Is loyalty fraud on your radar?

Phil Muncaster, guest writer at ESET, asks whether loyalty fraud is on your radar. Here’s why your hard-earned reward points and air miles may be easy pickings for cybercriminals.

Loyalty accounts are big business, and hackers and fraudsters are increasingly zeroing in on a potential goldmine. According to one study, the global market for loyalty management is set to grow at an annual rate of 12.3% over the coming seven years to reach nearly US$18 billion by 2028. And where there’s money and users, cybercrime inevitably follows.

From British health and beauty retailer Boots and Australian supermarket chain Woolworths to multinational brands like Tesco and Dunkin’ Donuts, attacks on loyalty card programs are increasingly common. Social media is awash with stories from angry victims who have had their accounts drained.

In fact, there’s an estimated US$48 trillion of unspent loyalty points globally, so it’s no surprise these programs have become an increasingly popular target for cybercriminals over the years, with the COVID-19 pandemic further exacerbating the threat. If you’re a loyal spender, you should take extra precautions to protect your rewards accounts. It’s not just the points you’ll be guarding – the same applies to any sensitive personal information stored with them.

How popular are loyalty programs?
Oracle claims that around three-quarters (72%) of US millennials are either members of their favorite brand’s loyalty program or would join one. Such programs are a popular way to build closer ties with customers online at a time when loyalty is hard won but easily lost. They typically offer discounts and special deals, or even free goods, services and experiences for members who accrue enough points.

These could include:

  • Free flights and hotel stays (e.g., air miles)
  • Free or subsidised taxi rides (e.g., Uber)
  • Free groceries

In return, the companies in question get highly valuable data to track customer purchasing and browsing behavior – with which they then improve their marketing and promotional efforts.

What are the bad guys doing?
There are essentially three potential vectors for loyalty card cyberthreats. First, brands could be defrauded by legitimate customers who try to game the system by, for example, opening multiple accounts. Second, malicious employees at the firm could steal customer personally identifiable information (PII) and points. The biggest threat, however, comes from external attackers who hijack accounts to steal points, make purchases, transfer points and/or steal customer PII to sell on the cybercrime underground.

How do they do this?

  • Phishing emails, texts, phone calls and messages designed to trick the user into handing over their account logins
  • Credential stuffing attacks, which replay usernames and passwords from earlier breaches against other online accounts that reuse the same credentials
  • Harvesting logins via fake mobile applications on third-party app stores
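One way a loyalty site’s defenders can spot the credential stuffing pattern listed above, as an added example that is not from the article or from ESET: it flags source IPs that cycle through many distinct usernames in a short window, which per-account lockout thresholds miss. The log format, addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of loyalty-site login events (not real data). The
# "timestamp ip user result" format is an assumption made for this example.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 bob FAIL
2024-03-01T10:00:03 203.0.113.7 carol FAIL
2024-03-01T10:00:04 203.0.113.7 dave SUCCESS
2024-03-01T10:00:05 203.0.113.7 erin FAIL
2024-03-01T10:00:06 203.0.113.7 frank FAIL
2024-03-01T10:05:00 198.51.100.9 alice FAIL
2024-03-01T10:06:00 198.51.100.9 alice SUCCESS
2024-03-01T11:30:00 192.0.2.20 gina SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse_events(text):
    """Return (timestamp, ip, user, ok) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag IPs that try >= min_users distinct accounts inside `window`.
    Stuffing spreads attempts over many usernames, so distinct users per IP
    is the signal; one customer retyping their own password is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward in time
            users = {u for _, u, _ in rows[start:end + 1]}
            if len(users) >= min_users:
                hits = sorted(u for _, u, ok in rows[start:end + 1] if ok)
                alerts[ip] = {"distinct_users": len(users), "compromised": hits}
    return alerts
```

Accounts in `compromised` are the ones that accepted a password during the burst, so they are the first candidates for a forced reset and a point-balance check.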

How bad is it?
There’s surprisingly little recent data detailing the scale of such attacks. However, loyalty card fraud increased 89% year-on-year in early 2020, according to one study. The same research estimates that direct and indirect losses from associated fraud reached around US$1 billion per year.

Separately, there were 100 billion credential stuffing attacks detected between July 2018 and July 2020, 63 billion of which were aimed at the retail, travel, and hospitality sectors. Hotel loyalty accounts can be sold on cybercrime forums for as much as US$850. Some entrepreneurial cybercriminals even operate shady ‘travel agencies’ which combine stolen credit cards and airline and hotel loyalty programs.

How can you protect loyalty points?
What can you do to protect your most important online accounts? It boils down to best practices around password management and awareness of phishing threats.

Here are our top seven tips:

  1. Use strong, unique passwords for each account and consider storing them in a password manager
  2. Switch on multi-factor authentication for all accounts that offer it. This will go a long way towards protecting your accounts from attackers
  3. Only install mobile apps from trusted sources
  4. Use scanning software to ensure apps are free of malware before downloading
  5. Deploy security software from a reputable provider on all devices
  6. Never click on links or open attachments in unsolicited emails/texts/social media messages
  7. If you’re going to log into a loyalty account, visit the site directly rather than following links

Loyalty and reward card schemes are a mainstay of modern marketing and customer engagement strategies. They’re also a well-established money-maker for cybercriminals and fraudsters. Taking a few best-practice steps can help to secure your account against this activity. Also, with trillions of dollars of unspent reward points languishing in these accounts, another good way to keep points out of the bad guys’ hands is to make sure you actually redeem your rewards.