Loyalty Program Fraud: A Rapidly Growing Trend Among Identity Thieves

The adoption of chip-enabled EMV credit cards has helped reduce the amount of card present fraud in brick-and-mortar stores, but for identity thieves, the necessity for someone else’s credit information is the mother of invention (or ingenuity).

The latest target for fraud? Travel loyalty programs. As account takeover (ATO) soars, loyalty points accounts in particular are being preyed upon in greater numbers; of all non-card present fraud that occurred in 2016, 4% of attacks were on loyalty and rewards points accounts, but that number jumped to 11% in 2017. In 2016, 48% of online businesses experienced an increase in ATO over the previous year, and ATO losses reached $2.3 billion.

Why target loyalty points accounts?

Unfortunately, loyalty accounts are easy to drain, making them even more attractive to ATO fraudsters. They’re designed to make redeeming points for goods and services simple, which in turn means it’s just as simple for a criminal to quickly use up an unsuspecting victim’s points without having to input any form of payment or other information (though the victim’s payment and personal data is accessible to the thief once they log into the account).

The fact that many people tend to let their points languish or forget about them before getting around to redeeming them makes them sitting ducks, ripe for the hunt. As of 2016, $48 billion in airline miles and other rewards sat unredeemed in customer accounts.

Fraudsters use stolen credit cards to earn even more loyalty points

Fraudsters aren’t just interested in hacking accounts for points – they’ve also found ways to cheat loyalty programs by racking up points illegitimately. Using an airline loyalty program as an example, the criminal often acquires stolen credit card information in bulk and then uses it to purchase multiple airline tickets. These transactions accrue a massive amount of loyalty points, which the criminal then redeems before the fraud is discovered. Once the cardholder of the stolen information discovers the fraud, they file a chargeback.

The fallout can be devastating for both the airline and the airline customer. The airline is responsible for chargeback fees and loses the profits generated from the ticket sales, in addition to the value of the points redeemed by the fraudster, which the airline now has to pay out a second time to reimburse the customer’s loss. Generally, the fraud is discovered too late for the airline to have time to resell the tickets, which results in the loss of several hundred dollars per attack. An understandably angry customer might find themselves unwilling or unable to trust that a similar attack won’t happen again, possibly choosing to no longer do business with the airline. These customers may be some of the most loyal customers to the airline – perhaps even VIPs – which would result in a significant loss in revenue should the customer cut ties with the airline.

How can travel companies circumvent loyalty program fraud?

Some solutions you might consider adopting to address the issue include:

• Setting limits on how fast customers can earn points and spending requirements to accrue points
• Establishing manual review teams
• Checking customer point transactions histories, looking for how long and at what pace a person accrued points, as well as how fast those points were spent
• Introducing 3D Secure or other verification methods

However, these solutions not only negatively impact the customer’s experience – customers don’t want to be made to spend a minimum in order to accrue points or have to remember a password to verify their identity  – they also require more labor and cost on the merchant’s end. Sixty percent of online businesses are concerned about spending too much on manually reviewing orders.

Download our free ebook, Machine Learning: The Future of Fraud-Fighting in the Travel Industry, to learn how travel companies can empower themselves against ATO and loyalty fraud, and protect their customers from predatory fraudsters without negatively impacting the customer experience.