A friend of mine’s parents were victims of the “Grandparent scam“. The scam works by a crook calling the victim and claiming that a grandchild is in trouble with the law. They then claim that they are lawyers who can get bail for the grandchild if money is transferred to them. However there’s a catch, the scammers don’t want the money wired they want some store gift cards. In my friend’s case the scammers used Target gift cards, precisely as described in the second link.

She is, unsurprisingly, not impressed with Target since the scam has been well known since at least December 2016 (and has been around in similar forms for at least a decade) and Target appear to be deliberately not taking obvious steps to stop the scammers.

The caller demanded that my father buy the cards with cash, call him back, and give him the gift card numbers over the phone. When my father went back to the Target where he bought the cards three hours later and asked them to flag and cancel those gift cards, they had already been redeemed in another state.

They redeemed the gift cards without having them in hand. Just like that.

A customer came in with $6000 in cash and bought four gift cards. A transaction that large should have set off at least SOME alarm bells.

Structuring of a large transaction into four smaller ones. It’s not quite smurfing as it’s done in financial transfers, but again, any company that deals in cash and gift cards should at least train their personnel to spot suspicious transactions!

And then there’s the redeeming of a large transaction amount in another state. No ID needed. No actual card present. The cards were redeemed in another state within a couple of hours. No one at Target thought this was in any way sketchy? There was no need to have the actual card present?

This contrasts with the corporate statement journalists got in December:

“Target is committed to providing a secure environment for our guests and team members. As a part of that commitment, we take a multi-layered, comprehensive approach to preventing theft and fraud that includes innovative programs and partnerships with local law enforcement, technology and team member training. We are aware of scams like these and have communicated to our store teams in the area. Additionally, we are actively working with law enforcement.”

Bluntly she, and I, think that’s being “economical with the actualité”. This is because it would be trivially simple to make this scam a lot harder without inconveniencing legitimate users of gift cards. All it would take is to not allow recently purchased cards to be used unless the card is physically present for a couple of days, perhaps as long as a week. Almost all legitimate gift card users will have the card with them and if, for some reason, they don’t, a delay of a day or two until either they receive the card in the mail or the lockout expires is unlikely to be a major issue. As it is the scammers are able to redeem the cards immediately before the victim realizes he’s been scammed and can cancel the cards.

Scammers like this treat crime as a business and anything that can be done to raise barriers will cause them to change their mode of operation and the likelihood is that the new method will either be more suspicious and will entrap fewer victims or will be easier to trace or reverse. The fact that Target appears to have done nothing at all in four months since they were previously informed of the scam means they would seem to share some liability for the money lost since they appear to be negligent, possibly (and this would be a good thing for a court to decide) culpably. As such they have had plenty of time to implement controls to stop this and I wonder whether they may have a financial incentive to not implement the controls since they presumably make money when then card is used. Either way an enterprising lawyer who found a number of victims like this and sued as a class action on behalf of the lot of them would likely win because there’s plenty of additional evidence that Target’s corporate culture is lax regarding security. Lets face it, it wasn’t so long ago that Target managed to let hackers install malware to steal the credit and debit card details of millions of customers. In that case also Target seemed to be asleep at the wheel and the various systems in place missed obvious warnings. In this case Target has been informed of the scam at least four months ago but has yet to implement even the most simple of control.

Rather than worry about the ability of Transgender people to use the toilet of their choice, Target ought to concentrate on the basics such as ensuring that its customers (and potential customers) can shop at its stores without worrying about whether they’ll be victims of a scam or fraud. Getting the reputation of being lax on security is probably going to be worse for Target than concerns about bing politically correct or not.