Loyalty programs offer a lot of benefits to members, whether in the form of points, discounts, or special benefits. While they have become a way for businesses to differentiate themselves, their growing significance means loyalty programs have become a target for exploitation and fraud.
What is loyalty program fraud?
Loyalty fraud is defined as where deception is used to intentionally secure unfair financial, personal, or third-party gains from loyalty programs. The biggest opportunity for fraudsters is monetisation of collected loyalty data and points.
Why is loyalty program fraud growing?
Loyalty fraud research estimates loyalty program related fraud has risen 89% year-on-year, with approximately $1 billion in rewards value lost to fraud every single year.
Cyber-attacks are a growing problem worldwide, but people are less aware of loyalty-specific fraud. It is this, and the inherent digital nature of loyalty programs, which make them so enticing to hackers and fraudsters. Loyalty points are a form of digital currency which can make them easier to access and move around with relatively little danger.
The other main issues which make loyalty programs a target is some programs rely on legacy systems which are more easily breached or are insecure due to inadequate authentication processes. Many programs protect loyalty accounts by an email and password which is easy to attack, especially if not protected by the far more secure method of two-factor authentication.
Types of loyalty program fraud
Loyalty program fraud is a not-often-recognised problem which can be perpetrated by external fraudsters, internal staff or the members themselves. While loyalty fraud is an evolving space, being aware of different types of loyalty program fraud can be the first step towards mitigating the risks.
Here’s five of the most common type of loyalty program fraud (with examples):
Account Takeover (ATO)
Account takeover is where fraudsters hack into member or staff accounts and exploit points balances and payment details attached to the account. It may also involve hackers gaining access to and exploiting highly secure and lucrative databases.
Marriot’s Mass Data Breach
Marriot’s loyalty program became victim to one of the largest mass data breaches in history. In 2018, it was discovered that information (including personal, passport and payment card details) on up to 500 million guests had been compromised. Triggered by a hacker executing a staff account take-over, further investigations revealed unauthorised access as early as 2014. It turns out that when Marriott acquired Starwood in 2016, they inherited thousands of new hotels and adopted an old reservation system unknowingly compromised by hackers.
A brute force attack is a process of trial-and-error where fraudsters submit passwords, guess encryption keys, or uncover unsecure website pages to gain aunthorised access. Another common form of brute force attack is ‘credentials stuffing’ where a hacker will use the same uncovered username-password combo across multiple websites.
Hilton Honors Brute Force Attack
In 2014, multiple hackers gained access to Hilton Honors loyalty program member accounts through a brute force attack. The attack was not uncovered until members reported receiving emails for unauthorised reward redemptions and depleted points balances. Many of these points later appeared for sale online at a fraction of their value. It was uncovered that weak security protocols permitted the attack, and so Hilton introduced a more robust sign-in process (including more complex passwords and CAPTCHA codes) as a measure to stop a recurrence of such breaches.
Policy abuse occurs when fraudsters identify a way to earn large amounts of points or rewards by exploiting the platform, or the program terms and conditions. Technical or policy-related loopholes are not always violated nefariously, but news can spread quickly due to social media.
The Most Expensive Starbucks Drink Ever
Back in 2014, a member of ‘My Starbucks Rewards’ found a loophole in the terms and conditions of the birthday free item promotion. This minor loophole allowed the mischievous member to create the most expensive Starbucks drink ever, which included 60 espresso shots, protein powder and syrups in a giant Slurpee cup totalling US$54.75, all for free. Restrictions were quickly implemented into the program terms and conditions to prevent other members from replicating the behaviour.
New Account Fraud or Pooling Fraud
New account fraud or pooling fraud is where fraudsters create new ‘fake’ accounts, sometimes with stolen personal details, and then use these accounts to consolidate, sell and redeem stolen points. This occurs when a loyalty program allows the ability to transfer points from one account to another, which is a useful feature for members, but can provide the environment for loyalty points laundering. This is observed in airline and hotel programs, where third-party agents exploit traveller transactions to earn points for themselves.
The Nefarious Travel Agent
A former agent of an American travel company was charged for stealing nearly 3.7 million airline miles from high-end clients, and then using them to buy flight tickets for herself and her family. It turns out the travel agent misled clients about airline restrictions on generating loyalty bonuses and misappropriated the airlines’ miles for their own benefit. Some 135 flights worth more than $109,000 were booked for the agent and their family before the fraud was discovered.
Staff can be the frontline resource to detect and prevent fraud, but they can also be the weakest link. Staff fraud occurs when employees claim unused member benefits or take advantage of special privileges to benefit themselves or people they know.
Airline Agent Corruption
An airline agent accumulated loyalty points from thousands of passengers. The agent put in accurate passenger details, but then used his email instead of the passengers, which allowed him to accumulate approximately 2.6 million air miles before anyone noticed.
Mitigation strategies for loyalty program fraud
It is essential to have protection across all touchpoints, as loyalty fraud and security exploitation can occur at any step in the overall experience. Here are a several strategies to be aware of to mitigate loyalty program fraud:
Security and fraud review: A comprehensive security and fraud review of an existing or potential loyalty platform can help uncover any vulnerabilities which can be identified prior. This is most pertinent for older legacy platforms (as seen in the Marriot example).
Security and fraud monitoring: Any good loyalty platform should have some level of in-built software to monitor account activity, flag abnormal behaviour, and set up access rules and privileges. For larger programs, this may require a dedicated monitoring and auditing team.
Improve security process: Requiring users to sign up with complex passwords, or including things as simple as a CAPTCHA, can significantly improve the security of the user experience. The next best approach would be to enable two-factor authentication (2FA). More secure processes can help to avoid both member account takeover, as well as staff account takeover which can have more damaging effects.
Terms and conditions: Program operators should always ensure the terms and conditions of the program and any associated promotions are structured in a way that protects the brand and loyalty program while remaining rewarding for members.
Fraud education: Training employees with theknowledge of loyalty fraud schemes, red flags, and prevention methods is a powerful tool to minimise risk.
Loyalty programs are an ideal target for fraudsters as they hold tremendous amounts of data and value. Despite this, awareness of loyalty fraud is relatively low among businesses and members.
Given trends of rising loyalty fraud alongside loyalty program proliferation (and digitalisation), program operators need to be aware of evolving risks and preventative solutions to protect the loyalty accounts of their members.