The attacker may grab a few unloaded physical gift cards from a physical store to see if the gift card issuer relied on sequential numbering patterns. This is not a required step, but it increases the attacker’s efficiency; for example, it may be that only the middle 8 digits of a 16-digit serial number need to be cracked, as opposed to all 16.
Sometimes a web or mobile application will inadvertently help the attacker narrow the field of possibilities by providing feedback when an invalid number is entered, for example, “all egift card numbers start with the digit 2.”