Loyalty programme fraud is on the rise. Hackers use a variety of tactics to access customers’ sensitive information and steal their points and rewards. Perhaps more alarming, customers and in some cases even employees exploit loopholes in reward systems. Falling victim to this destroys customer trust in your brand and harms your bottom line.
In this blog post, we’ll cover everything to make your loyalty programme robust and secure for you and your customers.
What is Loyalty Programme Fraud?
Loyalty programmes increase the lifetime value of a customer through increased retention. However, despite the reciprocal benefits for both customer and brand, loyalty programmes can be subject to misuse and fraud.
Loyalty programme fraud is the intentional exploitation of a reward scheme. Usually it involves an external threat: hackers trying to gain access to customers' loyalty points or personal data.
Some dangers also come from customers who exploit loopholes in reward programmes, for example generating points from poor-quality referral leads. Internal threats exist too: employees claiming unredeemed points for themselves, their friends or family.
In fact, loyalty programme fraud is estimated to cost operators over $1 billion every year.
Data breaches leak customer names, dates of birth, addresses, email addresses and credit card details. This Personally Identifiable Information (PII) is often sold on to malicious third parties.
Why is Loyalty Fraud on the Rise?
In 2022 the average cost of a data breach reached an eye-watering $4.35 million.
Not only is fraud costing more, it’s becoming more commonplace across the board and more so in the customer loyalty world.
Low awareness exacerbates the problem. Businesses focus on improving other areas and often overlook the security of their loyalty programmes. Now considered an easy target, loyalty schemes accounted for 27% of all fraud experienced online in 2021.
There’s no denying that this number will increase for businesses who continue to overlook the security of their loyalty rewards programme.
Types of Loyalty Programme Fraud & How They Happen
Fraudulent activity takes place in many different ways. The three main groups include hackers, customers and employees, each with their typical go-to tactics that you should look out for.
External Fraud
Hackers or cybercriminals are known as external threats. They use nefarious tactics to get at customer data, loyalty accounts and even the loyalty reward systems themselves. Methods include:
- Data breaches
- Phishing and social engineering (manipulating victims into divulging sensitive information)
- Creating fake loyalty programmes
- Hacking loyalty reward platforms and systems
Friendly Fraud
Friendly fraud comes from existing customers. Some bad actors in your customer base will purposefully violate the terms and conditions, gaming the reward system to their advantage.
This type of customer behaviour costs businesses more money than ever, with some estimates claiming up to 86% of chargebacks are intentionally fraudulent.
Here are other ways some customers and loyalty members commit fraud:
- Excessive engagement with social media e.g., over-sharing the same Tweets or posts from businesses in return for benefits
- Referring poor quality leads for rewards
- Selling points or prizes to others
- Double-dipping points (trying to redeem the same points simultaneously over the phone and online, so that each channel checks the balance before the other has deducted it)
- Making expensive purchases to accrue points and then cancelling the product or service
- Giving friends and family members access to their account to accrue points on their purchases
Sometimes genuine customers don’t recognise a transaction on their bank statement and are refunded for purchases they actually made. A fine balancing act is essential: you need to maintain positive customer relationships while avoiding giving opportunists a chance to exploit lenient reimbursement policies.
Internal Fraud
Company insiders commit over half of fraud. However, remember that only a minority of people participate in internal fraudulent activity. Here are just a few examples of how internal fraud might take place:
- Employees with authority to distribute points may credit their own accounts or the accounts of family and friends
- They may add points to an account to “resolve a problem” for a customer who doesn’t exist
- They may redeem the points of customers who forget about, or are simply not interested in, claiming rewards after purchases
Data Breaches
Data breaches pose a major risk for loyalty programmes. Reward schemes have historically been less well secured than banking apps and other software that handles sensitive account information. Third-party platforms have significantly improved the robustness of their infrastructure, yet some in-house built loyalty systems are still soft targets.
Cybercriminals compromise the data stores behind these programmes and pull out sensitive details about their victims. Having bypassed the company's network security, they reach the customer account records and extract payment details and transaction history.
Account Takeovers
Again, this threat tends to come from external actors such as hackers. Account takeover (ATO) fraud locks customers out of their own loyalty accounts.
Fraudsters typically begin with phishing. Once they have a foothold they make small, non-monetary changes to the victim’s PII, such as a contact email address or phone number, which lets them add themselves as an authorised user and gain the ability to change the password.
Once they have assumed full control of the account, the criminals redeem points and process payments. All fraud is destructive, but loyalty account takeovers have profoundly devastating effects. In 2021 alone, over 24M US households were victims of this type of loyalty fraud.
Spoofing
Fake loyalty programmes are another form of phishing scam. Customers receive an email supposedly from a brand they know and trust promoting a reward scheme. When they click through they reach a fake landing page, fully branded and masquerading as the legitimate brand.
Spoofing is one of the oldest tools in a hacker's repertoire, but it has had plenty of time to evolve more convincing ways of lulling visitors into a false sense of security, and it is more effective than ever.
A 2021 threat report showed email-based phishing attacks increased by 7.3%.
Loyalty Points Hacking
Accrued points and large balances of loyalty currency are prized targets for hackers, who relentlessly search for them in poorly secured points systems. They prey on software weaknesses and exploitable infrastructure that is vulnerable to malware and automated bots.
Not all attacks aim to breach data stores for personal details. Login credentials, a reward card number and a points balance are enough to sell on the dark web. Illicit buyers spend the points in quick succession for large discounts on purchases, leaving the legitimate customer with nothing to redeem.
Redemption Fraud
Fake redemptions fall under both internal and friendly fraud. Employees and customers alike find ways of abusing reward systems to redeem points they are not entitled to. Employees with back-end access to the loyalty programme may be able to siphon points out of customer accounts.
Similarly, customers might try to redeem rewards from expired promotions or with illegitimately earned points.
Who Suffers From Loyalty Fraud?
Ultimately, both consumers and brands are victims of loyalty fraud. Genuine members might experience a reduced quality of rewards, especially when a business must temporarily shut the service down as a contingency. This has an overall negative effect on the customer experience.
The brand always suffers: data breaches shake customer trust, and without trust there is no loyalty. Customers won’t think twice about abandoning a compromised loyalty programme.
Brands may also be liable to reimburse compromised customers. Recovering the losses for even a few thousand customer accounts would be particularly damaging. The brand may also face fines and bad press.
Example Cases of Loyalty Fraud
Marriott International Data Breach
In 2020, hackers breached a Marriott International property system. All hotels operating under the franchise use an application to help provide services and customer service to guests.
At the end of February, Marriott International detected that the login credentials of two employees at a franchise property had been used to access an unusual amount of guest information. The estimated number of affected guests came to around 5.2 million.
In addition to contact details, loyalty account information (including points balances and account numbers) was accessed. In response, Marriott notified the authorities, heightened monitoring and told customers about the breach. Fortunately, loyalty account passwords were not compromised, and Marriott Bonvoy, the hotel company’s loyalty programme, was not believed to have been broken into.
Marriott was fined £18.4M by the UK Information Commissioner’s Office later in 2020; that penalty related to the earlier, much larger Starwood guest database breach disclosed in 2018 rather than to this incident.
North Face ATO & Points Hack
Hackers broke into roughly 200,000 customer accounts in 2022 by credential stuffing, replaying username and password pairs leaked from other sites. The North Face detected unusual activity in early August and had contained and eliminated the threat by 19th August. Yet a review of the incident found the attack actually started at the end of July.
The cybercriminals accessed personal details about customers, including full names, billing and shipping addresses, purchase history and information about their XPLR Pass rewards.
Fortunately, The North Face does not store full payment card details on user accounts, so the hackers were unable to take money directly from customers’ bank accounts. The North Face nonetheless had no choice but to wipe the stored payment card tokens on compromised accounts, as the hackers had access to them. Users also had to reset their passwords and re-enter the payment card details linked to their accounts.
6 Loyalty Fraud Detection and Prevention Strategies
Fraud is always a danger, but with the right tools and strategies in place it need not be a worry. We’ve listed six ways you can detect and prevent fraud, whether it comes from hackers, customers or employees.
1) Invest in a breach detection system
Organisations should use breach detection technology as a baseline security measure, particularly enterprise-level brands that store sensitive information and stored value in user accounts or loyalty programmes.
A breach detection system (BDS) alerts IT teams to suspicious or unusual activity across your network. We’ve linked a list of the top ten currently available, some of which are free.
Unlike preventive controls, a BDS assumes an attacker may already be inside and looks for the malicious activity of compromised devices and accounts. Real-time analysis makes it harder for hackers to hide in your systems and pushes them to seek softer targets.
Your team should also look out for suspicious user behaviour and unplanned changes to the internal code, as well as the following:
- Changes to the website’s design, content and layout not recognised by your team
- Performance issues on the website, with customers struggling to access it or log into their online accounts
- Volatile traffic volume: is it soaring or suddenly dropping at extreme rates?
- Administrators struggling to log in to the back-end of the loyalty programme to manage functions
A BDS makes your infrastructure much more difficult to crack. Without one, your system remains exposed even with a cohort of security specialists.
2) Provide multiple security factors
To protect loyal customers against ATOs, the best possible action is to secure the login stage. Implementing multiple security factors for login may seem inconvenient to customers at first.
Of course, you want the loyalty programme to be a seamless, accessible solution, but not at the expense of cyber security. Make it clear that these measures are in place to prevent loyalty fraud. What’s more, setting up multiple security factors is easier than ever.
Below are some examples of how you can make the login stage more secure:
- Implement multi-factor authentication (MFA) for customer logins. This issues one-time passwords (OTPs) via email, SMS or an authenticator app that the customer enters alongside their password. App-based or hardware factors are stronger than SMS, which is exposed to SIM-swap attacks.
- Biometric verification uses the customer’s face, fingerprint or voice to log in to their account. Many banking apps now use this technology.
- Risk rules, such as requiring a second factor (or holding redemptions) when the country of the payment card on file doesn’t match the country of the IP address attempting to log in. Treat a mismatch as a signal rather than an automatic ban, or you will lock out customers who travel.
Other options such as CAPTCHAs and login rate limiting slow down bots trying to break into accounts by brute force or by replaying leaked passwords (credential stuffing). CAPTCHAs use various methods to do this, including distorted text, “I am not a robot” checkboxes and image identification.
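The login-stage rules above can be expressed as a small risk scorer that runs over a batch of login events. The block below is an added example written for this post and is not Propello's code or SEON's; the event fields, the IP addresses, the threshold of ten distinct usernames per IP and the decision names (block, step_up, allow) are all assumptions chosen for illustration. It distinguishes a credential-stuffing burst (one IP cycling through many usernames), which is blocked outright, from a card-country or device mismatch, which only triggers a second-factor challenge so that a travelling customer is not locked out.

```python
"""
Added example (not Propello's or SEON's code): a login risk scorer that turns
the rules in this section into decisions over constructed login events.

  * credential stuffing: one source IP trying many different usernames -> block
  * login country differs from the billing country of the card on file -> step_up
  * login from a device the account has never used -> step_up
Field names, IPs and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    username: str
    ip: str
    ip_country: str
    card_country: str   # billing country of the card on file, "" if none
    device_id: str
    success: bool


# Constructed sample data: a stuffing burst from 203.0.113.7 across 25
# usernames, one customer logging in from abroad on a new device, and one
# customer on a device she has used before.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}}
EVENTS = [
    LoginEvent("user%03d" % i, "203.0.113.7", "GB", "", "dev-x", False)
    for i in range(25)
] + [
    LoginEvent("alice", "198.51.100.4", "US", "GB", "dev-a9", True),
    LoginEvent("bob", "192.0.2.10", "GB", "GB", "dev-b1", True),
]

STUFFING_USERNAMES_PER_IP = 10  # assumed threshold


def stuffing_ips(events, threshold=STUFFING_USERNAMES_PER_IP):
    """Return the set of IPs that attempted at least `threshold` distinct usernames."""
    seen = defaultdict(set)
    for e in events:
        seen[e.ip].add(e.username)
    return {ip for ip, users in seen.items() if len(users) >= threshold}


def decide(event, known_devices, bad_ips):
    """Return (decision, reasons) where decision is 'block', 'step_up' or 'allow'."""
    if event.ip in bad_ips:
        return "block", ["source IP attempted many usernames (credential stuffing)"]
    reasons = []
    if event.card_country and event.card_country != event.ip_country:
        reasons.append("login country %s != card country %s"
                       % (event.ip_country, event.card_country))
    if event.device_id not in known_devices.get(event.username, set()):
        reasons.append("unrecognised device")
    # A geo or device mismatch on its own is a signal, not proof of fraud:
    # demand a second factor instead of locking the customer out.
    return ("step_up" if reasons else "allow"), reasons


def evaluate(events, known_devices):
    """Map each username in the batch to its decision."""
    bad = stuffing_ips(events)
    return {e.username: decide(e, known_devices, bad)[0] for e in events}


if __name__ == "__main__":
    for user, decision in evaluate(EVENTS, KNOWN_DEVICES).items():
        print(user, decision)
```

In production the stuffing counter would run over a sliding time window rather than a batch, and the "known device" set would be populated from a cookie or device fingerprint issued after a successful step-up; the shape of the decision (block the bot, challenge the anomaly, let the ordinary login through) stays the same.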
3) Educate customers about social engineering
Social engineering involves hackers masquerading as legitimate points of contact and manipulating customers into divulging sensitive information about themselves or their accounts. Banks now routinely educate their customers about phishing attacks.
Banks constantly remind customers that they will never ask for certain information, and they only send content within the preference parameters set in their secure apps. Some businesses that reward customer loyalty skip this educational process because they want to market the loyalty programme in a positive light.
Contrary to that belief, a company taking security seriously actually reassures customers. How customers take in those warnings depends on the messaging. At a minimum, we recommend businesses:
- Let new loyalty subscribers know that you will never ask for their sensitive information, for example their login details, usernames, passwords, purchase history or reward points balance.
- Encourage customers to practise due diligence. If something feels off, they should contact the customer service line to confirm that a communication is genuine.
- Set up a dedicated phishing report channel for customers to notify you.
Educating customers on your usual operating and communication procedures insulates them against social engineering.
4) Customise workflows to set up detector triggers
Setting up workflows with rules and set requirements helps curtail friendly fraud. Workflows plug the gaps and identify opportunists.
Some examples of workflows could look like:
- Alerting you to changes to dates of birth. Some customers change theirs to redeem birthday rewards repeatedly. You can also enforce one birthday gift per customer per year.
- Setting up notification triggers at each customer touchpoint. This helps you identify fraudulent activity over the short and long term of any customer journey, for example unusual point earnings or large amounts of points for small purchases.
These small steps stop customers from abusing small loopholes. Issuing a notice email to opportunists tends to be enough to deter them from future fraudulent activity, and it also makes genuine customers aware of unusual activity on their account.
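The triggers above, together with the double-dipping case from the friendly-fraud list earlier in the post, can be implemented as a rule engine that processes loyalty events in order. The block below is an added example written for this post, not Propello's code; the event schema, the programme rate of one point per unit spent, the 150% earn tolerance, the 14-day birthday window and the member names are assumptions. It raises an alert when a date of birth is moved to within a fortnight, refuses a second birthday gift in the same year, flags earns out of proportion to spend, and rejects a replayed redemption or one that exceeds the remaining balance.

```python
"""
Added example (not Propello's code): a rule-based monitor run over a
constructed stream of loyalty events, implementing the detector triggers
from this section plus the double-dipping rule:
  * a date-of-birth change that moves the birthday into the next 14 days
  * at most one birthday gift per member per calendar year
  * points earned far above the programme rate for the purchase amount
  * a redemption replayed under the same id, or exceeding the balance
Event shape, programme rate, thresholds and member names are assumptions.
"""
from datetime import date

POINTS_PER_UNIT = 1.0    # assumed programme rule: 1 point per unit of currency
EARN_TOLERANCE = 1.5     # flag earns above 150% of the expected points
DOB_WINDOW_DAYS = 14     # a DOB moved to within this many days is suspicious


class LoyaltyMonitor:
    def __init__(self, today):
        self.today = today
        self.balances = {}             # member -> points
        self.birthday_gift_years = {}  # member -> set of years already gifted
        self.seen_redemptions = set()  # (member, redemption_id) already honoured
        self.alerts = []

    def _alert(self, member, rule, detail):
        self.alerts.append({"member": member, "rule": rule, "detail": detail})

    def handle(self, ev):
        """Apply one event; return 'ok' or 'rejected'."""
        kind, m = ev["type"], ev["member"]
        if kind == "earn":
            expected = ev["amount"] * POINTS_PER_UNIT
            if ev["points"] > expected * EARN_TOLERANCE:
                self._alert(m, "points_anomaly",
                            "%d points for spend %.2f" % (ev["points"], ev["amount"]))
            self.balances[m] = self.balances.get(m, 0) + ev["points"]
            return "ok"
        if kind == "dob_change":
            upcoming = ev["new_dob"].replace(year=self.today.year)
            if upcoming < self.today:
                upcoming = upcoming.replace(year=self.today.year + 1)
            if (upcoming - self.today).days <= DOB_WINDOW_DAYS:
                self._alert(m, "dob_moved_near_birthday", "new DOB %s" % ev["new_dob"])
            return "ok"
        if kind == "birthday_gift":
            years = self.birthday_gift_years.setdefault(m, set())
            if self.today.year in years:
                self._alert(m, "duplicate_birthday_gift", str(self.today.year))
                return "rejected"
            years.add(self.today.year)
            return "ok"
        if kind == "redeem":
            key = (m, ev["redemption_id"])
            if key in self.seen_redemptions:   # same redemption arriving twice
                self._alert(m, "double_redemption", ev["redemption_id"])
                return "rejected"
            bal = self.balances.get(m, 0)
            if ev["points"] > bal:
                self._alert(m, "insufficient_balance", "%d > %d" % (ev["points"], bal))
                return "rejected"
            self.seen_redemptions.add(key)
            self.balances[m] = bal - ev["points"]
            return "ok"
        raise ValueError("unknown event type %r" % kind)


def run(events, today=date(2023, 6, 1)):
    """Process events in order; return (per-event results, alerts, balances)."""
    mon = LoyaltyMonitor(today)
    results = [mon.handle(e) for e in events]
    return results, mon.alerts, mon.balances


# Constructed sample stream.
EVENTS = [
    {"type": "earn", "member": "carol", "amount": 20.0, "points": 20},
    {"type": "earn", "member": "dave", "amount": 5.0, "points": 500},            # 100x expected
    {"type": "dob_change", "member": "carol", "new_dob": date(1990, 6, 10)},     # 9 days away
    {"type": "birthday_gift", "member": "carol"},
    {"type": "birthday_gift", "member": "carol"},                                # second gift this year
    {"type": "redeem", "member": "dave", "points": 300, "redemption_id": "r-1"},
    {"type": "redeem", "member": "dave", "points": 300, "redemption_id": "r-1"}, # replayed (phone + web)
    {"type": "redeem", "member": "dave", "points": 300, "redemption_id": "r-2"}, # exceeds remaining 200
]

if __name__ == "__main__":
    for line in run(EVENTS)[1]:
        print(line)
```

The redemption idempotency key catches a replay, but two channels racing on the same balance also need the deduction itself to be atomic (a single conditional update of the balance in the database), otherwise both can read the old balance before either writes.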
5) Reduce access to back-end to minimum amount of people
Limiting back-end access to a small number of authorised programme managers is the best protection against internal fraud. Good loyalty software allows just a few users to run and manage a rewards scheme of any size, so the argument for many employees managing the back-end does not hold.
Keeping the operating circle small reduces the chance of internal fraud: any employee who might consider committing fraud will understand that they are one of only a few with access, so the fraudulent activity will be easy to track and trace. Pair this with an audit log of every manual point adjustment and a requirement that large adjustments be approved by a second person.
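Restricting access is the first control; the second is making sure the few people who keep it cannot quietly misuse it. The block below is an added example written for this post, not Propello's code, and models the internal-fraud patterns listed earlier (crediting one's own or a relative's account, inventing a customer to "resolve a problem", large unexplained credits). The member identifiers, operator names, the 1,000-point approval threshold, the 5,000-point daily cap and the operator-to-member link table are assumptions. Every request, approved or refused, lands in an append-only audit log.

```python
"""
Added example (not Propello's code): controls around manual point credits
made by back-office staff.
  * an operator cannot credit a member account they own or have declared as
    family/friends
  * credits must reference an existing member record (no ghost customers)
  * credits above a threshold need approval from a different operator who is
    not linked to the member either
  * each operator has a daily credit cap
  * every attempt, refused or credited, is appended to an audit log
Identifiers, thresholds and the link table are assumptions.
"""
from collections import defaultdict
from datetime import date

APPROVAL_THRESHOLD = 1000       # points; above this a second operator must approve
DAILY_CAP_PER_OPERATOR = 5000   # points any one operator may credit per day


class AdjustmentLedger:
    def __init__(self, members, operator_links):
        self.members = dict(members)                               # member_id -> balance
        self.links = {op: set(ids) for op, ids in operator_links.items()}
        self.audit = []                                            # append-only
        self.credited_today = defaultdict(int)                     # (operator, day) -> points

    def _log(self, **entry):
        self.audit.append(entry)
        return entry["outcome"]

    def credit(self, operator, member_id, points, reason, approver=None, today=None):
        """Attempt a manual credit; return the outcome string that was logged."""
        today = today or date.today()
        base = dict(operator=operator, member=member_id, points=points,
                    reason=reason, approver=approver, day=str(today))
        if member_id not in self.members:
            return self._log(**base, outcome="refused:unknown_member")
        if member_id in self.links.get(operator, set()):
            return self._log(**base, outcome="refused:self_or_linked_account")
        if points > APPROVAL_THRESHOLD:
            if approver is None or approver == operator:
                return self._log(**base, outcome="refused:needs_independent_approval")
            if member_id in self.links.get(approver, set()):
                return self._log(**base, outcome="refused:approver_linked_to_member")
        day_key = (operator, str(today))
        if self.credited_today[day_key] + points > DAILY_CAP_PER_OPERATOR:
            return self._log(**base, outcome="refused:daily_cap")
        self.credited_today[day_key] += points
        self.members[member_id] += points
        return self._log(**base, outcome="credited")


def demo():
    """Constructed scenario: operator erin works through a day of adjustments."""
    ledger = AdjustmentLedger(
        members={"m-100": 50, "m-200": 0, "m-300": 10},
        operator_links={"erin": {"m-100"}, "frank": {"m-300"}},
    )
    d = date(2023, 6, 1)
    outcomes = [
        ledger.credit("erin", "m-100", 200, "goodwill", today=d),                      # her own account
        ledger.credit("erin", "m-999", 200, "complaint", today=d),                     # ghost customer
        ledger.credit("erin", "m-200", 1500, "complaint", today=d),                    # no approver
        ledger.credit("erin", "m-200", 1500, "complaint", approver="erin", today=d),   # self-approval
        ledger.credit("erin", "m-300", 1500, "complaint", approver="frank", today=d),  # approver's relative
        ledger.credit("erin", "m-200", 1500, "complaint", approver="frank", today=d),  # legitimate
        ledger.credit("erin", "m-200", 4000, "complaint", approver="grace", today=d),  # 1500 + 4000 > cap
    ]
    return outcomes, ledger


if __name__ == "__main__":
    for entry in demo()[1].audit:
        print(entry)
```

The link table is the weak point of any such control: it only knows the relationships staff have declared, so periodic reconciliation of refunds and credits against HR data and repeated beneficiary accounts is what turns the audit log into a detection source.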
6) Deploy Secure Customer Loyalty Software
A fully secure platform is the best way to help prevent and detect loyalty fraud. The Propello loyalty and reward platform integrates with the leading fraud prevention service SEON.
SEON CCO Jimmy Fong commented on the increase in fraud attacks within the customer loyalty and reward space:
“Unfortunately, referral and bonus fraud are massively on the rise. We are proud to learn that our technology is in the right hands with Propello, who also shares our vision to help businesses go-to-market quicker with the right solutions.”
Propello CEO, Mark Camp, added:
“The most significant advantage (of SEON) is the cost, which gives us a great ROI. That’s saving us on resources we can allocate to fulfilling our mission, which is to help our clients to grow faster by attracting and retaining more customers.”
Propello makes the security maintenance of your programmes simple and stress-free. In addition to the SEON fraud prevention solution, we adhere to the ISO 27001 Information Security Management framework, which includes regular penetration tests. We also operate in an IL4 hosting environment, the same type used by the Ministry of Defence.
Is Loyalty Fraud a Concern?
A customer loyalty software platform is the best overall solution to address all of your security concerns. Our experienced teams across various departments know what to look out for, whether it's a change in the code or a phishing attempt against your customers.
The tech department and customer service team at Propello are on hand to help protect your customers and your reputation.