Jane Frankfort was stunned. After years of flying American Airlines, she finally had 150,000 frequent flyer miles and was ready to book her dream vacation. But when she tried to use them, she discovered that her account had been cleaned out months ago, with the points used by others for tickets from India to Qatar.
Unfortunately, Ms. Frankfort is not alone. Every year, thousands of people and companies are victims of loyalty fraud, which affects programs from frequent flyer clubs to gift cards. Recently, loyalty fraud has surged, costing businesses at least $2.3 billion annually. With the value of all loyalty accounts totalling over $60 billion in the US and $250 billion worldwide, it’s time for loyalty program managers to take loyalty fraud seriously.
Setting the Stage for the Rise in Loyalty Fraud
It comes as no surprise that banks and eCommerce companies are fraudsters’ main targets. As more companies go online and more digital channels become available, advanced security measures have become common practice. Requiring more complex passwords, adding a second authentication factor, device fingerprinting and transaction analysis are now considered the norm. Consumer education has eased the adoption of these controls and subsequently reduced fraud; losses due to counterfeit cards, for example, dropped 75% between December 2015 and March 2018.
Despite the global value of rewards accounts reaching $250 billion, those who manage these programs have not followed in the footsteps of banks and eCommerce companies in ramping up their security controls. Simple login details, like an email and password or a 4-digit PIN, are still considered sufficient ‘security’. Even where security is considered, program managers resist anything that might interfere with the user experience. Without their backing, it’s no surprise that loyalty programs suffer lax security. But it’s not just the lax security that makes loyalty programs so attractive to fraudsters.
Why Loyalty Programs are Goldmines for Fraudsters
Research shows that it costs a business up to 25 times more to acquire a new customer than to sell to an existing one. As online channels became popular, loyalty and reward programs became the gold standard: dedicated mobile apps, discount codes, online promotions, etc. are available exclusively for members. And they have definitely proved their worth: these types of initiatives end up paying for themselves.
KPIs for those who manage the programs revolve around measurements such as customer engagement and transaction rates. Recent surveys found that 86% of consumers belong to loyalty programs, 22% will buy only from stores they have a loyalty membership with, and, on average, consumers belong to 14 different loyalty programs. Given these numbers, it’s easy to see why companies promote these programs; they truly do generate loyalty, retain customers, and ultimately lead to further sales and an increase in brand value.
For these reasons, it is easy to see how this growing popularity has contributed to the rising value of points; they have become somewhat akin to cash. As Amir Mousa, Internal Audit Section Head of Al Ain Holding Group notes, people can use them to buy “coffee machines, concert tickets — anything.” Points can also be converted into cash-like gift cards. And of course, miles are sold for cash on the Dark Web. This growing popularity has also raised the value of these accounts as a target for fraudsters, and with it the frequency with which they come under attack.
Let’s loop back to Ms. Frankfort. How did months pass before she realized that her points had been stolen? The simple answer is: customers don’t check loyalty accounts as carefully as they would check bank accounts or credit card statements.
Despite saving miles for years, she didn’t consider that there was any need to review the account regularly or that her account may come under attack. For fraudsters, these points are the proverbial sitting ducks, ready to be snatched up.
Taking all of this into account, it’s no wonder that fraudsters are drawn towards these types of accounts. For those managing the programs, it seems to be a case of risk vs reward. But the question remains, what is considered a significant enough risk to push them in the direction of enhancing security?
Perpetrators of Loyalty Fraud
We have established that loyalty fraud is committed by fraudsters. Yet, there are others that engage in exploiting loyalty points and rewards programs: customers AND employees.
Customer fraud involves exploiting loopholes in a program’s rules. Recent examples include a travel blogger turning an Alaska Airlines trip into a $60,000 trip around the world, and multiple customers getting Starbucks drinks worth up to $54 from a promotion designed to offer far more modest discounts.
Employee fraud is committed by diverting rewards from customers. For example, one agent submitted his own email address instead of the customer’s when entering their frequent flyer form. He accumulated over 2,500,000 miles before a customer checked their mileage balance, discovered it was zero, and prompted an investigation. To accumulate so many miles, the agent must have diverted miles from thousands of customers who never noticed.
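The diversion pattern above has a simple audit signature: one loyalty identity being credited with miles for many unrelated passengers. The check below is an added example, not code from the article or any airline; the accrual records, the email addresses and the household threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed accrual records: (passenger named on the ticket, loyalty email
# credited with the miles, miles credited). The "agent42" address is the
# hypothetical diverting employee; everything else is legitimate self-accrual.
ACCRUALS = [
    ("A. Patel", "a.patel@example.com", 1200),
    ("B. Chen", "b.chen@example.com", 800),
    ("C. Okafor", "agent42@example.com", 950),
    ("D. Silva", "agent42@example.com", 1100),
    ("E. Novak", "agent42@example.com", 700),
    ("F. Haddad", "agent42@example.com", 1300),
    ("C. Okafor", "c.okafor@example.com", 400),
]


def diversion_suspects(accruals, max_distinct_passengers=2):
    """Return loyalty emails credited for more distinct passengers than a
    household plausibly explains, with the passenger count and miles involved.

    A spouse or child travelling on a member's account is normal, so the
    threshold (an assumption) allows a small number of distinct names before
    an address is reported for review.
    """
    passengers = defaultdict(set)   # email -> set of passenger names
    miles = defaultdict(int)        # email -> total miles credited
    for passenger, email, credited in accruals:
        passengers[email].add(passenger)
        miles[email] += credited
    return {
        email: {"passengers": len(names), "miles": miles[email]}
        for email, names in passengers.items()
        if len(names) > max_distinct_passengers
    }


if __name__ == "__main__":
    for email, detail in diversion_suspects(ACCRUALS).items():
        print(f"review {email}: {detail['passengers']} passengers, "
              f"{detail['miles']} miles")
```

Running the same query over a real accrual table, grouped by the agent or booking channel that entered the form, turns the one-off customer complaint in the story into a periodic control.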
The Emerging Threat of Account Takeover Attacks
Of these types of fraud, the greatest threat is from account takeover (ATO) attacks launched by hackers, sometimes with “inside” help, which can expose the personal data of millions of customers. Hackers are capable of causing millions of dollars of damage and ruining company reputations. Although hackers may sell miles directly on the dark web or steal miles and reward points for themselves, many sell account credentials to others, who then monetize them. One of the more publicized account takeover attacks this year targeted Hilton’s Honors program, with fraudsters draining accounts of hundreds of thousands of points.
ATO attacks affect 72% of loyalty programs. They are made possible by acquiring combo lists (usernames/passwords) and basic “cracking” tools online. Perhaps the most serious ATO attack targeted Indian IT giant Wipro, going after loyalty program data. This well-planned phishing operation exposed data on over 100 computer systems and spread malware as it went.
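Combo-list replay against a login endpoint leaves a recognisable trace: one source cycling through many distinct accounts in a short window with a low success rate. The detector below is an added example, not code from the article; the log line format, the IP addresses, the usernames and the thresholds are all constructed assumptions, and the accounts it reports as "hits" are the ones a defender would lock and force through a password reset.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login log lines (not from any real system). 203.0.113.5 walks a
# list of accounts with mostly failures; 198.51.100.7 is a normal user.
LOG_LINES = """
2024-05-01T10:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2024-05-01T10:00:02Z src=198.51.100.7 user=carol@example.com result=OK
2024-05-01T10:00:03Z src=203.0.113.5 user=dave@example.com result=OK
2024-05-01T10:00:04Z src=203.0.113.5 user=erin@example.com result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=frank@example.com result=FAIL
2024-05-01T10:00:06Z src=203.0.113.5 user=grace@example.com result=FAIL
2024-05-01T10:05:00Z src=198.51.100.7 user=carol@example.com result=FAIL
2024-05-01T10:05:30Z src=198.51.100.7 user=carol@example.com result=OK
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse(lines):
    """Turn log lines into (timestamp, src, user, succeeded), oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return sorted(events)


def stuffing_suspects(lines, window=timedelta(minutes=5),
                      min_users=5, max_success_rate=0.5):
    """Flag sources that try >= min_users distinct accounts inside `window`
    with a success rate at or below max_success_rate (assumed thresholds).
    Returns {src: {"users": distinct accounts tried, "hits": accounts opened}}."""
    recent = defaultdict(deque)  # src -> events still inside the sliding window
    flagged = {}
    for ts, src, user, ok in parse(lines):
        q = recent[src]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events older than the window
        users = {u for _, u, _ in q}
        successes = sorted({u for _, u, o in q if o})
        if len(users) >= min_users and len(successes) / len(q) <= max_success_rate:
            flagged[src] = {"users": len(users), "hits": successes}
    return flagged
```

A single user mistyping their own password repeatedly never trips this rule, because the distinct-account count stays at one; that is the difference between a lockout policy and a credential-stuffing detector.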
A Clear and Present Danger
Loyalty fraud is now causing loss of revenue for many companies. In addition to lost revenue, bad publicity surrounding data breaches drives customers away; a recent survey found that 65% of customers will abandon a company that suffers a data breach. Even if this number is somewhat exaggerated, it’s clear that attacks on loyalty programs pose a serious threat. In an era when customers expect rewards for their business, it’s essential to make sure your loyalty program is safe and secure.