5 Tips for Deterring Loyalty Program Fraud NOW
By Angel Grant
Spring is near, the time when many people start planning their summer vacations. Perhaps they are counting on redeeming long-unused loyalty program points to help pay for airline tickets or hotel rooms. But these program members may be surprised to discover that their loyalty points have been stolen by cybercriminals and fraudsters who have taken over their loyalty accounts and drained them of value.
Loyalty programs and reward programs have become an increasingly common target for fraud since the pandemic, and we should anticipate a surge with the current recessionary downturn. Merchant Fraud Journal reported in 2022 that e-commerce retailers saw a 75% increase in users manipulating store reward programs for fraudulent gain in the previous two years.
The rise in fraudulent activity is due in part to pandemic-era lockdowns, when most people were not closely monitoring loyalty points, particularly for hospitality and travel-related programs. Though these accounts may hold thousands of dollars of value, the average consumer doesn’t check their loyalty point status as frequently or closely as accounts at a bank or financial institution, particularly when opportunities to use the points for travel were limited.
The increase in loyalty program fraud also stems from the size of the opportunity: It’s a big target. U.S. consumers have 3.8 billion memberships in consumer loyalty programs, and the American loyalty market is forecasted to reach a value of $55.92 billion by 2026. Adding to the allure for cybercriminals is the fact that almost half of loyalty point accounts in the U.S. are considered inactive, meaning that the value stored in these accounts is ripe for picking.
Given the pervasiveness of loyalty programs, the vast amounts of value held in these accounts, and the fact that few people actually monitor these accounts, it’s no wonder that cybercriminals have taken notice.
Types of loyalty fraud
The most common form of loyalty fraud involves account takeover, or ATO, which is often accomplished via credential stuffing. This occurs when a cybercriminal tests large numbers of compromised credentials (such as usernames and passwords breached from one site) against a different site’s login forms. Because many consumers reuse usernames and passwords across multiple accounts, criminals with stolen credentials find it relatively simple to breach loyalty accounts using automated bots. Once they gain access, criminals can take over the account by changing the username and password, then convert the stored points to gift cards or monetize them on the dark web.
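The pattern described above has a recognisable server-side footprint: one source trying many different usernames in a short window, most of them failing. The following added example (not code from the article or from F5) runs that detection over a few constructed login events and also lists the accounts that did log in successfully from a flagged source, since those are the candidates for a forced password reset or step-up challenge; the thresholds are assumptions to be tuned per program.

```python
from collections import defaultdict

# Constructed sample authentication events (not from the article):
# (seconds since start, source IP, username, outcome)
EVENTS = [
    (0,  "203.0.113.7",  "alice", "fail"),
    (1,  "203.0.113.7",  "bob",   "fail"),
    (2,  "203.0.113.7",  "carol", "fail"),
    (3,  "203.0.113.7",  "dave",  "success"),   # reused password: account at risk
    (4,  "203.0.113.7",  "erin",  "fail"),
    (5,  "203.0.113.7",  "frank", "fail"),
    (60, "198.51.100.4", "alice", "fail"),      # one member mistyping a password
    (65, "198.51.100.4", "alice", "fail"),
    (70, "198.51.100.4", "alice", "success"),
]


def detect_credential_stuffing(events, window=300, min_users=5, min_fail_rate=0.6):
    """Return (flagged_ips, at_risk_accounts).

    A source IP is flagged when, inside any `window`-second span, it attempts
    at least `min_users` distinct usernames and at least `min_fail_rate` of
    those attempts fail. A legitimate member retrying one account never
    reaches `min_users`, so they are not flagged.
    """
    per_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        per_ip[ip].append((ts, user, outcome))

    flagged_ips = set()
    for ip, rows in per_ip.items():
        rows.sort()                      # order by timestamp
        start = 0
        for end in range(len(rows)):     # sliding window over this IP's events
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, o in win if o == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_rate:
                flagged_ips.add(ip)
                break

    # Successful logins from a flagged source are probable takeovers.
    at_risk_accounts = {u for _, ip, u, o in events
                        if ip in flagged_ips and o == "success"}
    return flagged_ips, at_risk_accounts
```

Real deployments add client-side telemetry (device and browser signals) to this, since attackers rotate source addresses; the IP-based view here is the minimum a login log already supports.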
ATO can also be achieved via automated formjacking, a form of client-side attack that involves hijacking loyalty program web forms to skim personal data and payment information as consumers fill in the forms. This hands the attacker the keys to the account, which can then be plundered of its points at leisure.
Member fraud occurs when members themselves defraud the program by “double-dipping” or gaming the system with the goal of gaining points. For instance, a program member could simultaneously redeem points online and by phone, effectively doubling the value of their points. To gain extra sign-up points, members can open multiple loyalty accounts under different identities, then transfer all the points to a single account, or make purchases to optimize reward points but then cancel the purchases as soon as the points are redeemed for cash.
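The online-plus-phone "double-dip" above is a classic check-then-act race: each channel checks the balance, sees enough points, and debits, so the same points are paid out twice. The added example below (constructed for this page, not the article's code) shows the defensive fix: every channel debits through one ledger whose balance check and debit happen atomically, so only one of two simultaneous redemptions can succeed. Member id, channel names and point values are made up.

```python
import threading


class PointsLedger:
    """Single source of truth for point balances, shared by every redemption
    channel (web, phone, app). The balance check and the debit run under one
    lock, so two channels redeeming the same points at the same moment cannot
    both succeed."""

    def __init__(self, balances):
        self._balances = dict(balances)
        self._lock = threading.Lock()
        self.redemptions = []          # audit trail: (member, channel, points)

    def redeem(self, member, points, channel):
        with self._lock:               # check-then-debit is atomic
            if points <= 0 or self._balances.get(member, 0) < points:
                return False
            self._balances[member] -= points
            self.redemptions.append((member, channel, points))
            return True

    def balance(self, member):
        return self._balances.get(member, 0)


def simulate_double_dip(points=50_000):
    """Web and phone agents both try to redeem the member's full balance at
    the same instant. Returns ({channel: succeeded}, remaining balance)."""
    ledger = PointsLedger({"m-1001": points})   # constructed member id
    results = {}

    def attempt(channel):
        results[channel] = ledger.redeem("m-1001", points, channel)

    threads = [threading.Thread(target=attempt, args=(c,)) for c in ("web", "phone")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, ledger.balance("m-1001")
```

In a database-backed program the same guarantee comes from a single `UPDATE ... WHERE balance >= :points` (or a row lock) executed by all channels, never from each channel reading the balance and then writing a new one.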
Policy abuse is another form of fraud sometimes engaged in by loyalty members and involves taking deliberate actions to manipulate program policy for personal gain. Bypassing a program’s internal rules may involve sharing coupons or promotional codes or using them in illegal ways, violating merchant policies, or signing up for numerous promotions to illegitimately gain rewards.
Another form of loyalty fraud involves insiders or employees of the business manipulating the program for their own gain. This internal fraud can happen when insiders assign unused or unclaimed points to a different member account, or when points are transferred fraudulently between accounts.
5 tips to protect your loyalty program from fraud
Loyalty programs are valuable tools to help your business drive customer retention, increase brand loyalty, generate revenue, and grow and sustain market share by building stronger relationships with your customers. Here are five best practices to put in place to defend your loyalty point program from fraud, while maintaining a good customer experience for your legitimate members.
- Prevent account takeover. Detecting account takeover attempts requires monitoring traffic in real time, applying artificial intelligence and client-side telemetry signal collection to identify irregularities and atypical behaviors, so that bots testing stolen credentials are stopped before they take over accounts. Automated ATO mitigation technologies are now available that monitor every transaction for signs of fraud or risky behavior and can identify and eliminate bot-based fraud before it impacts your business, without disrupting the customer experience.
- Stop new account fraud. Opening new loyalty accounts—often at scale, using stolen, synthetic, or false identities—offers cybercriminals a number of opportunities to set the stage for fraud. By controlling these fraudulent accounts, criminals can abuse redemption programs, accumulate and resell points, and access goods or services under false pretenses. To protect your loyalty program from new account fraud, your cyber defense solution must be able to detect when criminals attempt to originate multiple fake accounts using automated tools or sophisticated manual techniques.
- Watch for policy abuse. Make sure that program policy rules are clearly communicated, in simple, easy-to-understand language, to both employees and members, with the consequences of policy abuse also clearly stated. Ensure that controls are in place to limit financial losses from exploitation or manipulation of coupons, promotions, and discounts. If policy abuse does occur, be certain to update your store policies as required.
- Pay attention to high-risk transactions. Tailor authentication mechanisms for your loyalty program to the level of risk associated with the user’s activity. High-risk activities, such as requests to change passwords or cash out large sums of points, should require enhanced security challenges. Anti-fraud technologies are available that use AI and machine learning to analyze transaction behaviors, and employ adaptive authentication, which chooses the most suitable authentication model based on the login attempt’s intended activity.
- Monitor internal behavior. Employees and other insiders within your business can also be threats to your loyalty program. Watch for and evaluate anomalies in normal staff behavior, and be cautious about which employees are given access to loyalty program data.
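Tips 1 and 4 come together in a risk-scored decision per request: low-risk activity passes silently, while a password change or a large cash-out, especially from an unrecognised device shortly after the credentials were changed, gets a step-up challenge or is held for review. This added example (not the article's or F5's code) shows that decision logic with a deliberately simple additive score; the signals, weights and thresholds are assumptions a real program would tune against its own fraud data.

```python
from dataclasses import dataclass

# Constructed request model; field names and weights are assumptions.
@dataclass
class LoyaltyRequest:
    action: str                       # "view_balance", "redeem", "change_password", "change_email"
    points: int = 0                   # points requested (for "redeem")
    balance: int = 0                  # member's current balance
    known_device: bool = True         # device/browser seen before on this account
    credentials_changed_recently: bool = False   # password/email changed in the last 24h


CREDENTIAL_ACTIONS = {"change_password", "change_email"}
STEP_UP_THRESHOLD = 40        # require MFA / one-time code before proceeding
REVIEW_THRESHOLD = 80         # hold the request for fraud-team review


def risk_score(req: LoyaltyRequest) -> int:
    """Additive risk score; higher means more likely account takeover."""
    score = 0
    if req.action in CREDENTIAL_ACTIONS:
        score += 40                               # lockout-the-owner step of an ATO
    if req.action == "redeem" and req.points > 0:
        if req.balance and req.points / req.balance >= 0.5:
            score += 30                           # cashing out most of the balance
        if req.points >= 50_000:
            score += 20                           # large absolute value
        if req.credentials_changed_recently:
            score += 30                           # change credentials, then drain
    if not req.known_device:
        score += 25
    return score


def decide(req: LoyaltyRequest) -> str:
    """Map the score to an outcome: 'allow', 'step_up' or 'review'.
    Routine activity on a known device scores 0 and is never challenged."""
    score = risk_score(req)
    if score >= REVIEW_THRESHOLD:
        return "review"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"
```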
Choose the right tools to protect your loyalty program from fraud
For many businesses, loyalty programs are an important tool for increasing customer retention and brand loyalty, but these programs do expose merchants to the risk of fraud, particularly during recessionary times when consumers who face increased economic uncertainty may be tempted to engage in fraud. However, while it is critical to deter cybercriminals from perpetrating fraud, you must also make sure that your anti-fraud methodologies don’t create a negative customer experience for the majority of your customers, who simply want to monitor and redeem their hard-earned loyalty points. A new generation of advanced anti-fraud technologies is now available that employs AI and machine learning to constantly monitor your loyalty programs to deter criminals, automated attacks, and those seeking to game the system, while creating a challenge-free environment for legitimate, high-priority customers. Read this case study to learn how an international airline used F5 anti-fraud technologies to protect its frequent flier programs.