Beware the Search Results Phishing for your Holiday Gift Cards

Break out the egg nog and check those search results twice before trying to validate that gift card balance.

I am not a fan of gift cards. On the one hand if you know what the getter wants gift cards offer more value, though the strengths fade in utilitarian economics beyond that case, where cash offers greater value due to less risk (Waldfogel, 1993) Waldfogel, J. 1993. The Deadweight Loss of Christmas. The American Economic Review, 83(5): 1328–1336. . This of course discounts other factors—Waldfogel notes social stigma’s related to cash as a gift—but let’s talk about risk in an online world with gift card balances and phishing.

While the FTC has a whole section on what gift card scams look like, the screenshot comparison below showcases one not not listed. What you see is in the first search result is an AdSense campaign result at the top of the page on my actual mobile device. That results looks legit at first glance; it has all the bells and whistles and one might assume that a first-slot search result—a paid advertisement no less—would be vetted for fraud by Google. Alas, this is not the case.

A Target gift card search on mobile returning a phishing result as the first ad result, which has an identical looking site to the actual Target check gift card site. The ad result has since been flagged and removed.
Justin Ribeiro

The aforementioned phishing site is sneaky. If I was betting man one likely AdSense check fail is on the ad title itself. I didn’t debug this—I wasn’t expecting to run into this on a Sunday—the “T” character in the word “Target” in that ad looks like a Tau to my eye (U+03A4). In the moment I didn’t register the difference. Landing on the phishing site, it’s nearly a one-to-one mirror of Target’s actual gift card balance site. The site domain, which is clearly not Target.com throws no safe browsing error screen likely because the domain churns quickly to evade detection.

Situations like this can easily and effectively lead to being phished if you’re in a rush. I know from experience: I was in a rush and I only noticed this when Monica asked me to check the card because she couldn’t remember her Target.com login. Turns out Target.com makes you login to check a gift card balance; the phishing site does not. I got lucky and dodged it, but I suspect that in any other moment of a chaotic Sunday I may not have otherwise.

Target has often been a target of gift card balance phishing; they have a whole own gift card scam support site and the FTC notes $35 million lost to scams for Target gift cards in the first nine months this of 2021. Target gift cards are socially considered one of the more appropriate gifts over other gift cards (Valentin & Allred, 2012) Valentin, E. K., & Allred, A. T. 2012. Giving and getting gift cards. Journal of Consumer Marketing, 29(4): 271–279. , and Target issues a lot of gift cards. Target’s net estimated breakage rate—a term used in the industry to denote the percentage of gift cards will never be redeemed—accounts for $739 million USD in 2020 (Annual Report Target Corporation, 2020: 42) 2020 Annual Report Target Corporation. 2020. 78. , which gives us some idea of just how large their gift card issuance is.

After reporting the advertisement—I presume others did as well, I have no idea if my report ever made it to the right people—AdSense has since removed the result. That said, don’t think scammers aren’t organically slipping into the search results. The second organic search result is indeed another less refined phishing site that does not trigger any warning at all.

A phishing site holds the second organic search result beneath the indented second order links in the Target.com first result.
Justin Ribeiro

Which is to say, be diligent. Check those URLs and make sure you really are where you need to be before inputting sensitive information into a web site or app. And for that niece or nephew, they’ll happily take cash. 😉 Happy Safe Holidays!