
What did I learn about loyalty programme fraud on a chilly day in Brighton?


A couple of weeks ago I attended a conference on loyalty fraud in Brighton, where representatives of various loyalty programmes and tech companies got together to discuss issues currently facing the industry.

I was only there as an observer.  I agreed that I would not write about anything that the industry is doing to solve the issues of loyalty fraud, but I did want to write an overview of how the industry sees the problem.

There are effectively three different types of loyalty fraud:

Member fraud – low-level (in context) fraud committed by members, often by exploiting loopholes in how schemes operate

Organised fraud – fraud committed by what you would loosely call ‘organised’ crime

Staff fraud – fraud committed by employees of the airline or hotel company running the programme

‘Member fraud’ is the relatively low level stuff that you will often see discussed on Flyertalk or, for dodgier stuff, on private message boards.

We can argue for hours about where the cut-off point for calling something ‘fraud’ should be. At a very low level, for example, Heathrow Rewards only allows one account per household and their IT system is designed to pick this up at the point an account is opened. If you open a 2nd account for your live-in partner – to take advantage of another joining bonus – by tweaking your address to ‘2a High Street’, is that fraud?

At the other extreme, when bmi Diamond Club was still active, it was so badly managed that some people realised that you could get away with virtually anything.  You could fly a First Class redemption ticket on a Star Alliance carrier, send the boarding pass to bmi and they would credit it as a revenue flight, giving you status miles and redeemable miles.  This was 100% certain to work.  Send the same boarding pass in again a year later and they would credit it again, thinking the flight was from the current year.

We take a stiff line, at least in our articles (our comments are less patrolled), against highlighting things like this. There is commercial self-interest at work, since we need the advertising revenue we get from the airline and hotel groups to survive. I also believe, however, that many of our readers would not want to be associated with a site which promoted such behaviour.

Another example: here is something I never knew but, when you think about it, it is obvious.  In some countries there is a far smaller pool of personal names in use than you get in the UK.  Most Islamic families will have at least one ‘Mohammed’ on the male side for example.   There is also, in clan-based countries, a far smaller pool of surnames.  This makes it far, far easier to find someone else who shares your name and to whom you could arrange to credit your flights or hotel stays, or whom you could encourage to credit their stays to you.  It is apparently a big problem.

‘Organised fraud’ is more serious.   We were shown extracts from the ‘dark web’ where you could pay a few dollars for a file of thousands of loyalty programme membership numbers and member names.  This often comes from data breaches.   You would be shocked by what is available for sale out there.

Programmes don’t help themselves, of course.  In theory stealing from a loyalty programme is very risky.  Book a BA flight with my Avios and you need to fly it before I notice the points have gone.  The same goes for hotel redemptions, although as these are easier to book at short notice it is easier to get away with it.  Apparently in China there is a problem with hacked hotel loyalty accounts being used to book short notice rooms for prostitution.

The real issue is when you can redeem for ‘stuff’ – in particular, stuff that comes electronically.  A couple of years ago, IHG Rewards Club stopped letting members redeem points for Amazon e-gift codes – which appear on screen for immediate use as soon as you click redeem – because it was encouraging hackers to target the programme.  What do we see in 2017?  Hilton Honors launches, with big fanfare, the ability to redeem your points for an ‘instantly available’ Amazon e-gift code …..

The third element is staff fraud. You see this occasionally in the press, when for example Tesco prosecutes a cashier who has been scanning their own Clubcard every time a customer hadn’t bothered to use one. This is not so common in the airline industry, but in the hotel sector it is possible to create fake bookings with an employee number attached, or for an employee (at a franchised hotel, which may partly run its own IT system) to get access to guest membership data.

Is loyalty fraud taken seriously?

There is clearly a problem with loyalty fraud.  The people running loyalty programmes are now sharing best practice on how to make sure they address issues like staff and member fraud. 

Firstly, they are now in the process of getting senior management to understand that miles = money (the fraudsters worked this out some time ago!). Whilst there is a cash cost to loyalty fraud, it is not as direct or as immediately noticeable as, say, using stolen credit cards to purchase rooms or flight tickets. United Airlines has a very public bounty program inviting you to try to hack its loyalty program, as one way of getting senior management to focus on the issue.

Secondly, trans-national bodies are starting to co-ordinate over jurisdictional issues.  Europol, for example, is working with IATA and other global and regional law enforcement groups on “Global Days of Action” and now has loyalty fraud in its sights as well as stolen credit cards.

Thirdly, although each individual fraud may be relatively low in perceived value to the authorities, it is not seen that way by account holders. With some estimates putting the value stored in loyalty accounts globally at over US$200 billion, it is starting to get the attention of prosecutors.

As a trade body, the Loyalty Fraud Prevention Association is working to find solutions to these issues.

And help yourself …..

As a programme member, you also have some responsibility to make sure that your miles are protected.  One executive from a mid-tier airline told me that 70% of their members only logged in to their account once a year.  It is easier for fraudsters to strike when members have so little interest in their points.

(In some ways I see Head for Points as a personal finance website. Once you understand that your miles and points are worth money – often four to five figures’ worth – you should manage them in the same way that you would manage a bank account containing a similar sum. And yet …. I have to admit that the passwords on some of my family accounts with six-figure balances are laughably easy to hack.)

Using a tool like Award Wallet, which is free at the basic level, is the best way to keep yourself secure. Run it once a day and it will automatically check all of your balances and tell you what has changed. (Of course, you could argue that Award Wallet could get hacked – and would you have any recompense if you had voluntarily given AW your password information? You can get around this by having Award Wallet store your passwords locally and not on their servers.)

So, what did I learn from a day in Brighton in November (except that Brighton in November is a bit chilly …..)?

Loyalty fraud is a problem, but a problem that emerges in a number of distinctly different ways – and can even be an internal problem for companies

The industry is coming together to raise the importance of loyalty fraud both with their own senior management and with cross-jurisdictional policing bodies

At this very moment, someone is probably selling a data file containing at least one of your loyalty programme account numbers on the ‘dark web’

Comments (108)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • JamesB says:

    There is an article on the front page of The Times today regarding loyalty fraud. I noticed too that the number of gift cards available from Etihad Guest has been much reduced, now I know the likely reason why.

  • Andrew says:

    Using Awardwallet won’t help stop you being hacked. All it will do is allow you to spot if you have. As mentioned though this may not help you get any recompense. Even if Awardwallet aren’t responsible for any breach the hotel/airline scheme may be even less inclined to compensate you when they go through the history of your logins and see a large number have come from one of AW’s servers.

    Unlike a bank AW offer no guarantees in the case of a breach (even if it’s their fault) and in my opinion should be avoided if you take security seriously.

    • the real harry1 says:

      yep I avoid them for this reason – then again, I haven’t got 50+ loyalty schemes on the go 🙂

      what is typical here? I’m not a frequent hotel user (and my wife, who is, refuses to play ball) so that cuts it down a lot

      I guess I have about 20+

      BAEC, Tesco, Nectar (only through Ebay), Virgin, Accor, IB, most multiple, i.e. family, must be a couple more

  • bagoly says:

    Interesting that they didn’t mention staff fraud within Customer Staff as you described in an article recently.
    It’s true that it is not the travel companies which suffer the loss in that case, but should they not still care about it (and think about how to educate senior management of customer companies) ?

  • the_real_a says:

    Loyalty programs really do not help themselves. Air France and IHG use 4 digit “pins” as passwords… Time they look to banks and offer 2 factor authentication when making bookings.

    It’s also quite convenient to label loopholes as “fraud”, which is nonsense; in this day and age the platforms need sufficient validation to limit what’s possible. It’s ridiculous that you can perform an action online only to find out down the line that you have “contravened” some convoluted rule hidden in the T&Cs. Dare I say we need loyalty schemes to come under the FCS remit?

    • RussellH says:

      Does the use of card readers or hardware tokens to log in count as 2FA? What about the use of card readers or hardware tokens for setting up payees or making individual payments?

      I just changed the password on one of my bank accounts, and was disgusted, though not surprised, that their password rules still excluded all non-alphanumeric characters and were not case sensitive.

      IHG’s PIN is, frankly, a scandal.

      • Alan says:

        Yes – the idea is something in your possession (code generator, card reader, etc.) in addition to the username/password combo.

  • Yuff says:

    Looks like the Times need to take some notice of the content of their article 😉
    Handy tip though harry 🙂

  • xcalx says:

    “Member fraud – low-level (in context) fraud committed by members, often by exploiting loopholes in how schemes operate”

    Is exploiting a loophole really fraud? If so, MSE are always promoting fraud.

    • Alan says:

      I think exploiting a loophole is fine. The other example that Rob gave of opening a second account when the terms expressly say 1 account per household is fraud IMHO.

    • Rob says:

      What’s the difference? If you add an American Airlines number to a redemption it will occasionally credit as a cash flight. Is that fraud or a loophole? Does the fact that BA has to pay AA for the AA miles you get change your view?

      • xcalx says:

        Or how about if Amex were offering a large Tesco gift card for a small number of points, which was clearly a mistake, and one took advantage of said mistake: is that fraud?

        • Alan says:

          No. It isn’t fraud. Unless the rules state you can’t do it. Is it ethical? That’s a different question. Fraud is where you break rules. If there are no rules broken then there is no fraud.

        • JP says:

          Or buying lots of ink cartridges to get points when they have added an extra 0 to the points you should have got for each cartridge….

        • Rob says:

          Ah yes, those were the days!

          Amex did deliver the gift cards – it could have cancelled the orders very easily.

      • Alan says:

        I think the difference is if a company states that something mustn’t be done. If you find a loophole that doesn’t contravene the Ts&Cs (to the letter rather than spirit) then I think that’s fair game not fraud.

        For the avoidance of doubt I am not judging what anyone does only stating where I think the line between loophole and fraud is.

  • Annie says:

    Just a note after seeing Heathrow Rewards used as an example – nowhere on their website or T&Cs does it say anything about limiting accounts at one address – I think this is a myth after recently checking it out.

  • Lux says:

    Very interesting, thanks Rob.

    When are BA going to introduce two factor authentication? If we are to treat frequent flyer points as cash, which we kind-of should, then loyalty programmes should have kind-of basic bank security.

    • Tim W says:

      Couldn’t agree more. None of the loyalty programmes I belong to (and there are quite a few!) require anything more than a nod towards security.

      • Rob says:

        Hilton has stepped things up a bit, but over the weekend a reader emailed me to say that his account had been cleaned out, so it clearly isn’t hugely effective.

        Some hotel schemes still put your account number into their monthly emails (I noted today that Marriott isn’t doing that now, it says “Account number: XXX-XXXX-XXX” and then my balance) which doesn’t help.

        • Alan says:

          I find I almost never receive any emails from Hilton (despite all marketing prefs being set to on). However when making a redemption I now receive an email within seconds confirming a redemption has been made. Happens every time. Actual booking email doesn’t arrive for another 10 min or so.
