Loyalty Fraud

March 17, 2022 | 10 min read

Loyalty Fraud Loyalty Points Fraud

Loyalty Fraud Scams: The Next Big Thing in Fraud?

Imagine spending years saving up for the trip of a lifetime…only for a fraudster to rip the tickets to your dream vacation right out of your hand.

This isn’t just a nightmare. It’s loyalty fraud: one of the fastest-growing travel fraud threats in the industry. These loyalty point scams are becoming a real problem for travelers and businesses operating in the travel space.

We’ve discussed how fraudsters use identity fraud tactics to steal unearned loyalty points directly from travel-focused businesses. But this week, we’re looking at how criminals target consumers’ accounts, and how air carriers, hotels, and other industry players suffer as a result.

What is Loyalty Fraud?

Loyalty Fraud

[noun]/* loi • əl • tē • frôd/

Loyalty fraud (also known as Loyalty Point or Reward Point Fraud) happens when a criminal abuses or exploits a merchant reward program for nefarious purposes. The scam is most often carried out after an incident of account takeover fraud or another form of identity theft in order to steal a consumer’s reward points.

From a business perspective, loyalty programs are a sure thing. They increase revenue and customer retention, amplify conversion, reduce marketing and promotion costs, and vastly influence consumer spending. From the consumer’s perspective, loyalty rewards make them feel recognized, appreciated, and rewarded for their continued loyalty to the brand. It’s a win-win situation for both parties.

Although the value of such programs is pretty clear, what isn’t advertised is how many opportunities for fraud lurk behind the appeal.

According to a recent study, loyalty program fraud increased by nearly 80% YoY in 2021. Rather than slow the trend, as one might expect it to, it looks like the global pandemic brought a sharp spike in loyalty fraud cases. But, when we look at the figures, it’s not hard to see why fraudsters would be so enthusiastic about loyalty programs.

The main problem here is that these accounts are worth quite a lot of money. However, they are rarely watched closely. This provides a prime, often unguarded opportunity for cybercriminals.

Why Do Fraudsters Target Loyalty Points Programs?

The average household in the US has about 30 individual loyalty program memberships, including travel, retail, and financial services. Unfortunately, more than half of those accounts were inactive, meaning the account, and all related data, still existed and were accessible, but were not actively used by the account owner.

That’s bad news, given consumers’ lax attitude toward loyalty program security and their tendency to reuse passwords. More than 8 in 10 consumers reuse the same password across multiple sites, and 3 in 10 share a password with 2 or more other people.

Every inactive account is a reserve of vulnerable customer data, ripe for thieves hoping to commit loyalty points fraud. If a criminal gains access to one account, the same login credentials will likely give them access to others.

New opportunities. New threats.

Take steps today to keep your risk under control.


According to CreditCards.com, only 1 in 3 travel- and hospitality-focused loyalty programs implemented two-factor authentication. Most of the survey respondents felt that the process was too expensive to implement and maintain, and that it created unnecessary friction for customers.

The problem’s grown so much that it’s practically a cottage industry for criminals. It’s not hard to see why, though. After all, loyalty rewards are:


There are many ways to redeem loyalty points. They can be used to exchange for merchandise, book flights, cruises, or other travel, or even sell to online brokers. They can also be traded back and forth by fraudsters on the dark web. This increased liquidity is a serious issue.


Airline and hotel loyalty accounts tend to be less protected than other financial accounts. This makes them much more attractive to hackers.


As mentioned above, untouched balances are often also unwatched. Most consumers don’t check their loyalty points balances as often as they would a bank account. This is a recipe for fraud.


Points have increased in value as businesses compete with each other to attract customers. This growth marks a veritable gold mine for fraudsters.

We’ve discussed why fraudsters are so interested in consumer reward programs and why they’re vulnerable. Now, let's discuss how they actually carry out these attacks.

How Do Fraudsters Commit Loyalty Points Fraud?

Criminals typically gain access to customers’ accounts through the same methods used to breach bank accounts. In most cases, this means phishing attacks.

In many cases, the customer receives an email claiming to be sent by an airline, hotel, or travel agent. This individual requests that the customer verify certain account information. The consumer divulges their information, not realizing that they’re handing it over directly to a scammer. The fraudster then drains the customer’s account, either redeeming the points or transferring them.

A consumer may be more likely to fall for this trick than they would with a bank email. People are naturally more protective of personal banking information than of their loyalty program info. Even though most consumers think of reward points as equivalent to cash, they don’t exercise the same level of diligence in protecting their accounts.

Consumers don’t log in to check their rewards balances nearly as often as their bank balance. That’s a big problem because, unlike a zero-liability credit card, there’s no guarantee that the customer will be made whole after a loyalty fraud attack.

Loyalty Fraud Hurts Merchants Too

Fraudsters want access to consumers’ loyalty point accounts, and consumers don’t know enough to protect those accounts against fraudsters. This carries serious ramifications for businesses that operate these programs.

Merchants are adversely affected by loyalty scams in several ways:

Lost Customers

If loyalty fraud attacks discourage customers from program participation, then it defeats the entire point of the program’s existence. Given that banks purchase billions in miles each year from air carriers and other travel-focused businesses, this would be a serious—even existential—threat.

Compromised Data

Names, birthdates, addresses, payment card information…these are just samples of the sensitive data stored by program websites. The fact that a site is storing much of the same sensitive data as banks, just with less customer concern, makes it a hot target for fraudsters hoping to nab cardholder data.

Stolen Revenue

Loyalty points fraud can put a merchant in a difficult position: either replace a customer’s stolen points—effectively handing-out double points—or risk alienating a loyal customer. Regardless which option they go with, it’s going to have an impact on their bottom line.


Consumers may not always be aware of loyalty fraud when it happens, as fraudsters are extremely good at sailing under the radar. Sometimes, a customer will file a chargeback for the surprise amount, not realizing they’ve been defrauded. When they do so, intentionally or not, merchants are charged non-refundable chargeback fees.

1 in 4 program members reported that they would cancel a reward program membership if their account were compromised. Even worse, 17% say they would stop doing business with that company entirely. This concern is serious enough that loyalty points fraud could jeopardize the entire program's success if merchants don't implement solutions to prevent abuse.

5 Loyalty Fraud Solutions

We know this sounds like a lot of doom and gloom. It doesn’t have to be, though.

There are several things consumers and merchants can do to prevent loyalty fraud. Increasing security measures and being aware of any account changes is a key first step for both parties.

For merchants, in particular, a few best practices can help defend their businesses from the adverse effects of loyalty and other forms of identity fraud:

#1 | Monitor all account activity

It may be a sign of foul play if a customer leaves their account unattended for a long period of time, then suddenly becomes active. Ask customers to verify security information before accessing their account, and to confirm their identity before using any points in their account.

#2 | Enable fraud tools

Two-factor authentication, AVS (Address Verification Services), CVV (Card Verification Value), and 3DS 2.0 (3-D Secure) Technology can be used in tandem to prevent many forms of identity and ATO fraud.

#3 | Enforce stricter login credentials

Aside from two-factor authentication, remind customers to change their passwords at least semiannually, and require customers to create strong, unique passwords, combining letters, numbers, and special characters. Merchants can also use CAPTCHA puzzles to help prevent botnet attacks, and temporarily lock customers’ accounts after several failed login attempts.

#4 | Educate consumers

Building these security-conscious behaviors can help customers protect themselves against many potential security liabilities.

Customers are an ally in the fight against loyalty fraud, not an object. Account security is in customers’ best interests, which is why merchants should educate them on the value of security-conscious practices like checking account balances regularly and updating passwords. Sellers should also encourage customers to enable activity notifications when an account is accessed and report any suspicious activity immediately.

#5 | Reach out to inactive users

If a customer has not logged in for an extended period, it might be a good idea to reach out and see why. They might have lost interest or cannot engage with the service any longer, or they may simply be trying to save-up points.

It could be a good idea to lock inactive accounts. Many businesses are hesitant to take this action, fearing that it could anger customers or encourage disengagement. However, merchants  can simply explain that it’s in the customer’s own interest; most will be okay with calling to unlock their accounts if it means improved data security.

Protecting against loyalty points fraud is a collaborative process between merchants and customers. Both parties benefit…and both parties bear specific responsibilities.

Get Help to Fight Loyalty Fraud

Aside from solid loyalty fraud detection and prevention methods, sometimes an expert eye could help merchants pinpoint internal weaknesses that could lead to chargebacks and fraud.

Chargebacks911® revolutionary approach to chargeback management is summarized in this free whitepaper. Understanding the hidden sources of chargebacks is vital in order to defend your processing rights and avoid facing the prospect of a closed merchant account.

Let us help you recover lost revenue today! Call us for a free ROI analysis.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
Please share a few details and we'll connect with you!
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form
Embed code has been copied to clipboard