Loyalty and rewards programs have become a powerful tool in customer retention and engagement in a time of skyrocketing customer acquisition costs.
In a Talker poll, 68% of respondents said a retailer’s loyalty program was an important factor in deciding whether and where to buy — reflecting shopper sentiment repeated over the years. Gifting platform Snappy found not only that 70% of survey respondents said loyalty programs were a key factor in deciding where to buy, but also that 76% reported spending more when a loyalty and rewards program was involved.
But shoppers aren’t the only ones who find loyalty programs attractive. As merchants have upped their payment fraud protection game, fraud rings are moving through the buying process looking for vulnerabilities. Combine that with online brands’ embrace of loyalty and rewards programs as an incentive for consumers to create accounts and you can see where this is going.
Not every online brand was diligent about creating the necessary security for customer accounts in the rush to encourage sign-ups. And the truth is, consumers aren’t always vigilant about monitoring their loyalty and rewards accounts, checking balances only when it’s time to buy.
Consider airline frequent flyer miles, one of the most valuable categories of loyalty points for both consumers and fraudsters. A typical leisure traveler might review an airline account once or twice a year, leaving plenty of time for a fraudster or fraud ring to crack the account and make off with the valuable miles. The story is similar when it comes to other loyalty and rewards programs.
Consumers belong to an average of 16.6 loyalty programs but actively use fewer than half of them, leaving the rest open to plunder.
Since this type of fraud is so common and yet still hard to fight, we’re here to help with an overview of the problem plus steps retail leaders can take to protect customers and limit their own liability. After all, few things could more quickly turn a consumer against a brand than having their reward points cleaned out.
Fraudsters cash in big on loyalty and rewards program scams
With billions of dollars at stake across countless loyalty and reward programs, it’s important to understand how vulnerable these points-to-dollars programs are.
While stories of frequent flyer accounts being hacked and cleaned out occasionally erupt on social media platforms and forums such as Reddit, consumers’ awareness around loyalty point theft might still be limited.
The points become as useful as cash in the hands of fraudsters, and fraud rings are becoming better at figuring out ways to use the accounts, points and miles once they have control of them. For starters, they might sell the accounts on the dark web. Hackers sometimes combine miles or points from several accounts to acquire more valuable items. Signifyd Senior Director, Product Jeff Wixted described an intricate scam to illustrate the creativity that goes into exploiting stolen airline miles:
- First, the fraudster buys a refundable ticket using the account holder’s credit card on file in the account.
- Next, they buy an add-on to the ticket — a seat upgrade, a checked bag, etc. — using a debit card in their own name.
- Then they go to the airline website and cancel the ticket.
“And they’ll social engineer this over the telephone with an agent to say, ‘Can you just credit the entire value of this ticket back to my debit card?’” Wixted explains.
The key to the fraudsters’ success is account takeover fraud — a form of online fraud that has grown dramatically in recent years. A so-called ATO attack gives fraudsters the advantage of appearing to be the rightful account holder.
Carding attacks often signal reward program fraud
This form of fraud is often initiated by a barrage of carding attacks — repeated and often automated attempts to break into accounts by trying a dizzying number of user name and password combinations. The idea is to determine which stolen cards are still valid and which have been canceled by the rightful cardholder. The Merchant Risk Council reported last year that six in 10 of the 1,100 merchants it surveyed said they’d seen an uptick in account takeover fraud in the most recent 12 months.
Fraudsters are casting a wide net in the rewards and loyalty program fraud arena; therefore, all industries are at risk. These criminals look for opportunities to scam companies with the weakest anti-fraud measures in place. If a company leaves an opening in fraud protection, fraudsters can find and exploit it for their gain.
It’s all part of fraud’s expanding footprint. Ecommerce fraud has become industrialized and increasingly sophisticated in recent years. Massive fraud operations working out of compounds in Southeast Asia and elsewhere run multifaceted scam operations that can strike quickly and at scale.
Fraud moves fast. But merchants and shoppers can get ahead of these scams to protect their vested interests. It’s still a new fight in an evolving landscape, so any steps to stop loyalty and rewards program fraud can help.
Retailers and customers can fight back against loyalty fraud
The best loyalty and rewards programs come with a thoughtful online fraud prevention solution steeped in awareness and vigilance. Fraudsters will test the waters at all unguarded entry points, and most companies only learn about their program’s fraud vulnerabilities when consumers report issues — long after the fraudsters have pulled off their heists.
Since consumers do not monitor or manage their loyalty accounts the same way they monitor their traditional savings and checking accounts, it could be weeks or months before the customer notices issues and files an incident report with the business. Fraudsters often start small, peeking into a rewards program account’s vulnerable entry path and using stolen or leaked credentials to see how far they can get. Once they determine that they can get account access without tipping off an account holder, they exploit the account for larger attacks.
Protecting customers and maintaining the popularity and ease of use of loyalty and rewards programs is a tricky line to walk. Here are some ways to encourage customers to protect their rewards as if they were cash:
- Educate customers on all aspects of your rewards and loyalty programs, such as their cash value and their appeal to fraudsters, while emphasizing account security.
- Monitor customer account activity, including registration, login, transactions and email confirmation requests.
- Implement multi-factor authentication for loyalty and rewards program activities wherever possible.
- Turn to innovative machine learning solutions that detect and prevent fraud at the account level.
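As a sketch of what monitoring login and transaction activity can look like in practice, the following added example (not from the original post and not Signifyd's product) runs two simple rules over constructed loyalty-account events: one flags a source whose failed logins hit many different accounts in a short window, the other flags a redemption that closely follows a new-device login on a long-dormant account or an email change. The event format, field names and thresholds are assumptions chosen for illustration, and events are assumed to arrive in time order.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): time, type, account, source IP, device id.
RAW = """\
2025-01-10T09:00:00 login_ok alice 198.51.100.7 dev-A
2025-11-28T02:14:01 login_fail bob 203.0.113.9 dev-X
2025-11-28T02:14:03 login_fail carol 203.0.113.9 dev-X
2025-11-28T02:14:05 login_fail dave 203.0.113.9 dev-X
2025-11-28T02:14:09 login_ok alice 203.0.113.9 dev-X
2025-11-28T02:16:30 email_change alice 203.0.113.9 dev-X
2025-11-28T02:20:00 redeem alice 203.0.113.9 dev-X
2025-11-28T10:00:00 login_ok erin 192.0.2.44 dev-E
2025-11-28T10:05:00 redeem erin 192.0.2.44 dev-E
"""

def parse(raw):
    rows = [line.split() for line in raw.splitlines() if line.strip()]
    return [(datetime.fromisoformat(t), kind, acct, ip, dev) for t, kind, acct, ip, dev in rows]

def credential_testing_sources(events, window=timedelta(minutes=5), min_accounts=3):
    """IPs whose failed logins hit min_accounts distinct accounts inside one window."""
    fails, flagged = defaultdict(list), set()
    for ts, kind, acct, ip, _ in events:
        if kind != "login_fail":
            continue
        fails[ip] = [(t, a) for t, a in fails[ip] if ts - t <= window] + [(ts, acct)]
        if len({a for _, a in fails[ip]}) >= min_accounts:
            flagged.add(ip)
    return flagged

def risky_redemptions(events, dormant=timedelta(days=180), window=timedelta(hours=1)):
    """Redemptions soon after a new-device login on a dormant account, or an email change."""
    seen_devs, last_ok, state, alerts = defaultdict(set), {}, {}, []
    for ts, kind, acct, ip, dev in events:
        if kind == "login_ok":
            prev = last_ok.get(acct)
            # Dormant account waking up on a device it has never used before.
            if prev is not None and ts - prev >= dormant and dev not in seen_devs[acct]:
                state[acct] = ts
            seen_devs[acct].add(dev)
            last_ok[acct] = ts
        elif kind == "email_change":
            state[acct] = ts
        elif kind == "redeem" and acct in state and ts - state[acct] <= window:
            alerts.append((acct, ip, ts.isoformat()))
    return alerts
```

A flagged redemption is a candidate for step-up verification or a hold on the points transfer rather than an automatic block, since a legitimate customer returning on a new phone matches the same pattern.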
One powerful way to protect online accounts is to turn to a vast network of ecommerce data that surfaces patterns that provide insights into the identity and intent behind online activity. Signifyd’s Account Protection solution, for instance, relies on transaction, behavioral and historic data from thousands of merchants around the world.
More work to be done on protecting accounts
Merchants that offer rewards and loyalty programs in this era of increased ATO pressure must do their share of monitoring. Automated solutions are helpful year-round and particularly during high-volume traffic times, such as Black Friday or Cyber Monday, when fraud rings take advantage of high volume to test stolen credentials with a series of automated attacks.
Keeping customers happy, engaged and returning to shop again is the goal of loyalty and rewards programs. Your customer experience strategy requires investments that keep up with the latest fraud trends, such as account takeover and friendly fraud.
Any time a customer loses time and money, whether from a poor shopping experience or a rewards scam that steals their hard-earned points, it directly threatens your revenue stream.
Stay ahead of the fraud curve by protecting loyalty and rewards programs through proactive monitoring and customer education. The rewards from these preventative steps will add up to increased revenue and more satisfied customers — a classic win-win.
Signifyd head of storytelling Mike Cassidy contributed to a 2025 update of this post.