Airline loyalty programs first appeared in the early 1980s, with American Airlines pioneering the idea of offering rewards to their frequent travelers. Today, loyalty programs are widespread, with an estimated 3.3 billion memberships in the U.S. alone. Organizations ranging from global brands like Starbucks to small businesses like the local pet store use them to build customer loyalty and deliver value back to consumers.

However, as these programs and their underlying technologies evolved, one core factor was overlooked: system security. Loyalty programs now found themselves vulnerable to a new form of fraud — the theft and misuse of miles and points.

Loyalty fraud is often overlooked, but air miles and loyalty points are essentially a form of currency, just as valuable as cash and credit cards. And the impacts of loyalty fraud can be just as damaging as traditional form-of-payment fraud.

The Risk to Airlines and Consumers

How big of a problem is loyalty fraud today? We examined the current state of loyalty fraud in air travel to find out.

According to the white paper, “Benchmark Study: 2018 Global Airline Online Fraud Management,” published by Phocuswright in cooperation with CyberSource, ARC and IATA, 82% of airlines offer loyalty programs where travelers accrue miles for redemption. “Points and miles purchased with a stolen credit card” was selected by 60% of respondents as one of the most common types of loyalty fraud (a sizable increase from 49% in the 2014 study). The second-highest selection was “loyalty account theft” (where a loyalty account is taken over by someone other than the owner), which was chosen by 52% of respondents — up from just 39% in 2014.

The report states, “Both techniques can be used by fraudsters to buy numerous tickets or purchase merchandise, accrue thousands of loyalty points, and cash them in before the fraud is discovered, which brings the added downside of additional chargebacks from cardholders.

“These are significant increases from the 2014 study,” it continued, “which punctuates that loyalty program fraud is on the rise. Airlines must progressively adopt fraud detection and management techniques for their loyalty programs as they grow in importance.”

Airlines aren’t the only ones affected by loyalty fraud. Consumers are more susceptible to this type of fraud than they might expect, according to Chargebacks 911.

“Looking at Loyalty Points:

  • U.S. consumers maintain approximately 3.3 billion loyalty program memberships.
  • Stored points and miles are valued at $48 billion in the U.S. alone.
  • 81% of consumers view loyalty points as cash.
  • One in three program members only check their balance once every few months. One in ten never check their balance.”

The Chargebacks 911 article continues:

“That’s bad news, especially considering the lax attitude many consumers have toward security:

  • More than 8 in 10 consumers reuse the same password across multiple sites.
  • 3 in 10 consumers share a password with two or more other people.
  • 6 in 10 consumers have been forced to reset a password within the last 60 days.”

Miles and Points Are Essentially Cash

In addition to flights and hotel stays, points can be used to obtain tangible goods and services, including gift cards. In many ways, this makes points equivalent to cash.

Loyalty fraud, or points fraud, is difficult to detect. This is because fraudsters obtain enough information, through social engineering or other means, to hack into these accounts and genuinely appear to be the real user. Historically, there has been limited security, both on the part of the consumer and the companies managing these programs. This makes loyalty points easily accessible to fraudsters. To make matters worse, the victim of loyalty fraud won’t know of their loss until they check their balance or decide to use the points. By then, it’s often too late.

Greater security measures are needed from both consumers and loyalty programs — similar to those taken with bank accounts by consumers and banking institutions.

The Breach

According to Barracuda Networks, airline phishing schemes are a highly effective form of attack that criminals use to gain access to systems and personal information. In fact, when examining data from hundreds of thousands of corporate customer email inboxes, analysis showed that these attacks were successful 90% of the time. This is an astounding number, albeit not necessarily surprising.

In these instances, hackers impersonate a trusted source, either a travel agency or a plausible employee, with an email that appears to be a reservation confirmation or an e-ticket. In some instances, an email attachment may conceal an advanced persistent threat (i.e., malware). In others, the email directs the unwitting employee to a website designed to look like the airline’s website, where the user enters their login credentials. The attacker captures these credentials for future use, either to monitor corporate activity and communications or to steal information. In some instances, that information may be related to a loyalty program.

Given the fact that these types of attacks are so successful in a well-controlled (and more actively patrolled) corporate environment, the broader traveling population is likely more susceptible to similar attacks by criminals posing as travel agents, suppliers and other trusted entities. Once credentials are stolen, criminals can leverage the stolen information to gain nearly unfettered access to loyalty points.

However, fraudsters aren’t only impersonating travel agencies to obtain credentials and the points associated with them, but also to use those points. In this editorial, Michael Smith, managing partner of Airline Information and cofounder of the Loyalty Fraud Prevention Association (LFPA), cites research conducted by Airline Information. According to Smith, “the most pressing loyalty fraud problem involved criminals posing as ‘travel agents’ using either stolen or illegally bought miles to turn into tickets, which are then sold to unsuspecting customers. Often the customer does not know this is the case until they try to claim the frequent flyer miles earned on the itinerary.”

Because most consumers don’t check their miles balances frequently, fraudsters’ actions can easily go unnoticed for months.

Make sure to join us during ARC’s Fraud Awareness Month in September, when Peter Maeder from LFPA will present the webinar Trends in Loyalty Fraud – What You Should Know.

What Are Stolen Miles Worth?

Comparitech estimates that one mile has a monetary value of 1 to 2 cents, which means a 100,000-mile balance is worth roughly $1,500. The value may vary depending on the demand for that program’s miles and other market factors.

How do fraudsters obtain these miles and loyalty points? On dark web marketplaces such as Dream Market, reward points from over a dozen different airline programs can be obtained, including Skywards, SkyMiles and Asia Miles.

Delta SkyMiles and British Airways Miles are often the most commonly found airline miles on these sites. These miles have a range of pricing, with the following rates on Dream Market per this September 2018 article in Forbes:

  • 100,000 BA Executive Club miles = $884
  • 200,000 BA Miles = $45
  • 45,000 Delta SkyMiles = $844

The price of these miles is set by the seller’s preference rather than by supply and demand. Cryptocurrency is the tender of choice on dark web marketplaces, and because the value of cryptocurrency is fairly volatile, the true cost of the miles often fluctuates.

Once the fraudster has obtained these miles, they sometimes extract the value by booking travel, as previously described, but they also have access to a range of products and services, including gift cards. Gift cards are highly desirable to fraudsters because they don’t require an ID or PIN and are therefore easier to use.

There is also a marketplace known as a “grey market,” where unused miles can be purchased, generally to book business- and first-class upgrades. Customers receiving these upgrade tickets may be in for a surprise at the ticket counter when their ticket is cancelled by the airline for the improper use of someone else’s miles.

For victims of stolen miles, there is very little that can be done. Once the miles are stolen, they are gone — unless the airline or reward program chooses to refund stolen points. This has a direct impact on the company’s bottom line but can help retain a valued loyalty customer — which puts these companies in a challenging position.

The Impact to Travel Brands

Fraudsters are eager to gain access to consumers’ loyalty accounts. These accounts are often easy for fraudsters to access — whether that’s because consumers don’t know how to properly protect them, because they don’t consider their financial value or through highly effective attacks on the organizations who manage the programs.

Unfortunately, this can have a serious impact on travel brands:

  1. Loyalty Programs Suffer – Fraud attacks discourage loyalty program participation, defeating the value of the program’s existence. Considering the fact that banks purchase billions of airline miles each year for their own credit card rewards programs, this would be a serious threat.
  2. Sensitive Data Can Be Compromised – Loyalty programs store valuable personal data, similar to that of banks, making them a prime target for fraudsters.
  3. The Bottom Line Is Impacted – Research shows that 1 in 4 program members would cancel a reward membership if their account were compromised, with 17% stating they would stop doing business with that company. A customer impacted by fraud could put the program between a rock and a hard place. If the brand highly values a loyalty customer, they will likely replace the stolen points, ultimately handing out double points. If the brand decides not to replace the points, it runs the risk of losing that valuable customer.

What We Can Do About It

As previously referenced, program membership is estimated at 3.3 billion in the U.S. While this is a significant number, more than half of these are reported as inactive. Low levels of security, combined with the amount of personal data that remains even on an inactive account, provides fraudsters with ample opportunity to obtain highly sensitive information. Additionally, a fraudster who gains access to one account can try the same login credentials to access the consumer’s other accounts — amplifying the risk of loss and identity theft.

Loyalty programs can implement a number of solutions to safeguard against system weaknesses. Adopting two-factor authentication, for one, is a powerful defense against account takeover.

If two-factor authentication is not an immediate option for your program, consider some of the following actions to create a safer environment for your company and your customers:

  • Monitor account activity. A sudden spike in activity on a dormant account might be a red flag. Ask your customers to verify security information and confirm their identity before granting access to any of the points in their account.
  • Adopt stricter login credentials. Remind customers to change their passwords twice a year, at a minimum. Require strong, unique passwords that use alphanumeric and special characters. Apply CAPTCHA solutions to prevent botnet attacks.
  • Coach your customers. Your customers play a key role in the fight against loyalty fraud, and account security is in their best interest. You both benefit, and you are both responsible for each other’s security. Ensure your customers are aware of security best practices such as:
    • Checking account balances regularly
    • Updating passwords
    • Setting up activity notifications
    • Reporting suspicious activity
  • Contact inactive users. Establish an outreach timeline, and contact the customer at the point they’re considered “inactive.” Have they lost interest, or are they unable to engage with the service? Locking inactive accounts is another preventive measure, but many businesses are concerned this could create customer friction and disengagement. If you are upfront and explain why it was done, for their security, most customers will understand and gladly contact you to unlock their account.

The above solutions serve as a starting point, but more can be done to secure your program. There are many solution providers who can assist in establishing a program specific to your business.

Recent data breaches and ongoing cyberattacks show that loyalty programs remain an easy target for fraud until their security improves.

If you have questions about how your organization can fight loyalty fraud, contact ARC’s risk management team at stopfraud@arccorp.com.


The following sources were referenced for this article:

1. https://blog.gemalto.com/financial-services/2017/05/02/loyalty-program-points-hackers-watch-phishing-scams-risk/

2. https://www.cybersource.com/content/dam/cybersource/en-EMEA/documents/DP_Datasheet_LFM.pdf

3. https://chargebacks911.com/loyalty-fraud/

4. https://postfunnel.com/three-types-loyalty-frauds-cost-business-millions/

5. https://blog.sift.com/2018/loyalty-program-fraud/

6. https://www.rsa.com/en-us/blog/2018-11/loyalty-points-fraud-why-reward-programs-are-a-growing-target

7. https://www.forbes.com/sites/donnafuscaldo/2018/09/20/hackers-have-a-new-target-frequent-flyer-miles/#5c1c43b01d7f

8. http://www.loyaltyfraudassociation.org/editorials/385-loyalty-fraud-on-the-increase

9. https://www.comparitech.com/blog/information-security/how-much-are-stolen-frequent-flyer-miles-worth-on-the-dark-web/