Security guide
How to prevent gift card fraud
Gift card fraud quietly costs retailers and hospitality operators millions every year. Most incidents share a small set of attack patterns — and most of those patterns are preventable with the right platform controls. This guide covers the threats, the defences, and the program design choices that keep loss rates low.
Why gift cards attract fraud
Gift cards are attractive to attackers for the same reasons they're popular with consumers: instant value, easy transfer, and untraceability once redeemed. Unlike credit-card fraud, where stolen funds can often be reversed, gift card balances spent on goods or services are effectively unrecoverable. That asymmetry — easy to steal, hard to claw back — drives both the volume and the creativity of attacks.
The five attack patterns to plan for
1. Card draining (physical tampering)
Attackers visit retail racks, photograph or peel back the protective barcode of unactivated physical cards, replace the packaging, and place the card back on the rack. Once a customer buys the card and activates it, the attacker waits for the balance to load and drains it within minutes. The countermeasures are: tamper-evident packaging, sealed activation envelopes, behind-counter inventory for high-denomination cards, and — critically — a platform that lets you flag and freeze a specific card's balance after activation if a customer reports it was drained.
2. Code harvesting and brute force
If gift card codes follow a predictable pattern or use insufficient entropy, attackers can enumerate and test codes against the balance-check endpoint until they find live cards. The defences are high-entropy randomly generated codes (a minimum of 16 alphanumeric characters with no sequential or guessable elements), aggressive rate limiting on the balance endpoint, and CAPTCHA on public balance-check pages.
3. Social engineering and consumer scams
Scammers impersonate authorities or trusted contacts (the IRS, utilities, family members in crisis) and pressure victims to buy gift cards and read out the codes. Merchants typically learn about this when a recipient calls customer service to ask why their card is empty. While the merchant isn't directly defrauded, recovery support requests can be costly. The mitigations are at-purchase warnings (signage and online prompts), in-store staff scripts that flag suspicious bulk gift card purchases, and clear consumer communication that no legitimate authority asks for payment in gift cards.
4. Card-not-present chargeback fraud
Online gift card purchases bought with a stolen credit card are an attractive target — the card is delivered instantly via email, redeemed quickly, and then the cardholder disputes the original transaction. The merchant loses both the funds and the goods purchased with the gift card. Defences are AVS/CVV verification, 3D Secure, device fingerprinting, velocity limits on first-purchase customers, and routing high-risk orders to manual review. For high-value digital cards, scheduled-send delays of 24 hours can buy time for chargeback flags to fire before the card is redeemed.
5. Internal fraud
Staff with POS access can self-issue gift cards, redeem them on legitimate sales, or void transactions to gift themselves credit. The defences are role-based permissions (only managers can issue or adjust gift cards), full audit trails of every issuance and adjustment, and reporting that surfaces unusual patterns: high-value voids, duplicate issuances to the same recipient, or balance adjustments outside normal hours.
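The three reporting patterns just listed (high-value voids, duplicate issuances to one recipient, off-hours adjustments) as detection rules run over a per-card audit trail. This is an added Python example, not Wrapped's code; the log format, thresholds and business hours are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit events (not real data). Each line is
# timestamp|user|event|card|amount|recipient, one row per issuance, void or adjustment.
AUDIT_LOG = """\
2024-03-04T10:15:00|alice|ISSUE|GC-1001|50.00|bob@example.com
2024-03-04T10:20:00|alice|ISSUE|GC-1002|50.00|bob@example.com
2024-03-04T14:02:00|carol|VOID|GC-0990|400.00|
2024-03-05T02:45:00|dave|ADJUST|GC-1003|25.00|
2024-03-05T11:00:00|alice|ISSUE|GC-1004|100.00|eve@example.com""".splitlines()

HIGH_VALUE_VOID = 250.00        # constructed threshold; tune to your denominations
BUSINESS_HOURS = range(8, 21)   # 08:00-20:59 store-local time; constructed

def parse(line):
    ts, user, event, card, amount, recipient = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "card": card, "amount": float(amount), "recipient": recipient}

def find_anomalies(lines):
    """Return (rule, subject, detail) tuples for every event that trips a rule."""
    events = [parse(line) for line in lines]
    alerts = []
    for e in events:
        # Rule 1: a void at or above the high-value threshold
        if e["event"] == "VOID" and e["amount"] >= HIGH_VALUE_VOID:
            alerts.append(("high_value_void", e["card"], e["user"]))
        # Rule 3: a balance adjustment outside business hours
        if e["event"] == "ADJUST" and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_adjustment", e["card"], e["user"]))
    # Rule 2: more than one issuance to the same recipient
    per_recipient = Counter(e["recipient"] for e in events
                            if e["event"] == "ISSUE" and e["recipient"])
    for recipient, n in per_recipient.items():
        if n > 1:
            alerts.append(("duplicate_issuance", recipient, n))
    return alerts
```

In a real deployment these rules would run on the platform's exported audit log or its reporting API rather than on an inline string.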
The platform controls that matter
Whichever gift card system you use, the same set of capabilities determines how resilient your program is:
- High-entropy code generation — 16+ random alphanumerics, no embedded counters or merchant prefixes that aid enumeration.
- Encrypted storage — codes stored hashed or encrypted at rest; never displayed in plain text in admin tools or reports.
- Per-card audit trails — every issuance, adjustment, redemption, and balance check is logged with timestamp, user, and channel.
- Real-time balance sync — a card redeemed online cannot also be redeemed in-store; balance changes propagate immediately across all channels.
- Suspend/freeze controls — a single card can be frozen or invalidated without affecting any other card in circulation.
- Permission-based roles — issuance, adjustment, and bulk creation are gated behind role checks, with two-factor authentication required for elevated actions.
- Rate limits on public endpoints — balance check and redemption endpoints reject brute-force attempts.
- Anomaly reporting — dashboards surface unusual patterns: spike in low-balance redemptions, off-hours adjustments, geographic mismatches.
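The code-generation, hashed-storage and rate-limit controls above, together with the brute-force scenario in pattern 2, put together in one added Python example. This is not Wrapped's code; the pepper, limits and class names are constructed for illustration, and the in-memory dictionaries stand in for the platform's database.

```python
import hashlib, hmac, math, secrets, string, time
from collections import defaultdict, deque

ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols, no prefixes or counters
CODE_LEN = 16
# Constructed server-side secret; in production it lives in a KMS/HSM, never in source.
PEPPER = b"constructed-demo-pepper-not-for-production"

def generate_code():
    """Draw every character from a CSPRNG so codes cannot be enumerated in sequence."""
    return "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))

def code_entropy_bits(alphabet_size=len(ALPHABET), length=CODE_LEN):
    """Search space of a code: 36^16 is about 82.7 bits."""
    return length * math.log2(alphabet_size)

def code_fingerprint(code):
    """Keyed hash stored at rest instead of the plaintext; lookups hash the presented code."""
    return hmac.new(PEPPER, code.encode(), hashlib.sha256).hexdigest()

class BalanceService:
    def __init__(self, max_checks=5, window_s=60):
        self.balances = {}                    # fingerprint -> balance
        self.max_checks, self.window_s = max_checks, window_s
        self.attempts = defaultdict(deque)    # client -> timestamps of recent checks

    def issue(self, amount):
        code = generate_code()
        self.balances[code_fingerprint(code)] = amount
        return code   # shown once to the purchaser; the plaintext is never stored

    def check_balance(self, client_id, code, now=None):
        """Sliding-window limit per client, applied before any lookup so a blocked
        request reveals nothing about whether the code exists."""
        now = time.monotonic() if now is None else now
        recent = self.attempts[client_id]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) >= self.max_checks:
            return "rate_limited"
        recent.append(now)
        balance = self.balances.get(code_fingerprint(code))
        return "unknown" if balance is None else balance
```

A public balance page would layer a CAPTCHA and a global limit on top of the per-client window, since an enumeration attempt spread across many clients still shows up as a spike in "unknown" responses.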
How Wrapped's controls map to these threats
Wrapped is built around exactly this control set. The platform generates randomized codes per issued card, stores them encrypted, and exposes per-card audit logs. Two-factor authentication is required for staff with issuance or adjustment permissions, and roles can be scoped per site. Real-time sync across all 30+ POS and eCommerce integrations means a redeemed card is immediately invalid everywhere — closing the in-store/online race condition that drainers exploit. Individual cards can be suspended in a click, and the liability dashboard surfaces redemption patterns by site, hour, and channel for ongoing monitoring.
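The in-store/online race condition named above, as an added Python example that is not Wrapped's code: a check-then-act redemption that two channels can both pass, beside one where the check and the debit are a single atomic step. The in-process lock and the barrier are constructed for the demonstration; a real platform gets the same effect from one authoritative balance record updated with a conditional write.

```python
import threading

class NaiveLedger:
    """Check-then-act redemption: the balance is read, then debited in a
    separate step, so two channels can both see a sufficient balance."""
    def __init__(self, balance):
        self.balance = balance

    def redeem(self, amount, barrier=None):
        if self.balance >= amount:            # step 1: check
            if barrier:
                barrier.wait()                # constructed: hold both channels here
            self.balance -= amount            # step 2: debit a now-stale balance
            return True
        return False

class AtomicLedger:
    """Check and debit happen under one lock, so the second channel sees the
    already-debited balance and is refused."""
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def redeem(self, amount, barrier=None):
        if barrier:
            barrier.wait()
        with self._lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True

def race(ledger_cls, balance, amount, channels=2):
    """Run `channels` concurrent redemptions of `amount` against one card whose
    balance covers a single redemption. Returns (successful redemptions, final balance)."""
    ledger = ledger_cls(balance)
    barrier = threading.Barrier(channels)
    results = []
    def channel():
        results.append(ledger.redeem(amount, barrier))
    threads = [threading.Thread(target=channel) for _ in range(channels)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), ledger.balance
```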
Frequently asked questions
- What is the most common type of gift card fraud?
- Card-draining (also called gift card 'tampering') is the most prevalent fraud — attackers physically tamper with cards on retail racks, harvest the codes, then drain the value as soon as a customer activates the card. Online, social-engineering scams that pressure victims to buy cards and read out the codes are the most frequent fraud reported by consumers.
- Can a digital-only gift card program be tampered with?
- The physical card-draining attack is impossible against fully digital cards. Digital programs face different risks — credential stuffing against accounts that hold balances, account takeover, and BIN testing on issued codes — all of which are mitigated through code entropy, encrypted storage, rate limiting, and account-level 2FA.
- Are merchants liable for fraudulent gift card purchases?
- It depends on the channel. For card-present transactions where the merchant follows EMV standards, liability typically sits with the issuing bank. For card-not-present (online) gift card sales, chargeback liability sits with the merchant — making fraud screening on online gift card purchases especially important.
- How quickly should I respond to a suspected fraud incident?
- Within hours. Most gift card fraud — particularly card-draining — has a short window between code harvest and balance drain. A platform that lets you suspend specific cards, freeze recent activity, and audit redemption history channel-by-channel turns a multi-day investigation into a single-session response.