Editorial Policy

How to protect yourself from rewards fraud

Susan Johnston Taylor

September 2, 2015

Imagine you’ve diligently saved up credit card points or airline miles for a much-needed vacation, but when you finally log into your account to book your trip, the rewards balance is zero. Bye, bye Bahamian getaway.

With an estimated $48 billion in points and miles awarded in 2011, rewards fraud is a potentially lucrative game for criminals, according to Colloquy, which publishes research and information geared toward loyalty marketers.

One man’s estranged wife stole 2 million of his reward points by calling American Express and requesting the points be transferred to her Delta frequent flier account. Even if you aren’t going through a nasty divorce or other dispute, you could lose points or miles through rewards fraud committed by strangers.

Most rewards fraudsters aren’t brazen enough to book themselves an airline ticket or hotel with stolen points or miles. “What they’re doing quite a bit is laundering the points and transferring the accounts,” says Ryan Wilk, director of customer success for NuData Security, a behavioral analytics firm that helps companies identify potential fraudsters. “They’re buying tickets for others by posting a notice on Craigslist or eBay saying, ‘I have an airline ticket that I can transfer to you.'”

Earlier this year, British Airways froze some of its frequent-flier accounts while it resolved a hacking issue. Hackers also managed to steal points from customers in the Starwood Preferred Guest loyalty program and sold them online in January (Starwood reportedly said it would refund any points lost due to fraud).

In other cases, thieves redeem credit card points for airline miles gift cards or merchandise that can be kept or resold. “Bad actors convert those points to a gift card,” Wilk says, “without really caring what happens to that third party ” who ends up using that stolen gift card or airline ticket. To avoid being a third-party victim whose flight or hotel room could be cancelled once fraud is discovered, book travel through reputable sources rather than buying discounted travel through Craigslist or eBay.

Like more traditional instances of credit card fraud, most credit card issuers or travel companies will make the loyalty customer whole and refund stolen points if an account is hacked. Businesses don’t want customers to not come back, Wilk says. “A customer’s lifetime spend is worth more than that one-time hit.”

Still, getting points or miles refunded can be a hassle, so here are a few tips for minimizing your risk of rewards fraud in the first place:

  1. Don’t use the same username and password for everything. This is common advice most consumers don’t heed. “Use different passwords for different accounts and change them on a regular basis,” says Coleen Pantalone, professor of finance at the D’Amore-McKim School of Business at Northeastern University. In its annual worst passwords list for 2014, SplashData revealed that “12345” and “password” were the two most commonly leaked passwords. If you’re using the same easily guessable password for all your online accounts, it’s time to make your accounts more secure. If someone gets access to your email account, they can start resetting your passwords, making it harder for you to detect and resolve fraud.
  2. Don’t share your usernames and passwords. Ultra-secure passwords won’t protect your account if you share them with others, even someone claiming to be from your credit card issuer or preferred airline. “Don’t give out personal information when someone calls asking,” Pantalone says. “There are any number of scams that prey on people’s gullibility.”
  3. Be wary of suspicious emails. Email phishing scams are another way that fraudsters steal your information. “Never open email links when you are not sure of the sender,” Pantalone says. “Clicking those links can lead to a hacker infiltrating your computer and stealing your information.” If you get an email from your credit card issuer or loyalty program provider, type the website address into your browser rather than clicking an email link.
  4. Monitor your loyalty accounts for suspicious activity. Wilk recommends consumers closely monitor accounts and card statements so if they notice strange activity, they can contact the company and get it resolved. Services like AwardWallet.com can monitor accounts for you and notify you of balance changes. Also, while it’s nice to accumulate a huge cache of points for a big trip, keep in mind that redemption options can change and points can expire. The possibility of rewards fraud is just one more reason to use your rewards instead of hoarding them indefinitely.

Tags: ,