An estimated $3.1 billion in redeemed loyalty points are deemed to be fraudulent, according to the Loyalty Security Association. Yet half of all merchants say program fraud protection is a low priority. Mix the two, and we have a rise in loyalty program pillaging. Here’s how to spot a points pirate, and protect your brand’s reputation.
By: Jenn McMillen
Reward Points are Treasure, and Treasure Gets Stolen
Therefore, guess what? Loyalty program points are being plundered, at epidemic rates.
The spate of smash-and-grab thefts in Los Angeles may be grabbing headlines (with $25,000 in designer purses stolen from Nordstrom, how could it not?). However, loyalty reward theft represents a far more insidious theft, and it’s taking place right under your nose.
From 2018 to 2019, the most recent year for available data, loyalty program fraud rose 89%. This should surprise no one. Loyalty points have monetary value, and there are $48 trillion worth of unspent points out there – often unwatched and forgotten, as nearly half (45%) of reward program members are inactive. (In the U.S. alone, program members are sitting on more than $140 billion worth of unused rewards points, according to data from Gartner.)
Considering that only $3.1 billion of that $48 billion in unspent treasure is stolen, there’s a lot of untapped opportunity out there for scammers.
Oh, the Many Kinds of Rewards Fraud
Despite the rise of reward program fraud, 42% of merchants say they do not have the skills, and nearly 50% do not have the resources, to prevent it. Scammers, meanwhile, are honing their reward-robbing skills.
Loyalty program fraud takes a few forms. It occurs when a hacker tunnels into someone’s rewards program, when a scammer creates a shell program designed to steal consumer information, or it can be perpetrated by consumers using dishonest practices to gain points. Generally, these schemes fall into one of four categories:
Account pirating. These are hacks in which the perpetrator breaks into an account, usually by using a member’s stolen personal identification number (thanks, dark net) or via an automated cyber-attack (like a phishing email). Such “credential stuffing” – cyberattacks in which lists of user names, email addresses and passwords are the booty – reached a staggering 100 billion from 2018 to 2020, according to cloud-computing provider Akamai Technologies. Once inside, the thief can raid the reward points, redeeming them for money or transferring them to another account. Arrrrgh!
Knock-off accounts. You won’t find these fake accounts selling off of a curbside card table or out of the back of a van, but they are virtually the same as that faux Louis Vuitton handbag your aunt carries. The fraudster creates bogus accounts, often using stolen identities, and then accrues points, transfers them to other accounts in the portfolio, redeems them and even sells them. A hacker may even trade points for a tangible reward and then sell it. Untraceable gift cards are evidently a popular item.
Transactional looting. An offspring of account pirating, transactional fraud takes place when point pirates steal information from the loyalty members’ credit card accounts, digital wallets or other payment methods linked to their memberships. They then go to town making transactions they won’t have to pay for, gaining more points they can quickly redeem in the process. Many also sell this information on the dark net (contributing to the aforementioned credential stuffing, detailed under “account pirating”).
Breaking policy. This is a practice that tragically may be performed by legitimate loyalty members. They seek and take advantage of loopholes in the policy, or weaknesses in the platform, such as signing up for many credit cards that are linked to the same rewards initiative or booking a hotel room for a friend (who pays) in order to gain the points. Sometimes the user may not see this as a nefarious act – giving coupons or promotional codes to friends and family is sharing! But as the rewards operator, you pay. The one upside is the recipient may like the offer and enroll in your program.
How to Put a Points Pirate in the Crosshairs
Spotting a scam requires detecting sudden, notable irregularities in an account or group of accounts. That level of detection requires monitoring.
If you are among the 50% of organizations that don't have the resources, hire a company that does. Some payment protection companies, such as Forter, offer account protection to block fakes, policy abuse prevention and multi-authentication services (think text codes). In my opinion, multi-factor authentication should be the standard, as well as automated emails to remind members to change their passwords every six months.
If you believe your program is the target of a scam, seek help from organizations such as the Loyalty Security Association, your state attorneys general or the Federal Trade Commission. And act now – $3 billion in reward points can buy a lot; it’s what Kanye West estimated his worth to be in 2020, according to Forbes.com. Unstopped, such theft can cause significant material loss to a company. Reward program plundering has emerged from petty theft to organized crime for a reason.
Jenn McMillen, nationally renowned as the architect of GameStop’s PowerUp Rewards, is Founder and Chief Accelerant of Incendio, a firm that builds and fixes marketing, consumer engagement, loyalty and CRM programs. Incendio provides a nimble, flexible and technology-agnostic approach without the big-agency cost structure and is a trusted partner of some of the biggest brands in the U.S.
Recommended Read: Four Degrees of Loyalty Fraud