Fraudsters are pouncing on $48 trillion in unspent rewards points

Practically every B2C organization employs some type of loyalty program, and for good reason — companies love the uptick in spending and brand allegiance; customers love the free lattes and round-trip flights.

But no one is a fan of loyalty fraud. Except fraudsters, of course, who snatch their share of the $48 trillion in unspent rewards points and either use them or sell them for profit. This latest ace up fraudsters’ sleeves has only become more prevalent during the pandemic. Even before the pandemic, loyalty fraud had doubled from 2017 to 2018.

Scroll down for the full download on loyalty fraud — including what happens when a company doesn’t combat it with an intelligent fraud prevention solution. (Hint: the negative impact stretches far beyond pocketbooks.)

Pointing in the wrong direction

From July 2018 to June 2020, fraudsters used stolen passwords to launch roughly 100 billion credential stuffing attacks. More than half of these incidents targeted the retail, travel, and hospitality industries, whose companies reward repeat guests with frequent flyer miles, complimentary hotel stays, free products, and discounts. Airlines and hotel chains were hit especially hard post-pandemic — customers aren’t likely to access their rewards (and report a discrepancy) if they aren’t traveling.

Loyalty points are also emerging as a new virtual currency with increased spending flexibility, further incentivizing bad actors to target these accounts. For example, some brands allow customers to buy products on Amazon using their points.

Loyalty fraud, a form of account takeover (ATO), works like this: hackers buy passwords off the dark web; then, after cracking the right login combination, they can sell a customer’s hard-earned loyalty rewards on the dark web for money (after the 2014 Hilton Honors hack, 250K Hilton Honors points sold for $3.50). If a customer uses the same password across multiple rewards accounts, hackers can access those points, too.

If a customer’s lucky, they’ll merely get their points drained and subsequently replenished — an issue costing merchants $1 billion per year — while fraudsters spend them or peddle them for profit. But personal info is what fraudsters are really after: credit card numbers, Social Security numbers, even seemingly harmless details like names, dates of birth, and phone numbers.

Points are one thing; accumulating an entire portfolio of personal information for a given individual — and seizing assets far more lucrative than loyalty rewards — is an account hijacker’s dream scenario.

The intangibles

When assessing the impact of loyalty fraud, it’s easy to get caught up in the financial costs: millions of dollars in reimbursed points, including refunding merchants like Amazon in the case of fraudulent points-for-product transactions; fines and lawsuits (if a data breach occurs); and the lost lifetime value of customers who jump ship. And don’t forget the time (i.e., money) customer support spends assuaging irate customers, investigating claims, and restoring stolen points.

But the intangible effects of loyalty fraud — which ultimately carry their own share of financial harm — may deal the most damage.

One of the first dominoes felled by a rampant loyalty fraud problem, particularly one rooted in a data leak, is customer churn. The outcry from affected users, in tandem with negative PR, is a serious reputation killer. A brand can’t create a Trusted User Experience without trust from its customer base. And building, or rebuilding, that trust with existing and new users isn’t possible without the help of a data-driven antifraud platform.

With ATO losses up 72 percent year-over-year, and loyalty fraud comprising a significant chunk of that number, brands must enlist a solution with ample data and algorithms powerful enough to preempt fraudulent activity in real time — before points, personal details, and customer trust are lost.

Want to score points with your customers? Try Deduce for free today and see how our Identity Network of more than 450 million anonymized user profiles can neutralize ATO threats for companies of all sizes.