Loyalty Fraud is when a fraudster gains unauthorized access to an account tied to a loyalty rewards program offered by a merchant. The fraudster then either takes direct advantage of the points themselves, exchanges the points for goods they can resell, or uses the points as a pseudo-currency to make purchases on the dark web.
Companies of all sizes struggle with this problem. Customer loyalty is an important factor for success in digital marketplaces. In fact, 74% of marketing and customer experience professionals say customer loyalty is central to their plans for long-term customer retention. Consumer research backs them up. Three in four consumers actively participate in three or more loyalty programs regularly. Therefore, there is great incentive to run large loyalty programs that provide customers with high amounts of value. They are here to stay.
Unfortunately, that high-value attracts fraudsters. The cash value of loyalty program rewards offered in the US alone is at least $48 billion. Specializing in this kind of fraud offers a large pool of potential targets.
In addition, customers remain overwhelmingly lax about securing loyalty program accounts. Many companies only require a username and password to access these accounts. In an era of increasing 2FA security (especially among millennials and the generations after them), this makes loyalty accounts a relatively easy target for fraudsters.
Types of Loyalty Fraud
Three types of loyalty fraud exist:
- External Fraud. Hackers gain access to a loyalty program account. This is a type of account takeover fraud (ATO) attack. First, the dark web circulates “configuration files” that tell hackers how to make account login attempts as quickly as possible on a certain website. Second, hackers sell “data dump” files that provide login/password credential combinations for that site. Finally, fraudsters use the site credentials on the site. They clean out the loyalty points of any account they gain access to.
- Internal Fraud. Internal loyalty fraud schemes are inside jobs. Employees use their access to a merchant’s backend systems to gain access to customer accounts and steal points. Examples include cashing in rewards, syphoning points away, and misdirecting point accreditation. Often, this type of fraud occurs due to a failure to implement known security best practices.
- Friendly Fraud. Authorized loyalty account holders sometimes violate its terms of service in an effort to accure unauthorized benefit. One example of this is when multiple members of a family accrue points on the same account. Another example is the unauthorized resale of points by the account holder to a third party.
Prevent Loyalty Fraud
Successful loyalty fraud schemes usually occur due to account holder or merchant apathy. Despite their value, the value of loyalty programs are both long-term and illiquid assets. As a result, there is a tendency to overlook them. This makes them an easy target for fraudsters. Often, neither the merchant nor the account holder realizes a problem exists until it’s too late.
Both account holders and merchants can take steps to prevent loyalty fraud.
- First, both account holders and merchants should take proactive steps to prevent hackers from gaining access to accounts. For account holders, this means not reusing usernames or passwords across accounts and regularly checking account activity statements for unauthorized activity. For merchants, it’s important to maintain the security of backend technology. Use impenetrable hosting to keep data security, adhere to international ISO security standards, and train personnel on proper security practices such as avoiding phishing scams.
- Second, merchants should limit the speed of point accrual and spending. Merchants should set time limits on both the speed and quantity of point accrual. In addition, limit transfer authorizations to reasonable amounts needed for common transactions. One way to do this is to make accrued loyalty account points inaccessible for a certain length of time.
- Third, merchants should flag mismatches between an account’s expected and actual usage. Machine learning models can monitor account holder behavior for usage that deviates from expectations in a way that indicates fraud. For example, sudden accelerated point accrual/spending, frequent redemptions, or any kind of change in the usage of a long-standing account should be flagged.
- Fourth, account holders should frequently monitor their own account activity. Merchants must educate account holders about the dangers of loyalty fraud and the importance of monitoring accounts. In addition, merchants can help the process along by incentivizing holders to do so.
The High Consequences of Failing to Protect Customers High
Data privacy is increasingly important to customers. Merchants do their best to prevent the data breaches that lead to loyalty fraud. However, hackers are skilled at bypassing merchants’ defenses. Unfortunately, successful attacks can and do occur in all consumer facing industries.
Increased customer awareness of the problem increased regulators’ awareness. The European Union GDPR Directive requires companies doing business with Europeans to protect customer data. The EU already handed down several fines for non-compliance with the directive. Regulatory oversight across all jurisdictions should increase in the future. In the US, failure to comply with HIPAA data protection regulations can result in a $50,000 per compromised customer.
In addition to regulatory fines, companies also face breach remediation costs on their systems’ backends, as well as lawsuits from customers. This last point is arguably the most important. Companies forced to make public admissions of data breaches lose customer confidence and loyalty.
Here are a few examples of successful loyalty fraud by industry:
- Banking. MasterCard suffered a loyalty program data breach that leaked the names and payment card numbers for members of its “Priceless Specials” loyalty program.
- Airlines. British Airways suffered a nearly £200 fine for failing to protect 500,000 customer accounts. Information stolen included credit cards, login details, and even travel bookings.
- Hospitality. A Radisson hotel loyalty points breach required nearly an entire month for the company to discover. EU regulators took notice.
- Food and Beverage. Hackers targeted Dunkin’ Donuts’ DD Perks loyalty points program, forcing the company to tell all customers to change their login credentials.
Increased Opportunity Means Increased Fraudster Activity
Merchant incentives to increase the value and scope of customer loyalty programs means the problem will not go away. However, the tools to prevent loyalty fraud exist. Companies can take steps to increase their own preparedness, as well as customer awareness of the problem.
To learn more about the fraud prevention solutions working to prevent this ongoing and serious problem, check out Merchant Fraud Journal’s special report about how to protect yourself from the biggest fraud trends in 2020.
Sources:
https://www.thewisemarketer.com/data-and-privacy/loyalty-fraud-10-questions-with-laura-hurdelbrink/
https://www-03.ibm.com/press/us/en/pressrelease/53646.wss
https://www.bankinfosecurity.com/blogs/radisson-suffers-global-loyalty-program-data-breach-p-2677