Any idea how many points you have in your loyalty accounts?
If you don’t, it would be a good idea to start paying attention, say anti-fraud experts, because loyalty point theft is a big and
“The crooks have started shifting their attention from
credit card fraud to loyalty fraud,” said Peter Maeder, co-founder of the
U.K.-based Loyalty Security Association (LSA), which was formed in 2016.
The precise extent of loyalty point fraud is unknown, but
according to a 2017 projection from Aite Group, a research and advisory firm to
the financial services industry, fraud that occurs when perpetrators take over
someone else’s loyalty account will reach $1 billion this year.
The LSA, meanwhile, conservatively estimates that 1% of
airline miles redemptions worldwide are fraudulent.
Jeff Wixted, vice president of product management and
operations for Accertify, an American Express subsidiary that provides
fraud-prevention services, said loyalty fraud has especially accelerated in the
past 15 to 18 months, with fraudsters buoyed recently by the growing trend
among airlines to do away with point expirations.
Meanwhile, loyalty memberships worldwide, including in the
airline, hospitality and retail sectors, will reach 5.5 billion this year,
according to the e-commerce fraud prevention company Forter. Some 45% of
loyalty accounts are inactive, making them especially vulnerable to attack.
And while the value of loyalty points isn’t precisely known,
Wixted said estimates for the U.S. hover at around $100 billion.
Traditional credit card fraud amounts to $4 billion to $5
billion annually in the U.S., he said. He predicts that annual loyalty fraud
will eventually surpass those figures.
“It’s by far the biggest fraud issue the industry faces,”
Loyalty point fraud can be perpetrated in a variety of ways.
According to a 2019 report by ARC, fraudsters sometimes gain access to loyalty
accounts through phishing schemes in which they’ll impersonate a trusted
source, such as a travel advisor, and send an email containing a fake
reservation confirmation or an e-ticket. The attacker gains control of the
recipient’s information either through an attachment containing malware or by
enticing the target to provide a loyalty program number.
Similar methods can be used by a hacker to gain access to
corporate booking tools, said Doug Nass, ARC’s director of fraud
investigations. And schemes are also perpetrated on social media sites, such as
Facebook, on which fraudsters prey on the unsuspecting by, for example,
advertising cheap plane tickets.
Loyalty fraud can also be undertaken by actual travel
advisors. In one example cited by IATA, an agent stole 3.7 million airline
miles by telling clients that their inexpensive tickets didn’t generate loyalty
accruals. The agent booked 135 flights with those miles before the scam was
Finally, data breaches are another primary source of loyalty
fraud. A 2018 breach at British Airways, for example, exposed the data of
500,000 customers, while a Marriott breach discovered that same year exposed as
many as 383 million records. Major data breaches in recent years at companies
such as LinkedIn, Facebook, Yahoo, Equifax and Capital One can also expose
Once in possession of a person’s loyalty information,
fraudsters can transfer points to their own accounts for direct purchases of
services such as flights and hotel rooms, said Cornelius Hattingh, ARC’s
director of revenue integrity.
It is easier, though, to take advantage of loyalty program
offerings that enable the points to be converted into gift cards at any number
of retailers. Such cards are desirable to criminals because they don’t require
an ID or a PIN.
Fraudsters also sell loyalty points on the dark web or pose
as travel agents, selling their ill-gotten goods via word of mouth, Nass said.
Loyalty programs are now taking steps to counter the fraud.
In the airline industry, which Wixted said is the largest loyalty fraud target,
IATA offers frequent-flyer fraud prevention workshops. Meanwhile, Airlines for
America says that “carriers make significant investments in their IT systems
and implement protective measures to safeguard passenger information.”
Wixted said that Accertify protects six of the world’s 10
largest airlines against fraud, including loyalty fraud.
Still, experts say that by and large loyalty programs remain
vulnerable to attack.
“The loyalty industry is waking up that they have to do
something, but they are years behind the credit card companies in security measures,”
Along with beefing up IT security, one step experts suggest
implementing is multifactor password authentication. Loyalty programs should
also proactively reach out to the owners of inactive accounts as well as coach
their customers about account security, ARC said.
As for loyalty program members, experts said they should
keep regular tabs on how many points they have in their accounts. Program
members should also make sure to practice basic security on their online
accounts by diversifying passwords and updating them regularly.