Learn How Loyalty Points Fraud Steals From Customers & How to Stop It
Imagine you spend years saving up for the trip of a lifetime…only for a fraudster to rip the tickets to your dream vacation right out of your hand. You could have been lying on a beach in Honolulu or taking the family on a magical visit to Orlando, but now you’re waiting on hold, desperately trying to recover your stolen vacation.
This isn’t just a nightmare. It’s loyalty fraud: one of the fastest-growing travel fraud threats in the industry, and a real problem for travelers, as well as businesses operating in the travel space.
We’ve discussed how fraudsters use identity fraud tactics to steal unearned loyalty points directly from travel-focused businesses. But this week, we’re looking at how criminals target consumers’ accounts, and how air carriers, hotels, and other industry players suffer as a result.
The Threat of Loyalty Points Fraud in the Travel Industry
Rewards- and loyalty points-focused fraud attacks are on the rise. The problem’s grown so much that it’s practically a cottage industry for criminals, and it’s not hard to see why:
- GOOD AS CASH: Loyalty points can be exchanged for merchandise, used to book flights, or even sold to online brokers.
- SOFT TARGETS: Airline and hotel loyalty accounts tend to be less protected than other financial accounts, making them more attractive to hackers.
- HARDER TO NOTICE: Most consumers don’t check their loyalty points balances as often as they would a bank account.
Criminals typically gain access to customers’ accounts through phishing attacks. In many cases, the customer receives an email claiming to be sent by an airline, hotel, or travel agent, that requests the customer verify certain account information.
A consumer may be more likely to fall for this trick than they would with a bank email, as people are naturally more protective of personal banking information than of their loyalty program info. Even though most consumers think of reward points as equivalent to cash, they don’t exercise the same level of diligence in protecting their account. As one study revealed, 1 in 3 customers log in to check their rewards balances once every few months at most, while 1 in 10 never check their account balance. That’s a big problem, because unlike a zero-liability credit card, there’s no guarantee that the customer will be alright after a loyalty fraud attack.
Looking at Loyalty Points:
- US consumers maintain approximately 3.3 billion loyalty program memberships.
- Stored points and travel miles in the US are valued at $48 billion.
- 81% of US consumers equate loyalty points with cash.
- One in three program members only check their balance once every few months. One in ten never check their balance.
- 40% of program members would tell friends and family about a positive experience, and 1/3 would encourage friends and family to join.
- 3 out of 4 travelers have made a purchasing decision based on loyalty program incentives.
- A loyalty program can increase restaurant visits by up to 35%.
- 72% of program managers have experienced issues with fraud.
Fraudsters want access to consumers’ loyalty points accounts, and consumers don’t know enough to protect those accounts against fraudsters. This carries serious ramifications for your travel-focused business:
1. Lost Customers
If loyalty fraud attacks discourage customers from program participation, then it defeats the entire point of the program’s existence. Given that banks purchase billions in miles each year from air carriers and other travel-focused businesses, this would be a serious—even existential—threat.
2. Compromised Data
Names, birthdates, addresses, payment card information…this is just a sample of the sensitive data stored by program websites. The fact that your site is storing much of the same sensitive data as banks, just with less customer concern, makes it a hot target for fraudsters hoping to nab cardholder data.
3. Stolen Revenue
Loyalty points fraud can put you in a difficult position: either replace a customer’s stolen points—effectively handing out double points—or risk alienating a loyal customer. Regardless of which option you go with, it’s going to have an impact on your bottom line.
1 in 4 program members reported that they would cancel a reward program membership if their account were compromised. Even worse, 17% say they would stop doing business with that company entirely.
Why Travel Points are a Fraudster’s Dream
The number of individual loyalty program memberships in the US—including travel, retail, and financial services—came to 3.8 billion in 2016. That’s roughly 30 program memberships per household! Unfortunately, more than half of those accounts were inactive, meaning the account and all related data still existed and was accessible, but was not actively utilized by the account owner.
That’s bad news, given consumers’ lax attitude toward loyalty program security and their tendency to reuse passwords:
- More than 8 in 10 consumers reuse the same password across multiple sites.
- 3 in 10 share a password with 2 or more other people.
- 6 in 10 have been forced to reset a password within the last 60 days.
Every inactive account is a reserve of vulnerable customer data, ripe for thieves hoping to commit loyalty points fraud. If a criminal gains access to one account, it’s likely that the same login credentials will give them access to others as well. That’s why two-factor authentication for loyalty accounts, simple as it is, is also one of your best defenses.
According to CreditCards.com, only 1 in 3 travel- and hospitality-focused loyalty programs implemented two-factor authentication. Most of the survey respondents felt that the process was too expensive to implement and maintain, and that it created unnecessary friction for customers.
Before you make that call, though, you need to ask yourself: are you willing to risk it?
Take Steps to Prevent Loyalty Fraud
We at Chargebacks911® strongly recommend two-factor authentication as an effective method of deterring both loyalty points fraud and more conventional payment card fraud. The tool can also be effective at deterring loss from multiple common chargeback sources including family fraud and buyer’s remorse.
Of course, two-factor authentication is not the only tool at program managers’ disposal. These are just a few behaviors and practices that can help:
Monitor All Account Activity
It may be a sign of foul play if a customer leaves his or her account unattended for a long period of time, then suddenly becomes active. Ask customers to verify security information before accessing their account, and to confirm their identity before using any points in their account.
Enforce Stricter Login Credentials
Remind customers to change their passwords at least semiannually, and require customers to create strong, unique passwords, combining letters, numbers, and special characters. You can also use CAPTCHA puzzles to help prevent botnet attacks, and temporarily lock customers’ accounts after a certain number of failed login attempts.
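The two practices above can be expressed as rules over an account event stream. The following is an added example, not code from the original article or from Chargebacks911: it flags a login after long dormancy, holds point redemptions until identity is confirmed, and applies a temporary lock after repeated failed logins. The thresholds, event names, and account IDs are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy values (not from the article); tune them to your program.
DORMANT_AFTER = timedelta(days=180)   # no successful login for this long = dormant
MAX_FAILED = 5                        # failed logins allowed inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=15)
LOCK_FOR = timedelta(minutes=30)      # length of the temporary lock

def review_events(events):
    """events: time-sorted (iso_timestamp, account, kind) tuples, where kind is
    login_ok, login_fail, verified or redeem. Returns (timestamp, account, action)."""
    last_ok, fails, locked_until = {}, {}, {}
    step_up = set()   # accounts that must confirm identity before spending points
    actions = []
    for ts, acct, kind in events:
        t = datetime.fromisoformat(ts)
        locked = locked_until.get(acct, t) > t
        if kind == "login_fail":
            recent = [f for f in fails.get(acct, []) if t - f <= FAIL_WINDOW] + [t]
            fails[acct] = recent
            if len(recent) >= MAX_FAILED and not locked:
                locked_until[acct] = t + LOCK_FOR
                actions.append((ts, acct, "temporary_lock"))
        elif kind == "login_ok":
            if locked:
                actions.append((ts, acct, "deny_locked"))
                continue
            prev = last_ok.get(acct)  # a real system seeds this from the account store
            if prev is not None and t - prev >= DORMANT_AFTER:
                step_up.add(acct)
                actions.append((ts, acct, "dormant_reactivation"))
            last_ok[acct], fails[acct] = t, []
        elif kind == "verified":
            step_up.discard(acct)
        elif kind == "redeem" and acct in step_up:
            actions.append((ts, acct, "hold_redemption_verify_identity"))
    return actions

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    ("2023-01-10T09:00:00", "A100", "login_ok"),
    ("2024-02-01T03:12:00", "A100", "login_ok"),   # first login in over a year
    ("2024-02-01T03:14:00", "A100", "redeem"),     # held until identity is confirmed
    ("2024-02-01T03:20:00", "A100", "verified"),
    ("2024-02-01T03:21:00", "A100", "redeem"),     # allowed, no action emitted
] + [(f"2024-02-01T10:00:{s:02d}", "B200", "login_fail") for s in range(0, 50, 10)] + [
    ("2024-02-01T10:01:00", "B200", "login_ok"),   # correct password, still locked
]
```

Calling `review_events(SAMPLE_EVENTS)` returns four actions: the dormant reactivation and held redemption for the constructed account A100, then the temporary lock and denied login for B200.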
Remember: customers are an ally in the fight against loyalty fraud, not an obstacle. Account security is in your customers’ best interests, which is why you should educate them on the value of security-conscious practices like checking account balances regularly and updating passwords. You should also encourage customers to enable activity notifications, so they know when an account is accessed, and to report any suspicious activity immediately.
Building these security-conscious behaviors can help customers protect themselves against many potential security liabilities.
Reach Out to Inactive Users
If a customer has not logged in for an extended period, it might be a good idea to reach out and see why. They might have lost interest or be unable to engage with your service any longer, or they may simply be trying to save up points.
It could be a good idea to lock inactive accounts. Many businesses are hesitant to take this action, fearing that it could anger customers or encourage disengagement. However, you can simply explain that it’s in the customer’s own interest; most will be fine with calling to unlock their accounts if it means improved data security.
Protecting against loyalty points fraud is a collaborative process between you and your customers. Both parties benefit…and both parties bear certain responsibilities.
Of course, the above pointers are just the beginning.