What did I learn about loyalty programme fraud on a chilly day in Brighton?

A couple of weeks ago I attended a conference on loyalty fraud in Brighton, where representatives of various loyalty programmes and tech companies got together to discuss issues currently facing the industry.

(If you are in the loyalty sector, you can learn more about the Loyalty Fraud Prevention Association here.)

I was only there as an observer.  I agreed that I would not write about anything that the industry is doing to solve the issues of loyalty fraud, but I did want to write an overview of how the industry sees the problem.

There are effectively three different types of loyalty fraud:

Member fraud – low-level (in context) fraud committed by members, often by exploiting loopholes in how schemes operate

Organised fraud – fraud committed by what you would loosely call ‘organised’ crime

Staff fraud – fraud committed by employees of the airline or hotel company running the programme

‘Member fraud’ is the relatively low level stuff that you will often see discussed on Flyertalk or, for dodgier stuff, on private message boards.

We can argue for hours about where the cut-off point for calling something ‘fraud’ should be.  At a very low level, for example, Heathrow Rewards only allows one account per household and their IT system is designed to pick this up at the point an account is opened.  If you open a 2nd account for your live-in partner – to take advantage of another joining bonus – by tweaking your address to ‘2a High Street’, is that fraud?

At the other extreme, when bmi Diamond Club was still active, it was so badly managed that some people realised that you could get away with virtually anything.  You could fly a First Class redemption ticket on a Star Alliance carrier, send the boarding pass to bmi and they would credit it as a revenue flight, giving you status miles and redeemable miles.  This was 100% certain to work.  Send the same boarding pass in again a year later and they would credit it again, thinking the flight was from the current year.

We take a stiff line, at least in our articles (our comments are less patrolled), about highlighting things like this.  There is commercial self-interest at work since we need the advertising revenue we get from the airline and hotel groups to survive.  I also believe, however, that many of our readers would not want to be associated with a site which promoted such behaviour.

Another example: here is something I never knew but, when you think about it, it is obvious.  In some countries there is a far smaller pool of personal names in use than you get in the UK.  Most Islamic families will have at least one ‘Mohammed’ on the male side for example.   There is also, in clan-based countries, a far smaller pool of surnames.  This makes it far, far easier to find someone else who shares your name and to whom you could arrange to credit your flights or hotel stays, or whom you could encourage to credit their stays to you.  It is apparently a big problem.

‘Organised fraud’ is more serious.   We were shown extracts from the ‘dark web’ where you could pay a few dollars for a file of thousands of loyalty programme membership numbers and member names.  This often comes from data breaches.   You would be shocked by what is available for sale out there.

Programmes don’t help themselves, of course.  In theory stealing from a loyalty programme is very risky.  Book a BA flight with my Avios and you need to fly it before I notice the points have gone.  The same goes for hotel redemptions, although as these are easier to book at short notice it is easier to get away with it.  Apparently in China there is a problem with hacked hotel loyalty accounts being used to book short notice rooms for prostitution.

The real issue is when you can redeem for ‘stuff’ – in particular, stuff that comes electronically.  A couple of years ago, IHG Rewards Club stopped letting members redeem points for Amazon e-gift codes – which appear on screen for immediate use as soon as you click redeem – because it was encouraging hackers to target the programme.  What do we see in 2017?  Hilton Honors launches, with big fanfare, the ability to redeem your points for an ‘instantly available’ Amazon e-gift code …..

The third element is staff fraud.  You see this occasionally in the press, when for example Tesco prosecutes a cashier who has been scanning their own Clubcard every time a customer hadn’t bothered to use one.  This is not so common in the airline industry but in the hotel sector it is possible to create fake bookings with an employee number in, or for an employee (at a franchised hotel which may partly run its own IT system) to get access to guest membership data.

Is loyalty fraud taken seriously?

There is clearly a problem with loyalty fraud.  The people running loyalty programmes are now sharing best practice on how to make sure they address issues like staff and member fraud. 

Firstly, they are now in the process of getting senior management to understand that miles = money (the fraudsters worked this out some time ago!)  Whilst there is a cash cost to loyalty fraud, it is not as direct or as immediately noticeable as, say, using stolen credit cards to purchase rooms or flight tickets.  United Airlines has a very public bounty program for you to try to hack their loyalty program as one way of getting senior management to focus on the issue.

Secondly, trans-national bodies are starting to co-ordinate over jurisdictional issues.  Europol, for example, is working with IATA and other global and regional law enforcement groups on “Global Days of Action” and now has loyalty fraud in its sights as well as stolen credit cards.

Thirdly, although each individual fraud may be relatively low in perceived value to the authorities, it is not seen that way by account holders.  With some estimates putting the value stored in loyalty accounts globally at over US$200 billion, it is starting to get the attention of prosecutors.

As a trade body, the Loyalty Fraud Prevention Association is working to find solutions to these issues.

And help yourself …..

As a programme member, you also have some responsibility to make sure that your miles are protected.  One executive from a mid-tier airline told me that 70% of their members only logged in to their account once a year.  It is easier for fraudsters to strike when members have so little interest in their points.

(In some ways I see Head for Points as a personal finance website.  Once you understand that your miles and points are worth money – often four to five figures-worth – you should manage them in the same way that you would manage a bank account containing a similar sum.  And yet …. I have to admit that the passwords on some of my family accounts with six figure balances are laughably easy to hack.)

Using a tool like Award Wallet, which is free at the basic level (click here for details), is the best way to keep yourself secure.  Run it once a day and it will automatically check all of your balances and tell you what has changed.  (Of course, you could argue that Award Wallet could get hacked – and would you have any recompense if you had voluntarily given AW your password information?  You can get around this by having Award Wallet store your passwords locally and not on their servers.)

So, what did I learn from a day in Brighton in November (except that Brighton in November is a bit chilly …..)?

Loyalty fraud is a problem, but a problem that emerges in a number of distinctly different ways – and can even be an internal problem for companies

The industry is coming together to raise the importance of loyalty fraud both with their own senior management and with cross-jurisdictional policing bodies

At this very moment, someone is probably selling a data file containing at least one of your loyalty programme account numbers on the ‘dark web’


Comments

  1. What about those who admit to changing their credit card country to Ukraine when booking BA flights, to avoid the credit card surcharge? Fraud too?

  2. I suppose it could be classed as tax avoidance, so a form of fraud?

    • the real harry1 says:

      tax avoidance would be legal in any case – it’s tax evasion that’s illegal

      but I can’t see your point – you mean that by minimising customer fee payment to BA, they pay less tax on income?

    • Last time I checked it is not illegal in every case for people to lie otherwise there would be more people in prisons than out.

    • You mean like flying from other European airports to avoid paying APD?

      • That’s a form of forward planning, not fraud or evasion. I would classify changing countries for your CC charging as fraud, but whatever floats your boat I guess..

  3. You’d have thought that IHG might have learnt something from before – but no, they still only allow a 4-digit PIN to secure your account! Very frustrating when trying to beef-up security on passwords (I’m now using LastPass to generate secure passwords) only to find that the website itself won’t let you do anything to improve it!

    I also wish more sites offered two-factor authentication (2FA) – Amazon UK finally has it, as does AwardWallet, but the more that have it the better!

    • I have emailed IHG regarding this. A single 4 digit pin to access your account is laughably insecure and they aren’t helping their members by keeping it like that. All an attacker needs is an email address and they can very easily guess your pin by brute force.

      • Good luck in getting any sensible reply – total waffle back when I emailed them about this before!

        • Thanks.

          I might publish an article about it. Companies usually don’t perk up until they get some bad press, but I will give them a chance to follow up on my email first.

        • Good plan, if no decent reply and you do publish then please post a link here!

      • My IHG account was hacked and they used my points through Apple Pay to get concert tickets. When I complained they gave me back my points … and a new 4 number pin… sigh…

  4. OT- I have a mere 1,000 AAdvantage points. Is it possible to move these to any other account such as Avios? I have flown AA once and don’t expect to again for the foreseeable future.

  5. Anyone mentioned Tesco Pet Insurance yet?

  6. … by tweaking your address to ‘2a High Street’, is that fraud?…

    I am astounded that you would even ask that question. Using a fake (tweak is a cute word isn’t it?) to obtain benefits that you would not otherwise be entitled to is fraud.

    Mind you, this is the site that suggests people put in an overseas address to obtain bonus miles so maybe I should not be surprised.

    • the real harry1 says:

      you forgot the whole quote:

      ‘If you open a 2nd account for your live-in partner – to take advantage of another joining bonus – by tweaking your address to ‘2a High Street’, is that fraud?’

      that live-in partner is fully entitled to their own Heathrow Rewards a/c, & there is nothing in the T&Cs to forbid it

      how’s it possibly fraud for that second person to get their own Heathrow Rewards a/c? the second person is just submitting an address that works for them & stops HR chucking out a perfectly valid address

    • It depends on the scenario. If you’re doing it to get another person at the same address an account then you ARE entitled to the benefits (see T&Cs that trh1 posted). If you phone Heathrow Rewards they can manually add a 2nd person at the same address, all you’re doing here is circumventing a poorly-written part of their IT, not part of the T&Cs of the programme. Obviously if trying to have multiple accounts in your own name then that is a breach of the T&Cs.

    • I do actually live at 29 and 29a. But I don’t have a live in partner.

  7. memesweeper says:

    OT: if I’ve upgraded from personal Amex Gold MR to Platinum, what is the new bonus, and what is the spend and timescale? There’s no progress bar on the website so I’m starting to be concerned that there’s no bonus, ever!

  8. Try as I might I’ve got little sympathy with any company which releases products so poor in risk assessments that a Terry’s Chocolate Orange could beat them. Now then anyone want to buy some magic beans???

  9. It’s interesting that so many people have different ideas about what constitutes fraud. It has a clear legal definition (look it up), which is totally separate from any company’s T & Cs. Each case would have to be tested in court to determine whether it was actually fraud in the criminal sense.

    One element is the establishment of ownership, which is in itself a civil matter. It would have to be established who the legal owner of the loyalty points was; there was a case involving the theft of a Boots Advantage card; the thief spent the accumulated points but they were deemed to have no financial value and therefore the offender was only guilty of stealing the card itself which was given a nominal value of £1. The points are not tangible property, so can’t belong to anyone.

    • You sure? I have no legal training but
      “A “gain” or a “loss” is defined to consist only of a gain or a loss in money or property (including intangible property), but could be temporary or permanent”
      From Wikipedia. That reliable source!
      https://en.wikipedia.org/wiki/Fraud_Act_2006

    • Check this case related to Virgin Flying club air miles fraud which made headlines back in 2009 itself. So there is definitely a criminal element to it as long as someone can represent the loss in monetary value which airlines or hotel or any hospitality industry can quickly work out.

      http://www.dailymail.co.uk/tvshowbiz/article-1170304/Watchdog-presenter-cleared-police-air-miles-fraud-inquiry.html

      There is another case in the US involving airmiles being used in a corruption case which Rob covered just a few weeks back.

      • US law has no bearing on the UK. With the Bradbury case, again, I am not seeing that the actual loyalty points are classed as property, rather the fact that they appear to have been used to “purchase” flights. It would be the flights which would have been considered to have been fraudulently obtained. I would extrapolate from this that using a false address to get extra loyalty points would not be classed as fraud, but if you used the points to buy something, you could be in hot water legally. However, it would still be far from cut and dried – in the case of a Household Account with BA, for instance, only a % of points redeemed may have been collected “fraudulently”, which would muddy the waters somewhat.

        • If you read other reports about this case, the investigation focused on flights which weren’t paid for (with any currency), and store vouchers being given to a Virgin staff member in exchange for crediting loyalty points to certain accounts. My view is that this is a legal minefield and that would have been acknowledged at the conference!

  10. OT – Quick question … When Accor Platinum is expiring .. is it downgraded to Gold or Classic ?

  11. David Horton says:

    OT – Rob can you send me a referral link for Amex gold please

  12. the real harry1 says:

    O/T – Raffles can you send me this year’s Amazon Black Friday deals please

    • Not allowed! (Not sure if Anika has the list yet actually.)

    • I snagged a nice new 49″ Sony 4K TV w/Android TV & free Amazon Echo at the weekend – price has now jumped back up by over £80! New delivery setup quite nice too, shows you a map when the driver is getting near 🙂

      • the real harry1 says:

        sounds a bit better than mine – but I got the 5 year g’tee from Tesco 🙂

        got this little 50″ beaut (beaut in its time, I hasten to add, 29 Dec 2014) Panasonic TX-P50X60B 50 Inch HD Ready 720p Plasma TV With Freeview HD for £224

        great picture but not a patch on the newer stuff

        if only I can positively wish it (hammers won’t be involved) to go wrong before 28 Dec 2019 lol

  13. I hope that someone from Accor hotels was at the conference. They gave someone else access to my Le Club Hotels account, points and data. Two months after initially complaining to them, they still have not sorted it out or explained how they could have done this. Looks like I am going to have to complain to the ICO about the clear breach of the data protection act.

    • They are notorious for their IT, I suspect some hotels just match on hotel guest’s surname, I’ve previously had to notify them I’ve received Points in error, i.e. meant for another guest.

  14. “At the other extreme, when bmi Diamond Club was still active, it was so badly managed that some people realised that you could get away with virtually anything.”

    I think that is the understatement of the year. To be fair, this was facilitated in part by the legendary call centre CSRs who would often arbitrarily book you into a class above that you were redeeming for or would ask you to phone back tomorrow and pay the fuel surcharges and taxes for the flight once the ticket had been issued. Upon phoning back they would then argue with you telling you that you had already paid all the additional fees! You would then end up getting the flight free of any charges!

    • Sweet memories. I am told from a reliable source (cough) that changing a points only booking to a cash and points booking would sometimes result in half the points getting re-credited to one’s account and the cash element not collected.

  15. plastikman says:

    I get daily emails that someone has tried to access my awardwallet account with wrong credentials. It does not convince me their IT is up to the job…..
