
Is your Avios account now at greater risk from hackers?


We have written before about how British Airways Executive Club account details are openly sold on the ‘dark web’.

However, whilst there is a market for your stolen log-in details, Avios has never been a big target for hackers.

Why? Because the options for spending your points if your account is hacked are slim. Not zero, but slim.


Unless you were planning to fly within hours, you’d be a bit dim to book a flight using Avios from a hacked account. Not only would you need to find a stolen credit card to pay the taxes, but you’d need to supply your real name for the ticket. The chance of being arrested at the airport is high.

The Avios hotel booking platform also carries risk. You could book a room under a false name from a hacked Avios account and turn up a couple of hours later. The risk of getting caught is lower, especially as getting the police on site would be harder than at an airport, but it remains too risky for most hackers.

The Laithwaites wine redemption offers are open to fraud if you hack an Avios account but you still need to provide a drop-off address for the wine. This route is also of no interest to hackers based outside the UK.

There is one factor which makes your loyalty scheme a target for hackers

I went to a conference on loyalty fraud a couple of years ago which was eye-opening. (If you work in loyalty, you might be interested in the Loyalty Security Association.)

You would never think of some of the things that go on. For example, in the Middle East, there are only a handful of surnames. This makes it easier to ‘share’ loyalty accounts.

In China, there are apparently criminal gangs who train people to get jobs at hotel reception desks in order to siphon off loyalty and payment information.

There is also a lot of scope for ‘fixing’ names on bookings due to common surnames and the trend to have a made-up ‘English’ name as a first name.

In general, though, loyalty programmes only become major targets for fraud when it is possible to transfer points into something close to untraceable cash.

For years, the weak spot was Amazon gift codes. Many programmes offered the option of redeeming points for Amazon credit. If your account was hacked, it could be emptied for Amazon gift codes within minutes. Those codes become virtually untraceable because they can be added to any Amazon account.

Over the years, many programmes have dropped Amazon gift codes for this reason. I was surprised when Hilton Honors brought it back a while ago.


What has this got to do with Avios?

From last Monday, you can convert Avios into Nectar points. This article explains how to link your Avios and Nectar accounts and make transfers.

Nectar points are virtually as good as cash. You can swipe a Nectar card in a Sainsbury’s supermarket or Argos store and walk out with free items.

The details on the Nectar account do not even need to match the personal details on the linked BA account.

Once points are on a Nectar card, they can also be sent to an eBay account as credit. From there, the hacker could buy an item off themselves, using a 2nd eBay account which they also control. This would turn the eBay credit into real cash sitting in a PayPal account. Whilst a Sainsbury’s shop requires the hacker to be in the UK, the eBay route can be managed from anywhere.

Avios accounts are now less secure – not for any technological reason, but because hackers now know that there is an easy way of turning Avios points into pseudo-cash which cannot be easily traced. They will make more of an effort to access them.

Is there anything you can do?

Stick to the obvious and you will be fine. Keep your Avios account secure with a strong password which you do not also use on other sites.

(I can hear Rhys laughing at this point, since he knows that there are few people worse than me for setting weak passwords.)

If you rarely access your account, consider using a service such as AwardWallet to keep track of balance changes. Consider whether it is better having points sitting in Nectar or Avios from a security perspective. It is highly likely that you won’t have problems, but there are things you can do to help yourself.



Comments (94)

  • Bagoly says:

    Excellent risk analysis point – risks are not always about the direct technical computer parameters.

    I have just changed our BA passwords.
    It looks as though that USD20M fine was indeed not enough to get BA to sort out the basics of cyber security – the field for Current Password allows Chrome’s password stash to autocomplete it!
    From just that evidence it might be a Chrome issue rather than a BA issue, but the fact that on the Norwegian site I do not find the same issue strongly suggests that it is BA at fault.

    • Alba says:

      Allowing autocomplete on password fields is a good security practice. It allows people to use password managers – which typically generate unique complex passwords. This is far more secure than reusing a memorable password.

      • Bagoly says:

        Yes, but not on the field where you enter existing password in order to set a new password – i.e. it prevents someone passing from changing your password.

        • Danny says:

          Respectfully, this is nonsense. If you have access to the device where the Chrome password is being autocompleted, you already have access to the stored password in plaintext, regardless of what’s happening on the change password page.

    • Catman says:

      You’ve told Chrome to remember the password…. You can’t blame BA for that

      • Alan says:

        Exactly – Chrome autocomplete is nothing to do with BA!

        • BP says:

          There is a way a website can instruct web browsers not to autocomplete but Chrome was the first browser to ignore this completely as it’s now best practice to have a password manager autocomplete for you.

  • Kevin says:

    Although worth remembering that in the terms, ‘every month, a maximum of 80,000 Nectar points and 50,000 Avios can be converted’. Yes, this is still a lot, but not quite the same as losing 500k in one go.

  • Dawn says:

    Talking passwords – I didn’t realise that on the Apple iPhone all the passwords can be accessed by Settings/Passwords until someone in the Apple store told me. I thought I was the only person who didn’t realise this until I found none of my friends knew this either.

    • Rhys says:

      Yes, but you need to use face or touch ID to log in

      • Dawn says:

        You do indeed 🙂 I’m just glad they are there – definitely one of the most useful things I learned – I’m not very tech savvy as you can see.

      • Rob says:

        All your saved passwords can be seen in Chrome as well.

    • ChrisC says:

      What I didn’t see until recently is that it tells you if you have used the same details on more than one site and if the password may have been in a breach so you can change it.

      • ChrisC says:

        And I just access it via my passcode. I don’t use Face or Touch ID

      • Tocsin says:

        If this is Chrome? It can also get confused – it keeps trying to save a ‘new’ password that is the last of the ‘put in three numbers from your secret PIN’ part of a login.

        It also reports a password breach on the same site, which I suspect is related to that confusion!

  • Callum Funnell says:

    OT – can anyone confirm if BA make a point of confirming flight cancellations as late as they possibly can? I have flights to Rio booked for early next month booked with the 241 Avios deal from last year. They’re not currently selling the route for this date or any surrounding dates which leads me to believe they already know it’s cancelled, is that likely the case?
    Thanks.

    • Rob says:

      Put it this way, a friend of mine recently was in the same boat – flights removed from sale but still showing as operating. The cancellation was eventually put through 2 days before departure.

      Someone at BA has probably done the maths and realised that it makes them £x extra profit in cancellation fees and encourages x% to take a Future Travel Voucher when otherwise they would have wanted cash.

    • kitten says:

      This sounds to be a bit abusive of the excuse currently allowing airlines to say Covid makes all cancellations no matter how late free of compensation requirement as “exceptional circumstances”.

      It will be very nice when we get to a point where Covid is not an excuse for airlines failing to give decent notice of cancellations when they’ve stopped selling well over the minimum notification period (to avoid paying compo) of 14 days and yet the airline is now notifying only much shorter time before the flight.

      Virgin did one on someone reported yesterday – cancelled their SFO flight so wants the person to go via East Coast NY – adding an extra flight of about 5 hours plus a 6 hour layover, putting passenger in this position only a few days before to make most of the options “airline keeps passenger’s money” options.

  • Skyshare says:

    A few years ago my Avios account was hacked and a hotel booking made. I phoned BA to query it and during the call the hacker was booking more rooms! BA cancelled the bookings and refunded the points after I had set a new password.

  • Olly says:

    I regularly have a Chrome Password Manager pop-up advise me to check passwords. Unfortunately, over the years I have amassed over 400 of them, which it’s telling me to check, so does anybody know of a way of solving the issue without going onto the 400 plus sites and changing them individually, as I’ve been procrastinating due to the anticipated time it will take to do it?

    • Mikeact says:

      Especially when mine says you’ve used the same password on x sites… and none of them are ‘easysimple’ to crack. One of them says, ‘14 years to crack’.

    • TT says:

      LastPass will solve this for you

  • ADS says:

    “Unless you were planning to fly within hours, you’d be a bit dim to book a flight using Avios from a hacked account”

    Point of information – whilst BA allows Avios bookings for same day flights, Avios.com require booking to be made at least 24 hours before flying.
