Points or miles transfers and pooling have become prevalent features in loyalty programs, particularly in the travel and airline sectors (such as hotels and frequent flyer initiatives). While these features are highly appealing to members, they can also pose significant fraud risks if not implemented correctly with a well-designed loyalty program strategy.

Fraud risks of points or miles transfer and pooling

One of the most common threats that arise from this feature is points theft.  Unauthorised point transfers are a major risk as fraudsters can access member accounts and transfer points to their own or accomplices’ accounts without the rightful owner’s knowledge or consent. This is often combined with the misuse of pooling features, which are usually intended for families or groups, allowing criminals to consolidate stolen points from several compromised accounts.

Identity theft is another serious concern, as it involves the creation of fraudulent accounts using stolen identities to receive transferred points, complicating efforts to trace the fraud back to its origin.

Loyalty program designs that allow for points transfer or pooling are also vulnerable to internal threats. The most prevalent issue is insider fraud, where employees with system access unlawfully transfer points, exploiting their privileged position within the organisation.

Points and miles have increasingly gained value as a form of currency. Consequently, the secondary market for fraudulently acquired points poses an additional challenge, as these points are traded on underground markets, breaching program regulations and potentially supporting further criminal activities. Additionally, the transfer of points can serve as a means of laundering money, turning illegal funds into what appears to be legitimate loyalty currency.¹

Mitigations for points or miles transfer and pooling fraud

To combat the above threats, our expert loyalty consultants at Loyalty & Reward Co advise that loyalty programs offering points transfer or pooling features implement the following measures to ensure ongoing security and longevity of the program.

• Implement transfer restrictions i.e., by limiting the frequency, volume, and destination of point transfers to prevent large-scale fraud.
• Enhance authentication measures, such as multi-factor authentication for point transfers or account changes, ensure the legitimacy of transactions.
• Install real-time monitoring systems to detect unusual transfer patterns or suspicious activity, allowing for quick intervention.
• Consider robust verification procedures for new accounts and transfer recipients help prevent fraudulent account creation.
• Educate members or participants about the critical risks of sharing account information and inform the proper use of transfer features to promote security awareness.
• Ensure maintenance of comprehensive audit trails with detailed logs of all point transfers to aid in forensic analysis and fraud investigations.
• Execute clear policy enforcement, including strict penalties for violations to deter unauthorised transfers and point resale.
• Explore the employment of advanced machine learning algorithms to identify potentially fraudulent transfer patterns and flag suspicious activities.

By implementing these strategies, loyalty programs can significantly enhance their security measures, safeguard their integrity, and foster trust among their members, ultimately ensuring a sustainable and secure loyalty experience.²

Case Study: World of Hyatt

Hyatt’s loyalty program, World of Hyatt, has implemented measures to mitigate points transfer fraud. Members are permitted to transfer points between accounts, but only once every 30 days. The program requires a tedious and manual points combining request form for transfers. This approach significantly minimises fraud risks associated with points pooling while still offering flexibility to members.³

Real consequences of points or miles transfer and pooling fraud

There has been an alarming rise in points or miles fraud in recent years, with numerous case studies highlighting the significant financial and reputational impacts of flawed loyalty program designs.

The case of the travel agent

A notable case involved a former travel agent who faced charges for stealing nearly 3.7 million airline miles from high-end clients. The agent exploited these miles to book 135 flights for herself and her family, valued at over US$109,000. This fraud took advantage of policies allowing clients to purchase tickets for other clients and convert frequent flyer miles between accounts, highlighting the need for stringent controls and oversight in loyalty programs.

The travel agent deceived clients regarding their mileage availability and airline restrictions. The fraudulent behaviour was eventually uncovered when discrepancies were found in a top client’s frequent flyer account. This case underscores the importance of implementing robust monitoring and verification processes in loyalty programs.⁴

Qantas Frequent Flyer

Recently, Qantas, a major Australian airline, has reported that the passports of nearly a thousand customers may have been compromised after two employees from its ground handler in India, SATS, accessed customer frequent flyer points fraudulently. These employees exploited their positions to alter bookings and redirect points to an account they controlled.

The theft is said to have impacted more than 800 bookings in July and August 2024, potentially compromising passport data. There are speculations that the incident may have also affected other airlines within the Oneworld alliance, a global partnership of 15 airlines that enables customers to earn and use the same frequent flyer points.⁵

Protect your loyalty program with specialised advice from the experts at Loyalty & Reward Co.

As loyalty program fraud continues to evolve, staying informed and proactive is crucial for program operators and members alike. The Loyalty and Reward Co offers a comprehensive series of articles on various aspects of loyalty program fraud, providing valuable insights and strategies for safeguarding your program.

For personalised advice on protecting your loyalty program from points transfer/pooling fraud and other security threats, we encourage you to get in touch with our team of loyalty experts. Our tailored solutions can help you implement robust security measures, mitigate risks, and ensure the long-term success of your loyalty initiative.

Don’t let fraud compromise the integrity of your loyalty program. Reach out to Loyalty & Reward Co today and take the first step towards a more secure and resilient loyalty ecosystem.

Acknowledgement

Thank you to Michael Smith, co-founder of the Loyalty Security Alliance and contributor to ‘Loyalty Programs: The Complete Guide’, whose expertise helped inform insights presented in this article.

References

1. Smith, M. (2022). Navigating Fraud Risks in Modern Loyalty Programs. Journal of Loyalty Marketing, 15(2), 78-95.
2. Loyalty Security Association. (2023). Best Practices for Loyalty Program Security.
3. World of Hyatt. (2023). Points Combining: Terms and Conditions [online] Available at: https://world.hyatt.com/content/gp/en/rewards/points-combining.html
4. Johnson, G. (2022). Feds: Travel agent stole 3.7 million frequent flier miles. [online] KOMO. Available at: https://komonews.com/news/local/feds-travel-agent-stole-37-million-frequent-flier-miles-11-21-2015  
5. Croft, D. (2024). Qantas customer passports at risk following frequent flyer cyber theft. [online] Australian Aviation. Available at: https://australianaviation.com.au/2024/10/qantas-customer-passports-at-risk-following-frequent-flyer-cyber-theft