Criminals steal gift cards in a variety of ways. Theft of physical gift cards from retail stores is common, but online theft occurs as well.
One common method is for criminals to use bots to stuff possible card numbers into web applications until valid card numbers are found. Validated card numbers are used to purchase goods, or are sold for cash through various online services.
Criminals can use similar methods to perform coupon code discovery. While not as outright fraudulent as the above, coupon code discovery still has a direct impact on revenue. Another technique is to use credential stuffing to take over loyalty/reward accounts and drain their balances (potentially extracting funds from customers’ debit cards too, if they have linked them to their loyalty accounts).
Threat actors have proven quite creative in exploiting gift and loyalty programs. Past examples included the discovery of programming errors in certain gift-card account APIs that created potential race conditions. To exploit them, bots would submit simultaneous transfers among multiple cards, sometimes resulting in funds being credited to one card without being debited from another. Fraudsters were able to convert a small “seed” of initial funds into large gift-card balances.
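The transfer race described above, shown as a flawed check-then-act write beside a hardened atomic version. This is an added example, not code from any real gift-card API. The `cards` table, the function names and the balances are assumptions, with an in-memory SQLite database standing in for the production store.

```python
import sqlite3

def new_db():
    # Constructed sample data: card A holds a 10-unit seed, B and C are empty.
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.execute("CREATE TABLE cards (id TEXT PRIMARY KEY, "
               "balance INTEGER NOT NULL CHECK (balance >= 0))")
    db.executemany("INSERT INTO cards VALUES (?, ?)", [("A", 10), ("B", 0), ("C", 0)])
    return db

def balance(db, card):
    return db.execute("SELECT balance FROM cards WHERE id = ?", (card,)).fetchone()[0]

def total(db):
    # Conservation invariant: transfers must never change this sum.
    return db.execute("SELECT SUM(balance) FROM cards").fetchone()[0]

def flawed_commit(db, src, dst, amount, snapshot):
    # Flawed: writes the source balance from a value read earlier (check-then-act).
    db.execute("UPDATE cards SET balance = ? WHERE id = ?", (snapshot - amount, src))
    db.execute("UPDATE cards SET balance = balance + ? WHERE id = ?", (amount, dst))

def flawed_interleaving(db):
    # Two simultaneous requests both read A's balance before either one writes.
    snap1, snap2 = balance(db, "A"), balance(db, "A")
    flawed_commit(db, "A", "B", 10, snap1)
    flawed_commit(db, "A", "C", 10, snap2)  # credits C from a stale snapshot of A
    return total(db)

def safe_transfer(db, src, dst, amount):
    # Hardened: conditional debit and credit inside one write-locked transaction.
    if amount <= 0 or src == dst:
        return False
    db.execute("BEGIN IMMEDIATE")
    try:
        debit = db.execute("UPDATE cards SET balance = balance - ? "
                           "WHERE id = ? AND balance >= ?", (amount, src, amount))
        credit = db.execute("UPDATE cards SET balance = balance + ? WHERE id = ?",
                            (amount, dst))
        ok = debit.rowcount == 1 and credit.rowcount == 1
        db.execute("COMMIT" if ok else "ROLLBACK")
        return ok
    except Exception:
        db.execute("ROLLBACK")
        raise

if __name__ == "__main__":
    print("flawed total:", flawed_interleaving(new_db()))
    db = new_db()
    print(safe_transfer(db, "A", "B", 10), safe_transfer(db, "A", "C", 10), total(db))
```

The sum returned by `total` doubles as a reconciliation check: a periodic job that compares it against funds actually loaded will surface this class of bug even when individual requests look valid.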