Surely the company could trivially detect that?

They try, but a combination of multiple layers of work arounds used by the attackers, and a strong desire not to false positive legitimate voucher buyers means there’s always a way.