Loyalty program fraud: Everything you need to know
We don’t typically associate loyalty programs with high fraud risk because they rarely involve money transactions. However, loyalty programs can create the perfect space for hackers to snatch your hard-earned bonus points — and even steal your personal or financial information. Here’s what you need to know about loyalty points fraud and how to protect yourself.
Table of Contents
Table of Contents
What is loyalty program fraud?
Loyalty program fraud is when a fraudster or an opportunistic customer exploits a rewards program for financial gain. These fraudulent activities may range from simply unethical to outright criminal.
For example, an opportunistic customer may find ways to manipulate the rules of a loyalty program (like creating a second account) to earn a welcome bonus. Or it can be significantly more serious — like someone breaking into your account and stealing hundreds of dollars worth of loyalty points you’ve accumulated over the years.
With most rewards programs offering cash, gifts, products, and services in exchange for participation, loyalty program fraud is an appealing option for cybercriminals.
What are the types of loyalty fraud?
Loyalty program fraud comes in many different forms. Let’s take a closer look at some of the most common types.
1. New account fraud
Companies often welcome new customers with bonuses they get after creating an account. Fraudsters may use this incentive to their advantage by creating fake accounts to claim these bonuses. They may even use real people’s information to create fake accounts (known as synthetic identity theft).
2. Account takeover
Account takeover is a more serious loyalty fraud type. It involves fraudsters breaking into legitimate accounts and stealing the customers’ points (such as using them to buy products or withdrawing them as cash into the criminal’s account). Account takeover often involves using social engineering techniques (like phishing emails, calls, or texts) to gain unauthorized access.
3. Policy abuse
Policy abuse is when opportunistic customers manipulate the rules of a rewards program for financial gain. For example, if a company offers a free item to a customer on their birthday, the customer may later try and get a refund for this item, even though they never paid for it.
4. Fake loyalty programs
Cybercriminals may also create fake loyalty programs to take advantage of unsuspecting customers. These programs may entice users to click on links and share personal details in exchange for exclusive offers, prizes, and points (which they never get).
Real-life examples of loyalty program fraud
Loyalty program fraud affects many companies and individuals worldwide. While many fraud cases aren’t big enough to receive media attention, here are a few that did.
1. Airline miles theft
Many airlines and credit card companies reward their customers with air miles. In 2018, a cybercriminal stole millions of frequent flyer miles from various global loyalty programs and sold them on the dark web. The miles, which were from companies like Delta, British Airways, and Virgin Atlantic, were bundled and sold in batches for $1,000 or more.
2. Expiring points scam
In 2023, the largest rewards programs in Australia were targeted with a major expiring points scam. Customers received fake text messages and emails claiming their loyalty points were expiring and that they needed to use them or they’d lose them. Customers were asked to click on a link and provide their details to use these points. Scammers then used this information to log into the users’ accounts, steal their points, and even commit identity fraud.
3. Hacked loyalty program servers
Another example of loyalty program fraud is the hacking of Reward 360 — a well-known loyalty program company in India. In 2023, a cybercriminal hacked into the company’s system and diverted a significant number of customer vouchers and rewards to his account. He managed to keep the operation running for five months, converting the vouchers into a substantial amount of digital currency over this period.
How to protect yourself from loyalty fraud
Loyalty program fraud may have serious consequences, so it’s important to take steps to protect yourself. Here’s what you can do to prevent loyalty program fraud.
1. Create strong passwords
Make sure your passwords are at least 12 characters long, with a good mix of characters. Don’t use common words because they’re the easiest to guess. If you’re running out of ideas for strong passwords, consider using a password generator — it’ll create difficult-to-crack passwords for you.
2. Avoid using public Wi-Fi
Public Wi-Fi in places like cafes, airports, restaurants, and hotels often doesn’t have the best security measures. Cybercriminals may target these public hotspots to eavesdrop on your connection or steal your data. If you need to use public Wi-Fi, make sure you connect to a VPN first to protect your internet traffic from snoopers and hackers.
3. Keep an eye on your rewards
If you’re a member of a loyalty program, log in regularly to check your rewards and balances. By keeping an eye on your account, you’ll be able to spot suspicious activity (like a withdrawal you didn’t initiate) quickly and take immediate steps to secure your account.
4. Beware of phishing attempts
Loyalty program fraudsters may send phishing emails urging you to take action (like using points that are about to expire). Carefully review every email you receive and look for signs of a phishing attack. Don’t click on any links or attachments unless you’re sure the sender is legitimate.
5. Stay away from scam websites
Scammers and hackers may set up scam websites to steal your login info, financial data, or rewards. Consider using NordVPN’s Threat Protection Pro to avoid entering scam sites. This feature blocks unsafe websites and shows you a warning instead.
How companies can protect customers from loyalty fraud
If your company offers a loyalty program, securing it against fraud is essential. Here are some steps you can take to protect your company and your customers.
Require strong passwords
Make sure you don’t accept weak passwords. Even though many customers already know how important it is to only use strong, unique passwords, some may still opt for “password123” if the system allows it.
Check your loyalty program for loopholes
Review your company’s terms and conditions to identify potential loopholes (like promotional offers for new customers or referral bonuses). The sooner your company can identify these loopholes, the sooner you can implement additional checks to address them.
Closely monitor customer accounts
Dedicate resources and tools to account monitoring so you can quickly detect and address suspicious activity. It’s important to do that for your customers because they won’t always keep track of the activity on their accounts.
Require multi-factor authentication
Implementing multi-factor authentication (MFA) can further boost your customer account security. Encourage your customers to secure their accounts with MFA by educating them about the benefits of this technology and making it easy to set up.
Send educational campaigns
Educate your customers about the risks of loyalty program fraud, along with tips on how they can protect themselves. You may not need to do this often, but launching an occasional email campaign may be beneficial in boosting awareness and reducing the chances of fraud.