Over a decade ago, I came across the story of a member of Qantas’s Frequent Flyer programme who had all the points in his account taken and turned into a large flat-screen TV. Nothing unusual about that, except the fact that he hadn’t made the transaction, and the TV wasn’t delivered to his home! This was the first account takeover (ATO) fraud I ever came across.
That led to a presentation on the topic of loyalty fraud at our Airline and Travel Payment Summit. Such was the industry demand that we put together 30 workshops on the topic. The resulting feedback was that a group was needed to help deal with the ever-changing nature of loyalty fraud. Together with my colleague from Airline Information, Chris Staab, I set up what is now the Loyalty Security Alliance (LSA) as an independent forum to share best practices and to help the programmes get ahead of (or at least keep up with) fraud and fraudsters.
Fraud has been around since loyalty programmes started – at the LSA we often refer to these as ‘traditional’ frauds. ATO is a more recent (and growing) trend.
The easiest way to think of fraud in a loyalty programme sense is that people are trying to get benefits that they aren’t entitled to. Now, that’s not a legal definition, but it helps give an insight into why this type of fraud is committed. Loyalty fraud is often carried out by a programme’s customers – sometimes their most loyal ones. Airlines often run status match offers for top-tier members, giving them status in another programme, and some of those best customers try to defraud this system.
Another group are company employees. Think of a supermarket cashier swiping their own loyalty card to collect points at the checkout, where a customer doesn’t offer their own card. There is a good chance that the employee will not think that is fraud or stealing. But back to our broad definition, the programme isn’t designed to give that benefit to the cashier.
Those are just a couple of examples – there are numerous types, flavours, and mixtures of all these ‘traditional’ loyalty frauds. If it’s possible for people to either game the system or exploit a loophole, then they will. It is true that exploiting a loophole does not equal committing fraud – in terms of a legal definition. Woolworths, a supermarket chain in New Zealand, launched its reward programme in that market. There was a loophole that allowed multiple accounts/bonus transfers to be created. Sure enough, people were creating accounts to take advantage of the bonuses which were, no doubt, designed to be a one-off. While this doesn’t strictly qualify as legal fraud, it isn’t a financial model that can last.
Earlier in 2024, I presented on this topic at a conference, and I asked the attendees how much value/money was sitting in loyalty programme accounts across the world. Most of them were not aware that it runs into hundreds of billions. There’s no exact official figure, as many programmes are private and don’t publish their numbers. But take a couple that do. The liability in dollars sitting on the balance sheet of American Express for membership rewards was USD 13.7 billion at the end of December 2023. For the SkyMiles programme of Delta Airlines, it was USD 7.6 billion (February 2022) – which is money set aside for when customers redeem their balances.
Back to our Qantas member and his flat-screen TV – those points in his taken-over account were turned into near cash – that TV could then easily be sold for real money. We only have one published and public ‘hard’ number – also from Australia – from an annual loyalty research paper which found that 3% of Australian loyalty members had been victims of loyalty account takeover fraud*. This might seem a small percentage, but the Qantas programme is huge, and their balance sheet liability is around USD 1.94 billion. Therefore, if it is your hard-earned rewards getting taken over and turned into something other than what you want, then that fraud is very personal.
There is good news: it’s not all doom and gloom – and that’s not just because, with LSA, we’re there to help. There are a good number of other companies out there that have set up and are delivering services that can help too.
Tackling ATO falls into two main areas. The first is prevention. You need to stop people from getting into the account in the first place, and companies can help by using artificial intelligence (AI) and other technologies to keep accounts safe. These companies specialise in detecting bots – and a lot of ATOs are caused by them. Criminals – especially organised crime – have easy access to automated tools that use stolen data to crawl the web, pushing at every online account door until one opens.
The second area is detection – should the account become compromised, then you need to know that well before the customer does and stop the value in the account from being stolen. Interestingly enough, the fraudsters who access the accounts and take the value often then sell this information on the dark web. So, if you have a large programme, then regular monitoring of what’s being sold on the dark web is a very good practice to know if your customer accounts are being taken over.
All this sounds very tech orientated. However, loyalty programme managers shouldn’t see it as a cybersecurity issue and consider that the techs in IT should look after it. Yes, data breaches are one method by which accounts can be compromised – but poor programme design can also make it easier for accounts to be taken over. Steve Francis, the Cyber & Intelligence Solutions lead at Mastercard, talks about ‘cyber health’, and I think that’s a good way for programme managers to think of it. If you end up just trying to cure the symptoms caused by a poor programme design, then all the tech in the world is only going to have a minor impact.
If you want to read more about the topic, there is a dedicated chapter on loyalty fraud in the second edition of ‘The Complete Guide to Loyalty Programs’ which you can get on Amazon. Alternatively, the LSA website has a lot of good reference material.
You can also contact me or Chris Staab directly – he can share with you details of the various LSA webinars (the most recent one being with the US Department of Homeland Security) and the extensive back catalogue of other sessions, covering a wide range of frauds and the prevention techniques you can take to protect your programme.
*According to 2019 Love or Money Research.
Michael Smith, co-founder of the Loyalty Security Alliance, has extensive experience in cybersecurity and loyalty programs. His efforts have played a key role in encouraging collaboration among industry stakeholders to address security challenges. As part of his work for Airline Information, he has contributed towards organising events and providing education for professionals in the loyalty industry, thus playing an important role in facilitating security and fraud discussions amongst loyalty experts. He is dedicated to enhancing security measures and promoting best practices to combat fraud in loyalty programs.
Ai Connects is the online hub for Airline Information events, offering a comprehensive platform for industry professionals. From conferences to webinars, it serves as a central resource for networking, insights, and updates within the aviation and travel sectors. Access the latest developments shaping the future of air travel, explore trends, and connect with key players through their website.