How to Stop Fraud in Loyalty Programs


Whether it’s a local grocery store, a national restaurant chain or an international airline, loyalty programs have become an ingrained part of modern consumer life. While providing your name and email when making a purchase may seem like a harmless extra step, loyalty programs are becoming increasingly valuable targets for fraud.

Loyalty programs are soft targets for fraud, explained Amir Mousa, internal audit section head for Al Ain Holding Group, in his session at the 2019 ACFE Fraud Conference Middle East. The industry is estimated to be worth $48 billion, but loyalty programs are far less protected than banks, which has led to 72% of these programs experiencing issues with fraud.

Mousa explained that as the programs have evolved, loyalty points are becoming equivalent to cash. “Now you can go to airline websites and buy anything with their points,” he said. “Coffee machines, concert tickets — anything you can think of.” Those points are also often transferable between partner companies and can be redeemed for temporary promotions. Despite their value, customers aren’t as vigilant about monitoring their loyalty point account balances as they are with their bank accounts.

Loyalty programs can be targeted by three main fraud schemes. The first is when customers take advantage of loopholes in the programs and exploit the reward structure for gain. This causes a significant loss to the issuing organization. One example is when an American civil engineer, David Phillips, discovered that the company Healthy Choice was running a promotion where customers could earn up to 1,000 travel miles with the airline of their choice for every 10 product barcodes they mailed back to the company. Healthy Choice never specified the size of the barcodes needed or a minimum value for the items purchased. Phillips saw an opportunity and bought 12 thousand individual pudding cups, which he redeemed for more than 1.2 million airline miles.

Another fraud scheme is when employees or business partners defraud loyalty programs. One example Mousa shared was an airline agent who created loyalty accounts from the information of thousands of passengers. The agent put in accurate passenger details, but used his email instead of the passengers’, which allowed him to accumulate approximately 2.6 million air miles. He was finally caught when a victim customer went into their account to use miles to buy a trip, checked their balance and discovered it was zero. The customer brought the issue to the parent company, which investigated, and the employee ended up in prison.

The most public fraud scheme targeting loyalty programs is fraud from outside attacks, like data breaches and hacking. International hotel chain Hilton discovered they had been breached in 2014. While that included customers’ credit card numbers, it also included usernames and passwords for their loyalty program. A couple of months after the breach they discovered the loyalty account information on the dark web, where 100,000 points, which could be worth $500, were being sold for $5. Loyalty programs by definition are meant to be easy to use and access for consumers, but Mousa explained, “It’s easy for customers, but it’s also easy for fraudsters and hackers.”

Mousa gave five suggestions for organizations with loyalty programs to follow:

  • Spread awareness. Discuss fraud schemes in loyalty programs with employees and offer training or education on the topic.

  • Track account activity. If an organization is vocal and transparent that they are tracking activity in their accounts, it’s a proactive way to prevent fraud against customers and employees alike.

  • Monitor the behavior in accounts. If a customer’s behavior suddenly changes from their baseline, that’s a red flag to follow up on.

  • Implement multiple security features. Since loyalty points can be as valuable as cash, they should be protected with similar security barriers. Organizations should use security questions and multi-factor authentication.

  • Communication. Companies need to communicate immediately with customers when they find anomalies.
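As an added illustration of the tracking and monitoring suggestions (not code from Mousa's session or the ACFE), the sketch below flags one email address attached to many differently named members, as in the airline agent case, and redemptions far above an account's own baseline. The account records, field layout and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (account_id, member_name, contact_email)
ACCOUNTS = [
    ("A1", "Dana Ortiz", "dana@example.com"),
    ("A2", "Lee Chen", "agent77@example.com"),
    ("A3", "Priya Nair", "agent77@example.com"),
    ("A4", "Omar Haddad", "agent77@example.com"),
    ("A5", "Sam Cole", "Agent77@Example.com "),  # same mailbox, different casing
]

# Constructed redemption history in points, oldest first
REDEMPTIONS = {
    "A1": [500, 650, 400, 550, 600, 48000],
    "A2": [1000, 1200, 900, 1100, 1050, 1150],
}

def shared_email_clusters(accounts, max_members=2):
    """Return {email: [account_ids]} where one normalized email serves
    more distinct member names than max_members (assumed threshold)."""
    names, ids = defaultdict(set), defaultdict(list)
    for acct_id, name, email in accounts:
        key = email.strip().lower()
        names[key].add(name.strip().lower())
        ids[key].append(acct_id)
    return {e: sorted(ids[e]) for e, n in names.items() if len(n) > max_members}

def baseline_deviations(history, min_events=5, z_threshold=3.0):
    """Return {account_id: z_score} where the latest redemption sits far
    above the account's own earlier behaviour."""
    flagged = {}
    for acct_id, points in history.items():
        if len(points) <= min_events:
            continue  # too little history to establish a baseline
        *past, latest = points
        mu = mean(past)
        # Floor the spread so a very steady account is not flagged on noise
        sigma = max(pstdev(past), 0.05 * mu, 1.0)
        z = (latest - mu) / sigma
        if z >= z_threshold:
            flagged[acct_id] = round(z, 1)
    return flagged

if __name__ == "__main__":
    print("Shared-email clusters:", shared_email_clusters(ACCOUNTS))
    print("Baseline deviations:", baseline_deviations(REDEMPTIONS))
```

Flags from either check are leads for follow-up and customer contact, not proof of fraud; a family sharing one mailbox would also appear in the first result.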

When a commodity is as good as cash, people will always try to take advantage of it. And with so much money tied up in loyalty programs, anti-fraud professionals need to know how to stop loyalty program fraud. Luckily for fraud examiners, the same prevention and detection techniques that are applied to cash can be applied to points; it’s just about communicating the similarities.