Maximise your Avios, air miles and hotel points

What will a fraudster pay for your Avios log-in details on the dark web?

Links on Head for Points may support the site by paying a commission.  See here for all partner links.

The other day I came across the Dark Web Market Price Index.  This is a monthly updated list showing what people are paying on the ‘dark web’ (Dream, Point and Wall Street Market, all of which require the Tor browser) for your log-in details to various websites.

The list of prices is huge.  At the top end, Paypal log-in details sell for an average of £280 – that number is driven by a % of the credit balance held in the accounts put up for sale.

At the bottom end, your ASOS log-in details are worth £1.50.  Data like this is primarily useful for helping with ID fraud as part of a broader scam and would not necessarily be used to make fraudulent ASOS purchases.

Avios wing 15

In the travel category, Avios / BA accounts are the clear winner at £6.73 per set of account details.

They would be worth more, but there is clearly a big risk in using a hacked Avios account to book a flight for a future date.  Much of the fraud I hear about is via Avios hotel redemptions.  A fraudster can book and check-in (and hopefully check-out) before you even noticed your points were gone.  I imagine that fraudulent redemption of wine or other goods, sent to ‘safe’ addresses, is also popular.

Airbnb and Uber accounts are also worth £5+.  The value of a hacked Uber account, given it can be used globally, is obvious.  Whilst you can easily block your account any fraudster timing it right (eg taking rides in the early hours of the morning when the UK account holder is likely to be asleep) can easily get more than £5 of value before the plug is pulled.

Airbnb is more interesting.  Hacking into the account of a host allows you to change their banking details and have stay money sent elsewhere.  Hacking into the account of highly rated guests allows you to book high-end properties without suspicion and then burgle them.

Even Facebook accounts with no financial information sell for an average of £3.74 because the treasure trove of personal data you leave there is enough for many forms of identify theft.  (How many of the security questions on your online banking account could be answered by someone who also had access to your Facebook account?  HSBC tends to ask me: Your child’s middle name?  The town where you went to school?  Where did you live in the year 2000?)

It is a fascinating subject, at least for me, especially after what I learnt at the loyalty fraud conference I attended last year.  You can read the full dark web report here.

How to earn Avios from UK credit cards

How to earn Avios from UK credit cards (April 2024)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

Barclaycard Avios Plus card

Barclaycard Avios Plus Mastercard

Get 25,000 Avios for signing up and an upgrade voucher at £10,000 Read our full review

Barclaycard Avios card

Barclaycard Avios Mastercard

5,000 Avios for signing up and an upgrade voucher at £20,000 Read our full review

There are two official British Airways American Express cards with attractive sign-up bonuses:

British Airways American Express Premium Plus

25,000 Avios and the famous annual 2-4-1 voucher Read our full review

British Airways American Express

5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £15,000 Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points. These points convert at 1:1 into Avios.

American Express Preferred Rewards Gold

Your best beginner’s card – 20,000 points, FREE for a year & four airport lounge passes Read our full review

The Platinum Card from American Express

40,000 bonus points and a huge range of valuable benefits – for a fee Read our full review

Run your own business?

We recommend Capital on Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.

Capital on Tap Business Rewards Visa

Huge 30,000 points bonus until 12th May 2024 Read our full review

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus.

British Airways Accelerating Business American Express

30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

American Express Business Platinum

40,000 points sign-up bonus and an annual £200 Amex Travel credit Read our full review

American Express Business Gold

20,000 points sign-up bonus and FREE for a year Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Comments (72)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • RussellH says:

    > I would review the password policies of the site you visit and use the maximum length they support

    Yes, but what is also really poor is how few sites still use case sensitive passwords and passwords that include non alpha-numeric characters. Amex, for one, while it does allow non alpha-numeric characters, the letters are not case sensitive. And you always have to type the full password, which is not good. I once recently had an Amex agent warning me not to use upper case, as their systems did not like it. Creation though, often much maligned here, does allow non alpha-numeric characters and is fully case sensitive. Clydesdale Bank likewise. TSB, though takes no account of case and is strictly alpha-numeric only, so you only have a choice of 36 characters.

    No one else quite as bad as IHG, though, that I am aware of!

    • Doug M says:

      Oh great. Thought you had to be kidding, so just typed my carefully mixed case password all in lower and logged in without issue. Amex, really, that is quite surprising.

      • RussellH says:

        Thinking further about Amex, what is worse is that you always have to type that password in fully and there is no second stage – I would imagine that selecting three characters from the 19 I use and then having to use some other peice of information to get in would be an improvement. Even TSB, and Hargreaves-Lansdown do that, even though they do not allow non alpha-numeric characters. FWIW, is it not perhaps time that someone like the FCA manadted minimum login standards?

        • Polly says:

          We get the odd text security no at times from amex. Think the two level security is essential.

        • Fenny says:

          As long as the mandated standards are applied consistently. I don’t mind what they are, but where you have one place wants no more than 8 characters, one wants 10 including 2 numbers etc, it’s all a mess. If somebody sets a standard – say 16 including alphanumeric and special characters, everyone needs to stick to it. But too many companies will whinge about having to change their systems and won’t bother.

        • AndyGWP says:

          If you have a set / mandated password standard tho, it gets easier to hack it!

          If I know your password is exactly 10 characters long, its easier to hack than if I have to guess how long your password is 🙂

        • RussellH says:

          I did suggest **minimum** standards – I would not want anything to prevent higher standards. I do think ‘no more than 8 characters’ is quite wrong though.

          I would want passwords to have to be case sensitive, and allow all ASCII characters from 33 to 127, with a minimum word length of 11. The standards would need to be enforceable at law, with effective penalties which would have to be applied to an organisation’s policy makers – ideally someone at board level or equivalent.

        • AndyGWP says:

          Apologies – my reply was in response to “If somebody sets a standard – say 16 including alphanumeric and special characters, everyone needs to stick to it.”

          …appreciate it gets difficult to see who’s replying to what when we hit the maximum number of nested replies 🙂

    • Scott says:

      Santander is a 5-digit pin for full access to my current and savings accounts (albeit you also need to know the 8 digit customer ID, rather than e.g. an Email address, and there is an additional security question if logging in from a new device for the first time.)
      They do require a OTP if you wish to transfer money to a new recipient, but it still feels inadequate for a bank.

      • Genghis says:

        Not two passwords and the customer ID? Even so, what’s the risk?

        • Richard says:

          Yes, passcode and password for Santander

        • Scott says:

          No, definitely only one 5-digit pin required for access, other than for the circumstances I mentioned. What’s the risk? – maybe little, but it just seems lax compared to other banks.

        • Genghis says:

          Interesting. It’s a 5 digit pin for me on the app on my phone but then that’s an effective 2FA.

  • Tom says:

    I think it is smart phones and their apps that are the security risk.

    Using only a PC and a VPN, I’ve never had a problem

  • Graham Walsh says:

    Re people’s concern of a password manager’s site being hacked, I use another device to authenticate my login to the Lastpass. It’s called a Yubi Key. You could also use another method such SMS.

    Wonder how much my HfP login is worth 🙂

  • Simon says:

    £280 average for paypal login details wow. Personally I move any balance out straight away to my bank even if just £5-10 in credit. That way when I make my next purchase via paypal I can pay the full amount using my AMEX card to max out avios earnings. Paypal doesn’t seem to let me pay the full amount on a card if I have a credit balance in my account.

    Not sure what everyone else does but hopefully a handy tip. I guess people keeping large credit balances are likely to be eBay power sellers etc..

    • Genghis says:

      What about sending money to an email address and it being changed to linked card (even if zero balance)?

    • Rob says:

      I have had £5k in PayPal before, some overseas HFP clients like to pay with it.

    • Scott says:

      No problems for me paying with a credit card via Paypal, when I have a credit balance in my Paypal account.

This article is closed to new comments. Feel free to ask your question in the HfP forums.

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.