Editor's Note: Coming off of the recent Loyalty Fraud Prevention conference in Atlanta, we have decided that there is no time like the present to devote to this timely and critical topic. Millions, perhaps billions, of dollars are at stake and, unlike other sectors, loyalty is one of the places organizations are most vulnerable to attacks, hacks and other forms of fraudulent activity.
Here then, to kick off our month-long series on Loyalty Fraud, are 10 Questions with Laura Hurdelbrink, Loyalty Fraud Product Manager at Connexions Loyalty.
1) Loyalty fraud, just like data fraud, goes largely unreported and therefore unnoticed by the general consumer. How pervasive is the problem?
You’re right – it is usually unnoticed by the consumer. According to a consumer loyalty survey we conducted, 81 percent of customers treat loyalty and rewards points as cash, but an equal number say they have never really thought about the potential of becoming a victim of fraudulent activity.
Fraudsters are focused on loyalty accounts for two primary reasons: rewards accounts are a high-value item (worth $48 billion in the U.S. alone), and most rewards accounts have a relatively low security threshold, making them an easier target than traditional bank accounts. 72 percent of program managers report experiencing fraud.
2) Are there particular industries that are more susceptible or prone to loyalty fraud than others?
Fraudsters are targeting a wide variety of industries. No particular industry is more susceptible. The susceptibility lies in whether or not one company has less protection than another. Fraudsters go for the path of least resistance. If a company has a weak link in protection, they become an easier target to fraudsters.
3) What loyalty models are most vulnerable or is this problem endemic across the board?
The problem is across the board, but again those that don’t have any fraud protection in place on their loyalty programs are going to be the most attractive to fraudsters and the most impacted by loyalty fraud.
However, fraudsters do target rewards that provide instant gratification. Electronic gift cards seem to have an exorbitant amount of fraud for two main reasons:
- They’re delivered nearly instantly and,
- They require no physical shipping address for delivery. Fraudsters use a valid customer’s e-mail address to pass e-mail validation tools and intercept the eGift.
They attempt to transfer the digital product before the customer notices the redemption confirmation email.
4) Are there any early warning signs that companies can look for to detect potential fraud? Where will the first alarms usually sound?
Typically fraudsters will test the waters. They are trying to see how easy it is to infiltrate and how secure the program is. Most companies only learn that fraud is happening when a customer reports an issue. Since most customers don’t monitor and/or manage their loyalty accounts at the same level of importance as their traditional bank accounts, it could be a long time before an incident is reported. Fraudsters start small: they see if they can get in the door using stolen or leaked credentials, then they try for a small redemption, and if that is successful, they go in for the larger attacks.
5) What does loyalty fraud protection look like? What aspects of a company’s program will a security plan cover?
Loyalty fraud protection has many layers.
- Monitor account activity, including registration, login and transactions
- Educate your customers about loyalty fraud
- Go further with identity verification
What can loyalty programs do? To start, they must be ever sensitive to the customer experience. Loyalty members expect their points and miles to be safe, but they also don’t want to endure protections that would interrupt or burden them in how they manage their accounts. Meeting those customer expectations is paramount, which is why many loyalty programs are turning to a combination of a rule-based approach and artificial intelligence (AI) modeling.
Rule-based detections are a great guardrail against loyalty program fraud. A machine learning approach can do the bulk of the heavy lifting, allowing businesses to predict fraud, scale their protections and adapt in real time.
The combination saves valuable time and resources, improves efficiency and, because AI can predict fraud before it occurs, it decreases a potential friction point, improving the customer experience.
6) At the enterprise level, loyalty fraud could have a genuine impact on bottom line. What kinds of things are companies implementing now in order to combat the problem? What kinds of things should they be implementing?
Many companies are still trying to quantify the problem. In many cases, company stakeholders are trying to understand the true impact of loyalty fraud in order to secure funding to combat it.
Calculating the true cost of loyalty fraud goes far beyond the cost of investigations or reimbursement of stolen points and miles. After an instance of loyalty program fraud, a brand risks losing its most valuable asset – loyal customers and the lifetime value they bring to a brand.
For those who have identified the problem and have been able to implement a solution, there are two likely current solutions.
- Manual review - Rely on manual reviews of redemptions to ensure their validity.
- Rule-based approach - Traditional loyalty fraud prevention programs operate based on rules. They leverage a series of static if/then statements which filter out good events from bad events.
For example, if the program is seeing multiple fraudulent online redemptions coming from the same IP address, it can establish a rule that flags all redemptions from that address for further review. In other words, if a redemption transaction comes from IP address X, then it automatically gets more scrutiny.
The ideal fraud solution should pair rule-based with artificial intelligence (AI) to combat fraud. Employing artificial intelligence utilizes a system that learns the difference between good and bad events at scale over time, without human intervention. AI helps uncover fraud incidences before they occur and prevents future attacks.
7) There are essentially 3 different potential sources of fraud:
What can you tell us about each of these groups and their propensities for loyalty fraud?
By far, loyalty fraud has surged thanks to organized criminals and hackers, who know how to exploit security holes and customers’ weak passwords in order to snatch miles and points. Their goal is to use program currency to purchase consumer goods or hotel stays, as well as credit cards registered with the account to purchase even more points and miles. They then sell or exchange these items on the black market for cash or desired items.
While less common than outside fraudsters, employees and other insiders (such as friends and family members) often have access to the loyalty program’s system or to someone who does. That means dishonest people may take advantage of the opportunity to scam or game the program. For example, employees with the right technical knowledge might be able to reallocate frequent flyer miles, insert their own loyalty program information to earn points, or even steal credit card information from customers. In one case detailed on several blogs, a London IT employee reportedly rigged an account to accumulate millions of points and then cashed in for the equivalent of $13,000 before being caught.
Even loyalty program members themselves can game the system and commit fraud. For example, there have been reported instances of “double dipping” between multiple frequent flyer programs — such as when a customer is on the phone with a representative but also logged into the website to attempt to redeem miles at the same time. Customers also have been known to sell miles or points to “mileage brokers,” which is against most program rules.
75% of data breaches occur by outsiders while 25% of incidents originate from inside jobs.
8) From a consumer standpoint, what kinds of things should people be aware of? What kinds of checks & barriers should they implement?
Many consumers don’t monitor their loyalty accounts until it’s time to redeem an award. Perhaps a frequent flyer program member who doesn’t fly often only checks her account once or twice a year. This allows plenty of time for thieves to track patterns, get into accounts and withdraw points before the program member realizes something has happened. Encourage your members to check their account statements and entice them to log in more frequently, perhaps giving them an incentive to do so with a special promotion. Become educated about breaches and get into a routine of creating unique and challenging passwords. It is also important to change them on a regular basis. They should treat their loyalty accounts as they would any bank or credit card account.
9) If fraud has been detected, what steps should organizations take to shore up consumer and shareholder confidence?
If you experience a loyalty fraud issue, transparency and timing are keys to recovery. The sooner you notify your customer base that there is a problem, the sooner they can react and the more likely they will remain satisfied with your response. The more transparent and forthcoming companies have been in light of loyalty fraud, both publicly to the media and privately to members, the better the business has fared. The companies that engaged in open communication are the ones whose CEOs weren’t fired, whose stock prices didn’t plunge and whose customers remained loyal.
10) Once detected, are loyalty fraudsters easily identifiable? Can they be prosecuted or what measures exist to deter fraud before it happens?
By leveraging experienced fraud investigation teams that are skilled in uncovering fraudulent behaviors and patterns, loyalty fraud can be easy to identify. But, exposing a fraudster’s true identity is sometimes larger than just the information that you have. Most fraudsters are part of a larger, more organized crime unit and are only one component of a larger fraud scheme. Engaging with the appropriate authorities to aid in the investigation increases the likelihood that prosecution will occur.
Laura Hurdelbrink is Loyalty Fraud Product Manager at Connexions Loyalty.
Mike Giambattista is Managing Editor at The Wise Marketer.