I’ve been slowly collecting images of compromised gift cards found at stores for over a year for a future gift card scam spotting post, and while those attacks vary, they’re all basically some form of tampering with a physical gift card, its package, or its barcode. You’ll find them in the wild as compromised Visas, Mastercards, Apple cards, BestBuy cards, or just about anything else. (Side note: If you have example pictures of that type of scam and wouldn’t mind if I include them in the post whenever I write it, I’d appreciate an email. I promise I’ll write it before the heat death of the universe or you’ll get double your money back.)

The New Scam

Over the weekend there was a new type of gift card scam (albeit an old type of network security scam) to hit the community: a hacked email inbox. This matters for two reasons:

  • Many gift card buyers and resellers keep all their card numbers in a shared Google Sheet, accessible with your Google account
  • Physical Happy gift cards are redeemed online and a link for later retrieval is sent to your email

If a hacker gets control of your email, they’ve probably got access to your gift cards too.

Staying Safe

Not to sound like a network security prognosticon (yes, I made that term up), but there are steps you can take to help protect yourself from a similar attack:

  • Always use two-factor authentication on your network accounts
  • Get rid of any dormant accounts that may have access to sensitive information
  • Double check your sharing settings on sheets or documents with sensitive information
  • Prefer Google Authenticator instead of SMS messages for two-factor authentication
  • Archive and remove old information from your documents and sheets

Finally, if you find yourself in a similar situation, do a few things immediately:

  • Change your passwords
  • Call the card issuers and report fraud (the good news is you still probably have all the card numbers too)
  • Reach out to others in the community who can offer level headed advice after the dust settles

If this happened to you, or happens to you in the future, I’m sorry, that sucks. If it hasn’t happened to you yet, consider making the above steps part of your regular housekeeping.

Good luck!

Prognostico: The network security prognosticon.