By Robert Silk March 2, 2020 Shared from Travel Weekly
Any idea how many points you have in your loyalty accounts? If you don’t, it would be a good idea to start paying attention, say anti-fraud experts, because loyalty point theft is a big and escalating problem.
“The crooks have started shifting their attention from credit card fraud to loyalty fraud,” said Peter Maeder, co-founder of the U.K.-based Loyalty Security Association (LSA), which was formed in 2016.
The precise extent of loyalty point fraud is unknown, but according to a 2017 projection from Aite Group, a research and advisory firm to the financial services industry, fraud that occurs when perpetrators take over someone else’s loyalty account will reach $1 billion this year.
The LSA, meanwhile, conservatively estimates that 1% of airline miles redemptions worldwide are fraudulent.
Jeff Wixted, vice president of product management and operations for Accertify, an American Express subsidiary that provides fraud-prevention services, said loyalty fraud has especially accelerated in the past 15 to 18 months, with fraudsters buoyed recently by the growing trend among airlines to do away with point expirations.
Meanwhile, loyalty memberships worldwide, including in the airline, hospitality and retail sectors, will reach 5.5 billion this year, according to the e-commerce fraud prevention company Forter. Some 45% of loyalty accounts are inactive, making them especially vulnerable to attack.
And while the value of loyalty points isn’t precisely known, Wixted said estimates for the U.S. hover at around $100 billion.
Traditional credit card fraud amounts to $4 billion to $5 billion annually in the U.S., he said. He predicts that annual loyalty fraud will eventually surpass those figures.
“It’s by far the biggest fraud issue the industry faces,” Wixted said.
Loyalty point fraud can be perpetrated in a variety of ways. According to a 2019 report by ARC, fraudsters sometimes gain access to loyalty accounts through phishing schemes in which they’ll impersonate a trusted source, such as a travel advisor, and send an email containing a fake reservation confirmation or an e-ticket. The attacker gains control of the recipient’s information either through an attachment containing malware or by enticing the target to provide a loyalty program number.
Similar methods can be used by a hacker to gain access to corporate booking tools, said Doug Nass, ARC’s director of fraud investigations. And schemes are also perpetrated on social media sites, such as Facebook, on which fraudsters prey on the unsuspecting by, for example, advertising cheap plane tickets.
Loyalty fraud can also be undertaken by actual travel advisors. In one example cited by IATA, an agent stole 3.7 million airline miles by telling clients that their inexpensive tickets didn’t generate loyalty accruals. The agent booked 135 flights with those miles before the scam was discovered.
Finally, data breaches are another primary source of loyalty fraud. A 2018 breach at British Airways, for example, exposed the data of 500,000 customers, while a Marriott breach discovered that same year exposed as many as 383 million records. Major data breaches in recent years at companies such as LinkedIn, Facebook, Yahoo, Equifax and Capital One can also expose loyalty accounts.
Once in possession of a person’s loyalty information, fraudsters can transfer points to their own accounts for direct purchases of services such as flights and hotel rooms, said Cornelius Hattingh, ARC’s director of revenue integrity.
It is easier, though, to take advantage of loyalty program offerings that enable the points to be converted into gift cards at any number of retailers. Such cards are desirable to criminals because they don’t require an ID or a PIN.
Fraudsters also sell loyalty points on the dark web or pose as travel agents, selling their ill-gotten goods via word of mouth, Nass said.
Loyalty programs are now taking steps to counter the fraud. In the airline industry, which Wixted said is the largest loyalty fraud target, IATA offers frequent-flyer fraud prevention workshops. Meanwhile, Airlines for America says that “carriers make significant investments in their IT systems and implement protective measures to safeguard passenger information.”
Wixted said that Accertify protects six of the world’s 10 largest airlines against fraud, including loyalty fraud.
Still, experts say that by and large loyalty programs remain vulnerable to attack.
“The loyalty industry is waking up that they have to do something, but they are years behind the credit card companies in security measures,” Maeder said.
Along with beefing up IT security, one step experts suggest implementing is multifactor password authentication. Loyalty programs should also proactively reach out to the owners of inactive accounts as well as coach their customers about account security, ARC said.
As for loyalty program members, experts said they should keep regular tabs on how many points they have in their accounts. Program members should also make sure to practice basic security on their online accounts by diversifying passwords and updating them regularly.