CNP fraud in gift cards - a special report

CNP Fraud in Gift Cards

A Special Report

1
CNP fraud in gift cards - a special report

Introduction
When Blockbuster released the first plastic gift card in 1994, they surely had no idea
what kind of trend they were starting: In 2016, the gift card industry in the US alone
was worth $127 Billion, and by 2018, the market is expected to reach $160 billion.
For retailers, the benefits of selling gift cards extend well beyond the initial revenue.
The purchase ensures a future shopping trip, and when redeeming gift cards,
customers spend an average of 20% more than the value of the card. Considering
the widespread popularity of gift cards (93% of US consumers receive or give a gift
card every year!) offering these products seems like a no-brainer.

But the same flexibility that makes gift cards such an appealing present also makes
them a favorite target for fraudsters. Cash in hand is the ideal endgame for most
fraudsters, but purchasing power on a card is a pretty close second. Furthermore,
online peer-to-peer (P2P) marketplaces for reselling gift cards make it incredibly easy
for fraudsters to quickly turn a profit from the stolen goods.

Indeed, merchants operating in the online gift card market face a wide range of
challenges when it comes to preventing fraud. First of all, the behavior of both
legitimate shoppers and fraudsters varies depending on the type of gift card
purchased, making it difficult to vet these orders for fraud. Closed-loop (brand
specific) gift cards, for instance, are significantly safer than open-loop cards, which are
redeemable anywhere that accepts major credit cards.

Secondly, the market’s expansion is fueled largely by the 200% annual growth rate
in digital gift card sales. The fraudsters who target digital gift cards are generally more
tech savvy, making fraud detection and prevention increasingly challenging.

Finally, the combination of relatively high fraud rates and hard to detect fraud attempts
leads gift card sellers to rely on high-friction validation measures. Manual fraud
review, for instance, is labor intensive and slow, and can negatively impact customers’
shopping experience. Automated rules-based systems, which are a possible
alternative to manual review, often result in false declines (and in wrong approvals).
Since shoppers expect quick delivery (especially with digital cards), and because
product differentiation across sellers is minimal, delays and friction can send annoyed
customers to the competition. In short, adapting to the ever-changing fraud landscape
while providing a good customer experience is a challenge many gift card sellers
struggle with.

2
CNP fraud in gift cards - a special report

We compiled the following report based on our extensive experience working with
dozens of online gift card merchants. This report elucidates gift card CNP fraud trends
as they manifest for retailers offering brand-specific cards, gift card-only merchants,
and online P2P gift card marketplaces. Readers will also get actionable tips for
approving more good orders and avoiding false positive declines.

Retailers beware:
gift cards add risk to the mix
Retailers are eager to sell gift cards on their eCommerce sites and for good reason-
55% of gift card recipients will visit the retailer at least twice in order to deplete their
card, offering great upsell opportunities. However, it’s important to understand that gift
cards have a unique risk profile, and on average carry more risk than other goods.
Riskified’s data shows that adding a closed-loop (brand-specific) gift card to a
shopping cart negatively impacts approval rates across online verticals:

Giftcard
impact

-0.5 -6.8 -8.1 -11. -12

1% .51%
% % %

Home Cameras Sports Fashion Electronics

97.4% 93.4% 98.1% 93.4% 96.6%

Approval rate

The data reveals that gift cards carry a higher risk of being targeted by fraudsters
compared to other goods. Moreover, there is a correlation between the rate of
gift-card fraud and the overall fraud rate in a given industry. For instance, there is
more CNP fraud in online fashion and consumer electronics than in furniture or other
home goods. Accordingly, a gift card sold by a fashion brand or consumer electronics
merchant is riskier than a gift card sold by a home goods store. Just as these
industries are targeted by fraudsters for their high ticket, easily resellable items,
so too are the gift cards that can be used to purchase these goods.

3
CNP fraud in gift cards - a special report

Digital cards are doubly dangerous

The burgeoning gift card market consists of three types of sellers: ‘Retailers’ selling
cards to be redeemed at their own store (e.g. Urban Outfitters, Sephora, Starbucks,
BestBuy); ‘Merchants’ who sell gift cards exclusively (GiftCards.com, Giftly.com,
GiftCardMall.com) and ‘Marketplaces’ for P2P exchange of cards (GiftcardZen.com,
CardCash.com, Raise.com, Zeek.me).

While some of the differences in fraud patterns between these three types of gift card
sellers (Retailers, Merchants, and Marketplaces) will be covered later in this report,
the data clearly indicates that regardless of seller type, plastic gift card orders are
significantly safer than those for digital cards:

Retailers
96.4%

75%
%
98
es

68

M
ac

er
pl

ch
t
ke

an
ar

ts
M

96
%
%
93

Approval rate

It’s perhaps not surprising that digital gift cards carry a greater risk of CNP fraud. For
one thing, instantaneous delivery means digital cards can be resold on a secondary
market in seconds, making them more attractive to fraudsters. Fraud attempts on
digital goods orders are also more likely to slip through the cracks of legacy fraud
systems that were developed to detect CNP fraud in physical good transactions.

Fraudsters don’t go for discounts

For both plastic and digital gift cards, fraud attempts are less likely to occur on
online Marketplaces than on Merchants’ or Retailers’ sites. The appeal of these
Marketplaces is primarily the ability to buy gift cards for less than their face value, and
fraudsters have little reason to seek discounts as they are using stolen credit card

4
CNP fraud in gift cards - a special report

details. The numbers bear this out: Marketplaces can and should be able to approve
17% more online orders than Retailers and gift card Merchants. The difference is even
starker in digital gift card approval rates, where new cards are nearly five times more
likely to be targeted by fraudsters than second hand cards sold on Marketplaces.

Open-loop cards are open invitations

for fraudsters
When it comes to vetting gift card orders for fraud, another factor that greatly
influences the level of risk associated with an online gift card order is whether it is
for an “open-loop” or “closed-loop” card. Closed-loop cards can only be redeemed
at a specific store, for example a Macy’s or iTunes gift card. Open-loop cards bear
the logo of a major credit card company - Visa, MasterCard, American Express or
Discover - and can be used anywhere that accepts these credit cards.

Because they essentially serve as cash on a card, the rate of fraud in orders of open-
loop cards is much higher than in closed-loop gift cards. Less than 80% of online
open-loop gift card orders are valid, compared to nearly 90% of closed-loop gift card
orders. This difference in fraud rates is consistent with the disparity in average order
value between the two types of gift cards: fraudsters tend to target expensive goods,
and the average value of an online open-loop gift card order is $342, more than
twice as much as the average closed-loop card ($159).

Plastic As explained above, digital cards carry

a higher risk of fraud than plastic gift
cards - and the distinction becomes
even more stark when we consider it
x 1.8
in conjunction with the type of card
being purchased (open vs closed-loop).
Digital Open-loop digital gift cards are eight
times more likely to be targeted by
fraudsters than open-loop plastic cards,
and are nearly twenty times more likely
x 3.1
to be fraudulent than closed-loop
plastic gift cards!
Closed-loop fraud rate
Open-loop fraud rate

5
CNP fraud in gift cards - a special report

Closed-loop cards are a mixed deck

While closed-loop gift cards are safer than their open-loop counterparts, some
brand-specific gift cards carry a greater risk of CNP fraud than others.

Safe approval rate

on
az
m
A

op e

Bu est
St m
a

44.2%
B
G

es
un

57.3% 56.8%
iT

t
ar
t
ge

m
r

al
Ta

ay

56.8%
eB

76.8% 76.8%

G o r t k ’s
ds g
o
s

oo in
Sp D ic
tc
e’

t
82.5%

id
ar
w

Pe

&M

A
m
Lo

te
tS
H

Ri
Pe
97.3% 98.4% 98.9%
99% 99.1% 99.5%

Businesses selling closed-loop gift cards for risky goods, like gaming consoles
and popular electronic gadgets, experience more fraud attempts. These gaming
merchants are hit not only with sophisticated fraud attacks but also with so-called
‘friendly fraud’: children and teenagers purchasing gift cards using their parent’s
credit cards without permission.

Closed-loop gift cards sold by Retailers offering a very wide range of products, such
as Amazon or Walmart, behave more like open-loop gift cards when it comes to
online fraud. The high rate of fraud in these closed-loop cards reflects the fact that in
terms of purchasing ability, there is very little effective difference between an Amazon
gift card and an open-loop gift card.

Similarly, iTunes gift cards, which can be used to purchase songs, apps, and even
phones and hardware, experience a very high rate of fraud - fewer than 70% of these
online orders can be safely approved. Closed-loop cards issued by such megastores
are so appealing to fraudsters that they are systematically targeted in broad, well-
coordinated online attacks. Riskified recently uncovered a fraud ring that took
advantage of senior citizens, remotely taking control of their computers to purchase
iTunes gift cards.

6
CNP fraud in gift cards - a special report

The holidays are wild cards

Gift cards are popular all year round. However, there are three seasonal spikes in
online order volume that gift card sellers should be aware of. The week prior to
Valentine's Day sees a 20% spike in the volume of legitimate gift card orders, but an
even greater increase in the number of fraud attacks. In fact, the rate of CNP fraud
attempts is 35% higher than average during this week.

In the week leading up to Mother’s Day, the amount of online orders for gift cards
increases by 35%. Gift card sellers should be able to achieve the same order
approval rates as usual during this week, as the level of CNP fraud remains constant.
Finally, the last two weeks of the year, from mid-December through New Year, see
a huge surge in demand for gift cards, with online sales increasing by 130% during
this two-week period. Since there is a massive increase in the amount of legitimate
shoppers coming online to buy gift cards while the number of fraud attempts remains
roughly constant, merchants can safely approve a higher percent of orders!

The year-end pattern of increased sales

volume and reduced fraud rates is not
unique to gift cards. Online orders for
nearly all products are less likely to be
fraudulent during the holiday season.
+130% Customers tend to defer shopping needs
from the months prior to these holidays
because of the savings associated with
end of year sales.

+35% +35%

+20%
Fraud Rate
Order Volume
Same

Year end holidays Mother's Day Valentine's Day

-25%

7
CNP fraud in gift cards - a special report

The mobile factor: fraud on the run

Unlike most other online industries, where orders placed via mobile phones and
tablets are safer than orders placed via desktop computers (including laptops), mobile
gift card orders are actually riskier than their desktop counterparts.

87%
77%

Safe approval rate

This is particularly unusual because high cart value is typically correlated with risk,
and the average value of a gift card order made via mobile ($150) is 40% lower than
the average desktop purchase ($250). A partial explanation for the higher rate of
fraud in mobile purchases is that 73% of gift cards purchased via smartphone or tablet
are digital cards.

Another shopping pattern unique to the gift card market is the tendency of shoppers
to buy using their desktop. Over three quarters of gift card orders are made via
desktop, whereas in other online industries the breakdown between mobile and
desktop shopping is closer to an even fifty-fifty split. The significantly higher amount of
purchases via desktop computers may indicate that a high rate of gift card orders are
being placed by larger organizations and corporations, as gift cards are a common
present for employees.

8
CNP fraud in gift cards - a special report

Risky & safe email domains

Although no single data point should be used exclusively to approve or decline a
purchase, the shopper’s email address, and specifically the email domain, can shed
light on the likelihood of fraud. Email domains associated with internet providers
(like Verizon, AT&T, Cox, or Comcast) are good indicators of safety. To open an email
account with an internet service provider, users must divulge personal information,
such as one’s name and billing address. Thus, fraudsters who aim to conceal their
true identity and physical location, are unlikely to use such an email account to place
fraudulent online purchases. Indeed, over 92% of gift cards purchased with an ISP
email account can be safely approved.

Safe approval rate 93%

92.1% msn.com
88.1% 88.5% 90.6% ISPs
.edu .org
81.2% Hotmail
Gmail.com Yahoo
AOL

66%
iCloud.com
56.6%
Outlook.com

27.6%
mail.com

Dot-org emails are also relatively safe, as fraudsters are less likely to commit cyber
crimes at work, or to use their company email address when purchasing a gift card
fraudulently. For similar reasons, Dot-edu emails are generally low risk: you can’t
open a university email account without being associated with the institution, and the
holders of these accounts are wary of committing crimes so directly linked to their
true identity.

Email providers like mail.com and outlook.com are frequently abused by fraudsters-
registration is free and easy, and there is minimal identity verification. Generally, the
lower the barriers to creating an account, the more likely it is for an email domain to
be associated with fraud attempts. This explains the riskiness of icloud.com email
addresses: opening an icloud.com email account is easy, and doesn’t require owning
an Apple device.

9
CNP fraud in gift cards - a special report

Proxy servers & fraud

In the context of CNP transactions, proxy usage refers to cases where rather than
browsing a retailer’s website directly from the server closest to their device, shoppers
connect via an additional server. While there are legitimate reasons for using proxy
servers, fraudsters often use proxies to conceal their true IP address (and therefore,
the geographic location of the device). Proxy use is much more common in digital
card purchases than in plastic card orders. A digital card order is 2.5 times more likely
to be placed via a proxy server than a plastic card. Orders for digital gift cards using
a proxy server are also 3 times more likely to be fraudulent compared to plastic gift
cards purchased via proxy. Investing in advanced proxy detection abilities, therefore,
is definitely worthwhile for any business selling digital goods.

Digital card self-senders: cause for alarm

According to reports, 97% of US consumers send or receive a gift card every year.
This includes self senders who buy and ship cards to their own address.
While shipping a plastic gift card to oneself is a common legitimate shopping pattern,
purchasing a digital gift card for personal use is an indicator of risk.

There aren’t many obvious reasons why a legitimate customer would purchase a
digital card for themselves. Perhaps the only reasonable explanation is purchasing
a discounted digital card on an online P2P gift card marketplace. But if the card is
being purchased for the full price or is intended as a present, there’s little reason
not to send it to the email address of the gift’s recipient. Riskified’s data reflects this
clearly: digital closed-loop gift cards are 37% more likely to be fraud attempts when
the shopper sends the card to their own email address than when the digital gift card
is sent to a different person. In digital open-loop gift cards, the rate of fraud is 79%
higher when the card is delivered to the buyer’s own email address.

+79% +37%
Fraud in Fraud in
open-loop closed-loop

10
CNP fraud in gift cards - a special report

Best practices for driving approval rates

Retailers love when online shoppers buy gift cards. They ensure that a customer
(or the gift recipient) will have to return to shop with them again - and this return trip
tends to lead to additional purchases beyond the value on the card. Even more
compelling - 72% of gift card recipients make a return trip to the store. So when a
Retailer declines a gift card order, they’re taking an axe to a potential stream of future
revenues. Following are best practices to allow gift card sellers to approve more
online orders, driving both current and future sales revenue.

Link the email to the customer’s name

In both digital and plastic gift card orders, looking for a link between the email
address and the customer’s first and last names is critical. For plastic cards, the safe
approval rate is 10% higher when there’s a match between the email address and
the customer’s name. In digital gift card orders - where in the absence of a physical
shipping address, the email is essentially the card’s delivery destination - the link
between the email address and the customer’s name is even more important. Orders
for digital cards where the email address matches the customer’s name are 5 times
less likely to be a fraud attempt than those where the email does not match the
customer’s name!

84%
Approval
rate

66%
Approval
rate

Email matches Email doesn't

user name match user name

11
CNP fraud in gift cards - a special report

Identify and nurture returning customers

Returning customers are safer and more lucrative than first time shoppers. Riskified’s
data shows that returning gift card shoppers spend 57% more than new shoppers,
and their orders are 23% less likely to be fraudulent.

Since shoppers don’t always use the same device or email address for every
purchase, collecting and cross-checking only basic order information is not always
sufficient for spotting returning customers. To improve your ability to distinguish
between first-time and returning customers, we recommend cross referencing data
points such as IP address, browser & operating system combination, billing address,
customer name, username, phone number and shipping address (if applicable).

+57%
Spend

Sign Up Sign In

-23%
Fraud

new customers returning customers

12
CNP fraud in gift cards - a special report

Good customers want (discounted) personalized cards

Some online behaviors and shopping choices may hint at the legitimacy of
a gift card order.

Promo codes
Promo codes and discounts for good
l
Sp e c i a
customers not only drive brand loyalty
%
+ 16 but are also useful for fraud management.
Offer Online gift card orders where the shopper
used a promo code are 16% safer.

Personalized photo
Some gift card sellers allow shoppers to
personalize their gift card by uploading
a photo or adding a personal message.

+12% It’s perhaps not surprising that fraudsters

are less interested in taking advantage
of these personalization opportunities.
When the option is offered, gift card
orders with uploaded photos are 12% safer
than orders where the user chose not to
personalize their gift card with a photo.

Message length
A long message written by the buyer to the gift card recipient is correlated with
legitimate shopping behavior. Digital gift card orders with messages comprised of
less than 20 characters are significantly more likely to be fraudulent.

Drilling down further, the risk in 1-5 character messages is a result of nonsense strings
of letters (e.g. asdf) entered just to fulfill the requirement of entering a message. The
6-19 range contains a lot of preset messages from dropdown menus, such as “I love
you”, “Happy Birthday” or “Money for Gas”, which are also convenient for fraudsters
who will not be giving these cards as gifts.

13
CNP fraud in gift cards - a special report

A message with 20+ characters requires the user to actually type something, though
it’s still a good idea to read the message and check if it’s coherent and whether it
makes sense given the other order details.

Safest
40+ Characters

Get well
soon

Thinking
of you

-25% -58% -59%

20-39 Characters 6-19 Characters 1-5 Characters

Impact on approval rate

AVS isn’t in the cards for digital

An AVS match is generally considered a positive indicator of legitimacy in online
orders. However, sellers looking to avoid false declines and chargebacks shouldn’t
rely too heavily on AVS results when deciding whether to approve or decline a
transaction. Since AVS is tied to the billing address, its value as a fraud detection
mechanism diminishes in digital good orders - where items are “shipped” to an email
address. Our data bears out that AVS results are less important in digital gift card
orders. Gift card sellers can safely approve 58% of digital gift card purchases with
no AVS match whatsoever - the same approval rate as with orders with a partial AVS
match.

14
CNP fraud in gift cards - a special report

Conclusion
The global online gift card market is expected to continue growing, led by significant
rise in digital card sales. This growth presents a major opportunity for Retailers,
Merchants, and gift card Marketplaces, but also raises the stakes on accurate CNP
fraud detection.

In addition to illuminating the key fraud trends in the online gift card industry, we hope
this report has provided your with helpful tips for boosting order approval rates. The
stats included in the report represent averages across gift card sellers - and every
business may encounter different fraud patterns and unique legitimate shopping
behavior. Therefore, rather than using this data as a basis for fraud prevention rules,
we recommend analyzing your own gift card order data to determine the best
strategy to keep your business protected without rejecting good customers.

Riskified’s clients include leading gift card Merchants and Marketplaces, as well
as Fortune 500 Retailers who offer gift cards alongside their merchandise. Our
experience processing millions of gift card orders, along with a broad understanding
of fraud patterns across global markets, allows our partners selling gift cards to
benefit from higher approval rates and reduced losses from chargebacks. Cutting
edge fraud detection methods - including data enrichment, proxy detection, device
and browser fingerprinting, elastic linking, machine learning models, and behavioral
analytics - enable Riskified to make accurate decisions in real time, while providing
retailers with a full chargeback guarantee in case of fraud.

Riskified experts will gladly provide advice regarding online fraud management
challenges. For a free consultation or more information about our solution,
please visit our website www.riskified.com or contact us at sales@riskified.com.

15