Loyalty programme fraud is on the rise, yet for many it’s a term they’ve never encountered. That is a problem for businesses, particularly those investing in customer loyalty. Hackers use a variety of tactics to get at customers’ sensitive information and steal their points and rewards. Perhaps more alarming, customers and even employees exploit loopholes in reward systems, which harms your bottom line and erodes customer trust in your brand.
In this blog post, we’ll cover everything from the different types of loyalty fraud to ways you can detect and prevent fraudulent activities.
What is Loyalty Programme Fraud?
Loyalty programmes reward customers and, through higher retention, can increase customer lifetime value. Despite the benefits to both customer and brand, they can be subject to misuse and fraud.
Loyalty programme fraud is the intentional exploitation of a reward scheme. Usually the threat is external: attackers trying to gain access to customers’ loyalty points or personal data. But some risks also come from customers who exploit loopholes in the programme, for example generating referral rewards from worthless leads. There are also internal threats, where employees claim unredeemed points for themselves, friends or family.
External attacks can lead to data breaches, because the sensitive information stored in the reward programme (customer names, dates of birth, home and email addresses and payment card details) may be accessed by attackers. Personally identifiable information (PII) is usually sold on to malicious third parties.
Customers who exploit or “game” loyalty schemes are bad actors in their own right, and they cost businesses a lot of money.
Loyalty programme fraud is estimated to cost operators over $1 billion every year.
Bad actors also tend to share exploits with others, marking out businesses and their members as easy targets, which only exacerbates the issue.
Employees who take advantage of neglected loyalty accounts also break the trust between brand and customer: members may feel the business doesn’t do enough to protect their interests, and hard-earned loyalty breaks down.
Why is Loyalty Fraud on the Rise?
In 2022 the average cost of a single data breach reached an eye-watering $4.35 million.
Fraud is not only costing more, it is becoming more commonplace across the board, and nowhere more so than in customer loyalty.
There are several reasons for this. First, awareness of the problem is low: businesses continue to prioritise other areas and often overlook their loyalty programmes. That is a poor position to be in when, compared with other services that hold financial value, loyalty programmes are already considered easy targets.
One estimate puts loyalty-related fraud at 27% of all fraud experienced online in 2021.
That number will only increase for businesses that continue to overlook the security of their rewards programme.
Types of Loyalty Programme Fraud & How They Happen
Fraudulent activity takes many forms. Loyalty fraud comes from three main groups, hackers, customers and employees, each with typical tactics you should look out for. Below we’ve listed a few examples.
Hackers and other cybercriminals are external threats. They use a range of tactics to reach customer data, loyalty accounts and the loyalty platform itself. Methods include:
Phishing and social engineering (which sees them manipulate victims into divulging sensitive information)
Creating fake loyalty programmes
Hacking loyalty reward platforms and systems
Customers who intentionally violate terms and conditions to game a reward system are committing what is known as friendly fraud. This type of customer behaviour costs businesses more than ever, with some estimates claiming that up to 86% of chargebacks are intentionally fraudulent.
Here are other ways some customers and loyalty members commit fraud:
Excessive social media engagement, e.g. repeatedly sharing the same tweets or posts from a business in return for benefits
Referring poor quality leads for rewards
Selling points or prizes to others
Double-dipping points (redeeming the same balance twice by submitting redemptions through two channels, such as phone and online, at the same moment, before the balance has been updated)
Making large purchases to accrue points, then cancelling the product or service while keeping the points
Family and friend fraud (letting people other than the account holder use the benefits and accrue points with their purchases, where shared accounts aren’t allowed)
Sometimes a customer genuinely doesn’t recognise a transaction on their bank statement, requests a refund and gets their money back for a purchase they did make. Distinguishing genuine errors by good customers from intentional fraud by bad actors is a fine balancing act.
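Double-dipping in particular is worth seeing in code, because it is a race rather than a rule violation: a redemption that reads the balance, checks it in application code and then writes the new balance gives two channels a window in which both see the same unspent points. The Python below is an added example, not code from the original post or from any loyalty platform; it uses an in-memory SQLite table with a constructed member account (table and column names are assumptions) and sets the racy sequence beside a hardened version that checks and debits in a single conditional statement and refuses a replayed request id.

```python
"""Constructed example: the double-dipping race and a hardened redemption."""
import sqlite3
from typing import Tuple

MEMBER = "m-1001"        # constructed member id (assumption)
OPENING_BALANCE = 500
REDEEM = 300             # each channel tries to redeem 300 points


def fresh_db() -> sqlite3.Connection:
    """One member with 500 points plus a table that records every redemption request."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE account (
            id      TEXT PRIMARY KEY,
            balance INTEGER NOT NULL CHECK (balance >= 0)
        );
        CREATE TABLE redemption (
            request_id TEXT PRIMARY KEY,   -- idempotency key sent by the channel
            account_id TEXT NOT NULL,
            points     INTEGER NOT NULL
        );
        """
    )
    con.execute("INSERT INTO account VALUES (?, ?)", (MEMBER, OPENING_BALANCE))
    con.commit()
    return con


def balance(con: sqlite3.Connection, member: str = MEMBER) -> int:
    return con.execute("SELECT balance FROM account WHERE id = ?", (member,)).fetchone()[0]


# --- racy: read the balance, check it in Python, write the result back ----------
def racy_read(con: sqlite3.Connection, member: str) -> int:
    return balance(con, member)


def racy_write(con: sqlite3.Connection, member: str, seen_balance: int, points: int) -> bool:
    if seen_balance < points:
        return False
    # Overwrites with a value computed from a stale read. The CHECK constraint
    # does not catch it because 500 - 300 = 200 is still non-negative.
    con.execute("UPDATE account SET balance = ? WHERE id = ?", (seen_balance - points, member))
    con.commit()
    return True


def double_dip_racy() -> Tuple[bool, bool, int]:
    """Phone and web both read 500 before either writes: 600 points leave a 500-point account."""
    con = fresh_db()
    seen_by_phone = racy_read(con, MEMBER)
    seen_by_web = racy_read(con, MEMBER)
    ok_phone = racy_write(con, MEMBER, seen_by_phone, REDEEM)
    ok_web = racy_write(con, MEMBER, seen_by_web, REDEEM)
    return ok_phone, ok_web, balance(con)


# --- hardened: one conditional debit plus an idempotency key -------------------
def redeem_atomic(con: sqlite3.Connection, member: str, points: int, request_id: str) -> bool:
    try:
        with con:  # single transaction: commit on success, roll back on any exception
            # A duplicate request_id violates the primary key, so a replay is rejected
            con.execute("INSERT INTO redemption VALUES (?, ?, ?)", (request_id, member, points))
            # Check and debit happen in the same statement, so no stale read is possible
            cur = con.execute(
                "UPDATE account SET balance = balance - ? WHERE id = ? AND balance >= ?",
                (points, member, points),
            )
            if cur.rowcount != 1:
                raise ValueError("insufficient balance")
    except (sqlite3.IntegrityError, ValueError):
        return False
    return True


def double_dip_atomic() -> Tuple[bool, bool, bool, int]:
    """Second channel is refused; replaying the first request id is refused too."""
    con = fresh_db()
    ok_phone = redeem_atomic(con, MEMBER, REDEEM, "req-phone-1")
    ok_web = redeem_atomic(con, MEMBER, REDEEM, "req-web-1")
    replay = redeem_atomic(con, MEMBER, 100, "req-phone-1")
    return ok_phone, ok_web, replay, balance(con)


if __name__ == "__main__":
    print("racy   :", double_dip_racy())      # (True, True, 200): 600 redeemed from 500
    print("atomic :", double_dip_atomic())    # (True, False, False, 200)
```

Run it and the racy path reports (True, True, 200): both channels succeed and 600 points leave a 500-point account, and the CHECK constraint never fires because the final write is still non-negative. The atomic path reports (True, False, False, 200): the second channel and the replay are both refused. The same idea applies to any balance store: make the conditional debit a single statement or a serialisable transaction, and key each redemption on a client-supplied request id so a retried or duplicated request can’t spend twice.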
Over half of all fraud is said to be committed by company insiders. That’s not to say your own employees will definitely scam you; it is always a minority. Still, it’s worth knowing how this type of fraud looks so you know what to look out for. Here are a few examples of how internal fraud might take place:
Employees with authority to distribute points may credit their own accounts or the accounts of their family and friends
They may even add points in an account to resolve a problem for customers who don’t exist
Redeeming points from customers who forget, or simply aren’t interested in, claiming rewards after purchases
Data breaches pose a major risk for loyalty programmes. Reward schemes have historically been less secure than banking apps, crypto exchanges or other software that routinely handles sensitive information. Specialist loyalty platform providers have improved matters, yet loyalty schemes built in-house are still considered soft targets.
Breaches happen when cybercriminals gain access to data stores and extract sensitive details about the victims. In the case of a loyalty platform, attackers get in remotely, bypass the company’s network defences and reach customer loyalty accounts to extract payment details and transaction history.
Account takeover (ATO) fraud is another mainly external threat, and it ends with customers locked out of their own loyalty accounts. Fraudsters typically start with a phishing attack to get into the account, then make small, non-monetary changes to the victim’s profile details. This lets them add themselves as an authorised user, or register a contact address they control, which in turn gives them the ability to change the password and shut the legitimate owner out.
Once they have full control, they spend the balance. All fraud is damaging, but loyalty account takeovers are especially so because many customers don’t check their loyalty accounts for weeks; by the time they do, the rewards are gone and their PII has been accessed. In 2021 alone, over 24 million US households fell victim to this type of loyalty fraud.
Fake Loyalty Programmes
Fake loyalty programmes are another form of phishing scam. Customers receive an email supposedly from a brand they know and trust, promoting a reward scheme. When they click through they reach a fake landing page, fully branded to impersonate the legitimate brand. Impersonating a trusted sender and site in this way is known as spoofing.
Although it’s one of the oldest tricks in the book, spoofing has had plenty of time to evolve more convincing ways of lulling visitors into a false sense of security. A 2021 threat report showed email-based phishing attacks increased by 7.3%.
Loyalty Points Hacking
Accrued points and large pools of loyalty currency are prized targets, and attackers relentlessly search for them in poorly secured points systems, preying on software weaknesses and exposed infrastructure that is vulnerable to malware and bots.
Not all attacks aim at breaching data stores for personal details. Sometimes breaking into a loyalty account for its login details, reward card number and points balance is enough to sell on the dark web.
Buyers spend the points in quick succession. When the legitimate customer eventually tries to redeem points in store for a discount, they’re told they don’t have enough and discover their balance has been wiped.
Fake redemptions fall under both internal and friendly fraud: employees and customers alike find ways to redeem points they aren’t entitled to. Employees with back-end access to the loyalty programme can siphon points from customer accounts.
Similarly, customers might try to redeem rewards from expired promotions or with illegitimate points.
Who Suffers From Loyalty Fraud?
Ultimately, both consumers and brands are victims of loyalty fraud. Members who play by the rules may see reduced rewards as businesses put temporary service shutdowns in place as a contingency.
However, no matter who commits the fraud, hacker, employee or customer, it’s the brand that always suffers. Data breaches cause trust to waver, and trust is fundamental to loyalty. Customers won’t think twice about abandoning a compromised programme.
Brands may also be liable to reimburse customers who lose money and points, and must recover inventory losses, which is particularly damaging when a few thousand accounts are hit. Then there are the fines, and the fact that major breaches make the news. Bad publicity, contrary to what some people say, is not good publicity.
Example Cases of Loyalty Fraud
Marriott International Data Breach
In 2020, attackers gained access to guest information held in an application that hotels operating under Marriott International’s brands use to help provide services to guests.
At the end of February 2020, Marriott detected that the login credentials of two employees at a franchised property had been used to access an unusual amount of guest information. The estimated number of guests affected was around 5.2 million.
As well as contact details, loyalty account information (including account numbers and points balances) was accessed. Marriott notified the authorities, heightened monitoring and told affected customers about the breach. Loyalty account passwords and PINs were not believed to be compromised, and Marriott Bonvoy, the hotel group’s loyalty programme, was not thought to have been broken into. The case shows that attackers don’t need to breach the loyalty platform itself: two valid employee logins were enough to read members’ data.
The £18.4 million fine Marriott received from the UK Information Commissioner’s Office in October 2020 related to an earlier incident, the Starwood reservation database breach disclosed in 2018, rather than to this misuse of employee credentials.
North Face ATO & Points Hack
In August 2022, attackers broke into roughly 200,000 customer accounts on The North Face website by credential stuffing, that is, trying username and password pairs leaked from other sites’ breaches. The North Face detected unusual activity in early August and had contained the attack by 19 August, but a review of the incident found it had actually started at the end of July.
The attackers could see personal details about customers, including full names, billing and shipping addresses, purchase history and information about their XPLR Pass rewards.
The North Face doesn’t store full payment card details on user accounts, only payment tokens, so the attackers couldn’t take money directly from customers’ bank accounts. Because the tokens could have been used to place orders, The North Face had no choice but to erase them from the compromised accounts, and users had to reset their passwords and re-enter the card details linked to their accounts. Credential stuffing only works against accounts whose password is reused from another site, which is why the MFA and login controls discussed below matter.
6 Loyalty Fraud Detection and Prevention Strategies
Fraud is always a risk, but with the right tools and strategies in place it need not be a worry. We’ve listed six ways you can detect and prevent fraud, whether it comes from hackers, customers or employees.
1) Invest in a breach detection system
Breach detection technology, delivered as hardware or software, should be considered a minimum for robust cybersecurity, particularly for enterprise brands storing sensitive information and stored value in user accounts or loyalty programmes.
A breach detection system (BDS) alerts your IT team to suspicious or unusual activity across the whole network.
What sets a BDS apart from typical signature-based tools is that it watches, in close to real time, for the behaviour of an intruder who is already inside: infected devices, malware activity and movement between systems. That makes it much harder for attackers to hide in your systems and encourages them to move on to softer targets.
In addition, your team should watch for suspicious user behaviour and unexplained changes to your own code, as well as the following:
Changes to the website’s design, content or layout that your team didn’t make
Performance problems: customers struggling to reach the site or log into their accounts
Volatile traffic: is it soaring or dropping at extreme rates?
Administrators struggling to log into the loyalty programme back-end to manage functions
A BDS makes your infrastructure much harder to crack; without one your systems remain exposed, however capable your technical team. Most data breaches involve human error somewhere along the line, so using the points above as a guide means the people who work in your back-end know what to look for too, making your infrastructure doubly hard to break into.
2) Provide multiple security factors
The best protection against ATOs is to secure the login stage. Requiring additional authentication factors may seem inconvenient to customers at first.
Of course, you want the loyalty programme to be seamless and accessible, but that shouldn’t come at the expense of security. Make it clear to members that these measures exist to protect their rewards. Setting up additional factors is also easier than ever.
Below are some examples of how you can make the login stage more secure:
Multi-factor authentication (MFA). The most common form sends a one-time password (OTP) by email or SMS that the customer enters alongside their password. Bear in mind that SMS and email codes are the weakest form of MFA, since SIM swaps and compromised mailboxes defeat them; an authenticator app or passkey is stronger where your audience will accept it
Biometric verification (face, fingerprint or voice), as many banking apps now use; in practice this unlocks a credential stored on the customer’s device, so it relies on the account being bound to a trusted device
Risk rules, such as requiring step-up verification when the country of the login IP address doesn’t match the country of the payment card on file. Treat a mismatch as a signal rather than an automatic bar, because travellers and VPN users will trip it
CAPTCHAs raise the cost of automated credential stuffing and brute-force attempts, using distorted text, “I am not a robot” checkboxes or image selection (e.g. traffic lights or buses). They complement, rather than replace, rate limiting and account lockout, since CAPTCHA-solving services are cheap
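Of the options above, an email or SMS one-time password is the one most programmes implement first, and its security depends entirely on the server-side handling: the code must expire, must work exactly once, must be bound to the member it was issued to, and a guess budget must stop someone cycling through the million possible six-digit values. The Python below is an added example of that server side, not code from the original post or from Propello; the member id, the five-minute lifetime and the five-attempt limit are assumptions, and delivery of the code by email or SMS is outside the snippet.

```python
"""Constructed example: server side of an email/SMS one-time password step."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300     # five-minute lifetime (assumption)
MAX_ATTEMPTS = 5          # 5 guesses at a 6-digit code: 5 in a million per challenge


@dataclass
class Challenge:
    digest: bytes        # HMAC of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time) -> None:
        self._key = server_key
        self._clock = clock
        self._pending: Dict[str, Challenge] = {}

    def _digest(self, user: str, code: str) -> bytes:
        # Bind the code to the user so a code issued to one member can't be replayed for another
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code for `user`, replacing any outstanding one; return it for delivery."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = Challenge(self._digest(user, code), self._clock() + OTP_TTL_SECONDS)
        return code  # hand to the email/SMS sender; never log it

    def verify(self, user: str, code: str) -> str:
        """Return 'ok' or the reason for refusal."""
        ch = self._pending.get(user)
        if ch is None:
            return "no_challenge"
        if ch.used:
            return "replayed"
        if self._clock() > ch.expires_at:
            del self._pending[user]
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return "locked"  # the old code is dead; a new challenge must be issued
        ch.attempts += 1
        # Constant-time comparison so response timing doesn't leak how close a guess was
        if not hmac.compare_digest(ch.digest, self._digest(user, code)):
            return "wrong"
        ch.used = True       # single use: the same code cannot log in twice
        return "ok"


def wrong_code_for(code: str) -> str:
    """A guaranteed-incorrect guess, for the demonstration only."""
    return f"{(int(code) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


def demo() -> Dict[str, str]:
    """Walk a constructed member through the failure modes the service must handle."""
    now = [1_700_000_000.0]                      # controllable clock for the expiry case
    svc = OtpService(secrets.token_bytes(32), clock=lambda: now[0])
    user = "member-42"                           # constructed member id
    out: Dict[str, str] = {}

    code = svc.issue(user)
    out["wrong_code"] = svc.verify(user, wrong_code_for(code))
    out["right_code"] = svc.verify(user, code)
    out["replay"] = svc.verify(user, code)       # same code again, as a phisher relaying it would

    code = svc.issue(user)
    for _ in range(MAX_ATTEMPTS):
        svc.verify(user, wrong_code_for(code))   # brute-force attempts burn the budget
    out["right_code_after_lockout"] = svc.verify(user, code)

    code = svc.issue(user)
    now[0] += OTP_TTL_SECONDS + 1
    out["right_code_after_expiry"] = svc.verify(user, code)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26s} -> {result}")
```

The demo walks one constructed member through a wrong guess, a correct code, a replay of that same code (what a phisher who captures a code in real time will try), a lockout after five wrong guesses, and a correct code presented after expiry. Note what is not stored: only an HMAC of each code is kept, so a read of the pending-challenge table does not yield usable codes.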
3) Educate customers about social engineering
Social engineering involves attackers masquerading as legitimate points of contact and manipulating customers into divulging sensitive information about themselves or their accounts. People are more alert to phishing when it comes to banks, thanks to visible changes in how banks communicate.
Banks constantly remind customers what they will never ask for, and only send content within the preferences customers have set in secure apps.
Loyalty programmes usually lack this type of communication because they want to market incentives and rewards in a positive light. It might make customers think twice about joining a scheme if communications constantly stoke fear about hackers and scammers. Contrary to that belief, a company that visibly takes security seriously reassures customers. It’s all in the messaging.
How well social engineering is detected depends on the quality of the education customers receive from brands. At a minimum we recommend that businesses:
Tell new loyalty members that your team will never ask for sensitive information, e.g. log-in details, usernames and passwords, one-time codes, reward points balances or purchase history
Encourage customers to practise due diligence; if something feels off, contact the customer service line to confirm validity of communications
Set up a phishing report channel for customers to notify you; this can be passed on to third parties or your own cybersecurity team for insights about threats
Educating customers about your usual operating and communication procedures helps prevent social engineering because it makes them better at detecting it. Also encourage customers to contact your team whenever something feels suspicious; even if it turns out to be genuine, they shouldn’t feel they’ve wasted the business’s time or overreacted.
4) Customise workflows to set up detector triggers
Workflows with rules and set requirements help curtail friendly fraud. Opportunists always find loopholes in loyalty programmes; workflows plug the gaps, keeping your promotions and incentives fair, rewarding and within budget.
Some examples of workflows could look like:
Alerting you to changes of birth date; some customers do this to claim repeat birthday rewards, so set one birthday gift per customer per year
Setting notification triggers at each customer touchpoint to flag suspicious activity, such as unusual point earnings or a large number of points from small purchases
Setting minimum price rules to first purchases in order to redeem a welcome coupon
Small steps like these stop customers abusing small loopholes. Workflows don’t just prevent loyalty fraud; they are also a sure way of detecting unusual and suspicious account activity. A notice email is usually enough to deter an opportunist from further abuse, and if the account holder wasn’t responsible they will say so, which could uncover an external threat such as an account takeover.
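The triggers listed above, and the account takeover sequence described earlier (a contact detail changed, then a password reset, then a redemption), are all rules over the same stream of account events, so one detector can cover both. The Python below is an added example, not code from the original post or from any loyalty platform; the event schema, the thresholds (72-hour takeover window, 10 points per currency unit, a 20.00 minimum first purchase) and the sample events are all constructed for the illustration and should be replaced with the programme’s real earn rates and offer terms.

```python
"""Constructed example: rule triggers over a loyalty account event stream."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str            # profile_change | password_reset | earn | redeem | birthday_reward | welcome_coupon
    field: str = ""      # for profile_change: which profile field changed
    points: int = 0
    spend: float = 0.0   # purchase value in the programme's currency


def dt(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Thresholds are assumptions; tune them to the programme's real earn rate and offers.
CONTACT_FIELDS = {"email", "phone", "authorised_user"}
ATO_WINDOW = timedelta(hours=72)        # contact change -> password reset -> redemption
BIRTHDAY_REWARD_INTERVAL = timedelta(days=365)
MAX_POINTS_PER_UNIT = 10                # programme earns at most 10 points per currency unit
WELCOME_MIN_SPEND = 20.0                # welcome coupon needs a first purchase of at least 20.00

# Constructed sample events for four members
EVENTS: List[Event] = [
    # m-001: the account takeover pattern
    Event(dt("2023-03-01 09:00"), "m-001", "profile_change", field="email"),
    Event(dt("2023-03-01 09:07"), "m-001", "password_reset"),
    Event(dt("2023-03-02 14:30"), "m-001", "redeem", points=12000),
    # m-002: birth date changed, then a second birthday reward inside a year
    Event(dt("2023-02-10 10:00"), "m-002", "birthday_reward", points=500),
    Event(dt("2023-05-20 10:00"), "m-002", "profile_change", field="birth_date"),
    Event(dt("2023-05-21 10:00"), "m-002", "birthday_reward", points=500),
    # m-003: 5000 points from a 4.99 purchase, and a welcome coupon on a 3.00 first order
    Event(dt("2023-04-01 12:00"), "m-003", "earn", points=5000, spend=4.99),
    Event(dt("2023-04-01 12:05"), "m-003", "welcome_coupon", spend=3.00),
    # m-004: ordinary member; a password reset on its own is not a takeover signal
    Event(dt("2023-04-03 12:00"), "m-004", "earn", points=40, spend=40.00),
    Event(dt("2023-04-03 12:10"), "m-004", "password_reset"),
    Event(dt("2023-04-05 12:10"), "m-004", "redeem", points=40),
]


def detect(events: List[Event]) -> List[str]:
    """Return one alert per triggered rule; the first token of each alert is the rule code."""
    by_account: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(e.account, []).append(e)

    alerts: List[str] = []
    for acct, evs in by_account.items():
        for i, e in enumerate(evs):
            earlier = evs[:i]
            if e.kind == "redeem":
                # Sequence rule: a contact-detail change inside the window, followed by a reset
                changes = [c for c in earlier
                           if c.kind == "profile_change" and c.field in CONTACT_FIELDS
                           and e.ts - c.ts <= ATO_WINDOW]
                resets = [r for r in earlier
                          if r.kind == "password_reset" and any(r.ts >= c.ts for c in changes)]
                if changes and resets:
                    alerts.append(f"ATO_PATTERN {acct}: {changes[0].field} changed, password reset, "
                                  f"then {e.points} points redeemed within {ATO_WINDOW}")
            elif e.kind == "profile_change" and e.field == "birth_date":
                alerts.append(f"BIRTH_DATE_CHANGED {acct}: review before the next birthday reward")
            elif e.kind == "birthday_reward":
                if any(p.kind == "birthday_reward" and e.ts - p.ts < BIRTHDAY_REWARD_INTERVAL
                       for p in earlier):
                    alerts.append(f"DUPLICATE_BIRTHDAY_REWARD {acct}: second reward within a year")
            elif e.kind == "earn":
                # Ratio rule: points out of proportion to the purchase that earned them
                if e.spend <= 0 or e.points > e.spend * MAX_POINTS_PER_UNIT:
                    alerts.append(f"EARN_RATIO {acct}: {e.points} points on spend {e.spend:.2f}")
            elif e.kind == "welcome_coupon":
                if e.spend < WELCOME_MIN_SPEND:
                    alerts.append(f"WELCOME_COUPON_BELOW_MINIMUM {acct}: first order {e.spend:.2f}")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Running it produces five alerts across three constructed accounts and none for the ordinary member, whose password reset without a preceding contact-detail change is deliberately not treated as a takeover signal: the sequence matters, not any single event. In production the same rules would run on events as they arrive, and the ATO alert would put a hold on redemptions rather than just send an email.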
5) Reduce back-end access to the minimum number of people
Limiting back-end access to a small number of authorised programme managers is best practice for reducing internal fraud. Good loyalty software lets a handful of users run and manage a full rewards scheme regardless of audience size, so the argument that lots of managers need back-end access doesn’t hold.
This keeps the operating circle small. Programme abuse is less likely when employees know they are one of only a few with access, and if someone does try to move customer points into their own account the activity is easy to trace, provided every manual adjustment is logged against the named user who made it.
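Keeping the circle small is half of it; the other half is what the few people in it are allowed to do, and what gets written down when they do it. The Python below is an added example, not code from the original post or from Propello’s platform, of three controls on manual point adjustments: only a named role can move points, nobody can adjust an account linked to themselves, and adjustments above a threshold need a second person who is not the requester. Every attempt, allowed or refused, lands in an audit trail keyed by the named employee. The staff records, the 1,000-point threshold and the member ids are assumptions.

```python
"""Constructed example: least-privilege and four-eyes controls on manual point adjustments."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

APPROVAL_THRESHOLD = 1000   # adjustments at or above this need a second person (assumption)


@dataclass(frozen=True)
class Staff:
    user_id: str
    roles: FrozenSet[str]
    linked_members: FrozenSet[str]   # loyalty accounts the employee has declared as their own or family


# Constructed staff directory
STAFF: Dict[str, Staff] = {
    "alice": Staff("alice", frozenset({"points_adjuster"}), frozenset({"m-alice"})),
    "bob":   Staff("bob",   frozenset({"support_readonly"}), frozenset()),
    "carol": Staff("carol", frozenset({"points_approver"}), frozenset({"m-carol"})),
}


class PointsLedger:
    def __init__(self, staff: Dict[str, Staff]) -> None:
        self._staff = staff
        self.balances: Dict[str, int] = {}
        self.audit: List[dict] = []      # every attempt, allowed or not, is recorded

    def adjust(self, actor_id: str, member_id: str, points: int, reason: str,
               approver_id: Optional[str] = None) -> str:
        decision = self._check(actor_id, member_id, points, reason, approver_id)
        if decision == "ok":
            self.balances[member_id] = self.balances.get(member_id, 0) + points
        self.audit.append({"actor": actor_id, "member": member_id, "points": points,
                           "reason": reason, "approver": approver_id, "decision": decision})
        return decision

    def _check(self, actor_id: str, member_id: str, points: int, reason: str,
               approver_id: Optional[str]) -> str:
        actor = self._staff.get(actor_id)
        if actor is None or "points_adjuster" not in actor.roles:
            return "denied:no_adjust_role"            # least privilege: most staff can't move points
        if member_id in actor.linked_members:
            return "denied:self_dealing"              # cannot credit own or family accounts
        if not reason.strip():
            return "denied:missing_reason"            # every adjustment must cite a ticket or cause
        if abs(points) >= APPROVAL_THRESHOLD:
            approver = self._staff.get(approver_id or "")
            if approver is None or approver_id == actor_id:
                return "denied:needs_second_approver"  # four-eyes rule; you can't approve yourself
            if "points_approver" not in approver.roles:
                return "denied:approver_lacks_role"
            if member_id in approver.linked_members:
                return "denied:approver_self_dealing"
        return "ok"

    def totals_by_actor(self) -> Dict[str, int]:
        """Points actually moved per employee: the first view an investigator wants."""
        out: Dict[str, int] = {}
        for rec in self.audit:
            if rec["decision"] == "ok":
                out[rec["actor"]] = out.get(rec["actor"], 0) + rec["points"]
        return out


def demo() -> Dict[str, str]:
    ledger = PointsLedger(STAFF)
    results = {
        "small_goodwill_credit": ledger.adjust("alice", "m-500", 200, "ticket 1042: missed earn"),
        "credit_own_account":    ledger.adjust("alice", "m-alice", 200, "ticket 1043"),
        "no_role":               ledger.adjust("bob", "m-500", 200, "ticket 1044"),
        "large_no_approver":     ledger.adjust("alice", "m-501", 5000, "ticket 1045: goodwill"),
        "large_self_approved":   ledger.adjust("alice", "m-501", 5000, "ticket 1045: goodwill",
                                               approver_id="alice"),
        "large_approved":        ledger.adjust("alice", "m-501", 5000, "ticket 1045: goodwill",
                                               approver_id="carol"),
        "no_reason":             ledger.adjust("alice", "m-502", 50, "   "),
    }
    results["alice_total_moved"] = str(ledger.totals_by_actor().get("alice", 0))
    results["audit_records"] = str(len(ledger.audit))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

The demo shows a support goodwill credit going through, an employee’s own account being refused, a colleague without the role being refused, a large credit refused until a distinct approver with the right role signs it, and an adjustment with no reason refused. Because refusals are logged as well, the audit trail shows not only what moved but who tried; in a real system the audit records should be written to a store the adjusters themselves cannot edit.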
6) Deploy Secure Customer Loyalty Software
A secure platform is the best way to help prevent and detect loyalty fraud. The Propello Platform works with the leading fraud prevention service SEON.
SEON CCO Jimmy Fong commented on the increase in fraud attacks within the customer loyalty and reward space:
“Unfortunately, referral and bonus fraud are massively on the rise. We are proud to learn that our technology is in the right hands with Propello, who also shares our vision to help businesses go-to-market quicker with the right solutions.”
Propello CEO, Mark Camp, added:
“The most significant advantage (of SEON) is the cost, which gives us a great ROI. That’s saving us on resources we can allocate to fulfilling our mission, which is to help our clients to grow faster by attracting and retaining more customers.”
Propello makes keeping your programme secure simple and stress free. In addition to SEON’s fraud prevention, we adhere to the ISO 27001 information security management standard, including regular penetration tests, and we operate on an IL4 hosting environment, the same classification used by the Ministry of Defence.
The outsourced platform option also means you don’t need a wide pool of personnel to manage your loyalty programme, which makes employee fraud all the more difficult.
Is Loyalty Fraud a Concern for You?
That’s not a bad thing. As always, we’re on hand to help out and offer insights. Give us a call or drop us a line for a quick, friendly chat.
See you in the next one!