Maximise your Avios, air miles and hotel points

Is your Avios account now at greater risk from hackers?

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

We have written before about how British Airways Executive Club account details are openly sold on the ‘dark web’.

However, whilst there is a market for your stolen log-in details, Avios has never been a big target for hackers.

Why? Because the options for spending your points if your account is hacked are slim. Not zero, but slim.

Avios wing 15

Unless you were planning to fly within hours, you’d be a bit dim to book a flight using Avios from a hacked account. Not only would you need to find a stolen credit card to pay the taxes, but you’d need to supply your real name for the ticket. The chance of being arrested at the airport is high.

The Avios hotel booking platform also carries risk. You could book a room under a false name from a hacked Avios account and turn up a couple of hours later. The risk of getting caught is lower, especially as getting the police on site would be harder than at an airport, but it remains too risky for most hackers.

The Laithwaites wine redemption offers are open to fraud if you hack an Avios account but you still need to provide a drop-off address for the wine. This route is also of no interest to hackers based outside the UK.

There is one factor which makes your loyalty scheme a target for hackers

I went to a conference on loyalty fraud a couple of years ago which was eye-opening. (If you work in loyalty, you might be interested in the Loyalty Security Association.)

You would never think of some of the things that go on. For example, in the Middle East, there are only a handful of surnames. This makes it easier to ‘share’ loyalty accounts.

In China, there are apparently criminal gangs who train people to get jobs at hotel reception desks in order to siphon off loyalty and payment information.

There is also a lot of scope for ‘fixing’ names on bookings due to common surnames and the trend to have a made-up ‘English’ name as a first name.

In general, though, loyalty programmes only become major targets for fraud when it is possible to transfer points into something close to untraceable cash.

For years, the weak spot was Amazon gift codes. Many programmes offered the option of redeeming points for Amazon credit. If your account was hacked, it could be emptied for Amazon gift codes within minutes. Those codes become virtually untraceable because they can be added to any Amazon account.

Over the year many programmes have dropped Amazon gift codes for this reason. I was surprised when Hilton Honors brought it back a while ago.

Nectar Avios light

What has this got to do with Avios?

From last Monday, you can convert Avios into Nectar points. This article explains how to link your Avios and Nectar accounts and make transfers.

Nectar points are virtually as good as cash. You can swipe a Nectar card in a Sainsbury’s supermarket or Argos store and walk out with free items.

The details on the Nectar account do not even need to match the personal details on the linked BA account.

Once points are on a Nectar card, they can also be sent to an eBay account as credit. From there, the hacker could buy an item off themselves, using a 2nd eBay account which they also control. This would turn the eBay credit into real cash sitting in a PayPal account. Whilst a Sainsbury’s shop requires the hacker to be in the UK, the eBay route can be managed from anywhere.

Avios accounts are now less secure – not for any technological reason, but because hackers now know that there is an easy way of turning Avios points into pseudo-cash which cannot be easily traced. They will make more of an effort to access them.

Is there anything you can do?

Stick to the obvious and you will be fine. Keep your Avios account secure with a strong password which you do not also use on other sites.

(I can hear Rhys laughing at this point, since he knows that there are few people worse than me for setting weak passwords.)

If you rarely access your account, consider using a service such as AwardWallet to keep track of balance changes. Consider whether it is better having points sitting in Nectar or Avios from a security perspective. It is highly likely that you won’t have problems, but there are things you can do to help yourself.


How to earn Avios from UK credit cards (March 2023)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

SPECIAL OFFER: Successfully apply for either of the Barclaycard Avios credit cards by 2nd April 2023 and you will be entered into a free draw to win ONE MILLION AVIOS! Full details are on the application forms here (free) and here (paid). This competition is exclusive to Head for Points readers. T&C apply.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

Barclaycard Avios Plus card

Barclaycard Avios Plus Mastercard

25,000 Avios for signing up and an upgrade voucher for spending £10,000 Read our full review

Barclaycard Avios card

Barclaycard Avios Mastercard

5,000 Avios for signing up and an upgrade voucher for spending £20,000 Read our full review

There are two official British Airways American Express cards with attractive sign-up bonuses:

British Airways American Express Premium Plus

25,000 Avios and the famous annual 2-4-1 voucher Read our full review

British Airways American Express

5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £12,000 Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points.

American Express Preferred Rewards Gold

Your best beginner’s card – 20,000 points, FREE for a year & four airport lounge passes Read our full review

The Platinum Card from American Express

30,000 points and unbeatable travel benefits – for a fee Read our full review

Run your own business?

We recommend Capital On Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.

Capital On Tap Business Rewards Visa

Get a 10,000 points bonus plus an extra 500 points for our readers Read our full review

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus.

British Airways Accelerating Business American Express

30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

Until 30th March 2023, the sign up bonus on American Express Business Platinum is increased to 120,000 Membership Rewards points – click here. The bonus on American Express Business Gold is increased to 60,000 Membership Rewards points – click here. T&C apply, see the application forms for details.

American Express Business Platinum

Crazy 120,000 points bonus (to 30th March) and a £200 Amex Travel credit every year Read our full review

American Express Business Gold

60,000 points sign-up bonus (to 30th March) and free for a year Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Comments (94)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Gtellez says:

    Another option to keep your avios safe would be transferring them to Iberia. So, the hackers would need to hack both accounts (BA and Iberia) before sending them to Nectar/eBay.

    • RussellH says:

      Trouble with Iberia is that they do not allow stong passwords. It must be exactly 6 chars.
      And unless they have since changed it, only fully numeric passnumbers work with Combine my Avios.

  • Hugh says:

    Rob, can i suggest, now that you’ve just publicly stated your passwords are “weak” you get a password manager like 1password etc and get some strong passwords 😁

    • RussellH says:

      Perhaps Rob is just saying that his pws are weak, in an attempt to draw hackers attention away from the rest of us…

    • Rhys says:

      Trust me I’ve been trying…..

  • bafan says:

    I do the Apple “suggest password” thing which is great – but if Apple ever locked me out I would be beyond ****** lol.

    • lumma says:

      Firefox has this option too, but due to ridiculous password rules, some websites won’t accept the passwords despite them being a random mixture of numbers and upper and lowercase letters.

      Problem with using it is when you need to access the account on a different machine and you have no idea what the password is.

      • Rhys says:

        Yes, I love this option in Firefox.

        You can download the Lockwise app to access your Firefox passwords elsewhere – or just log in to your sync account if you’re using Firefox on another device.

      • RussellH says:

        Rdiculous password rules are indeed a problem. Some trustworthy authority needs to put pressure on organisations to require properly strong passwords.
        Some sites still restrict pws to only 10 or 12 chars.
        I have not checked recently, but I assume Amex passwords are still not case-sensitive?
        My Amex password is 19 chars long, but is probably less secure than a case sensitive one of 15 chars.
        And Barclaycard is really bad, with just a 6 figure passmumber and a 7 or 8 letter “memorable word”. Their 2FA can be by-passed if you have the card in your hand, which means that it is potentially open to a card thief.

    • BuildBackBetter says:

      Every third party tool / password manager has that risk.
      One advantage with iOS (and probably some other password managers) is you have automatic backup in cloud and also can get the passwords to sync between different devices.

      • Julian says:

        Can’t the Password Manager Apps themselves be hacked? That always strikes me as a very big risk as well………..

        Also what is BA/IAG’s policy on reinstating any stolen Avios if you can show that your Avios balance has gone done due to your genuinely being defrauded rather than using them yourself?

  • NigelthePensioner says:

    Having 2 ebay accounts and selling something to yourself? Less 10% for ebay and less 10% for paypal! Even then @ 0.8p per Avios?? Hmmm…….not convinced by this. How many people would buy something for £8000 off ebay using paypal? This represents 1000000 Avios before the astronomical charges imposed by the deal.

    • PabloEscobar says:

      Ebay have now dropped paypal as payment processor and are managing payments directly. With regular £1 final value fees it is now cheaper than before to cash out nectar points. I recently sold an imaginary smartphone to my mate to help him cash out his nectar points. Total cost £1.

      • John says:

        Only for about 25% of sellers so far. They want to drop paypal entirely but adyen does not allow some transaction categories which are lucrative for ebay.

        Make a habit of selling fictitious items and the tax man may come for you. Heard reports they are investigating “private sellers” getting over £4000 of ebay sales in a year

        • PabloEscobar says:

          I’m not even remotely close to 4k pa but good to know what the threshold is.

        • The_real_a says:

          Haha, I was told that the investigation was net negative. After investigation it was found that the majority were actually owed benefits or tax credits! The investigation was quietly dropped in favour of the higher grossing accounts.

          • Rob says:

            I realised yesterday that I have been paying back £1700 of child benefit for the last 3 years that we never actually received in the first place, since we elected to stop receiving it in December 2017!

            There goes a large part of my life trying to extract that money back from the Revenue.

          • RussellH says:

            Not a surprising conclusion at all.
            Far too many people are quite happy to complain about benefit fraud, and far too few are happy to complain about tax evasion.
            Of course benefit fraud exists, but the huge effort spent on combating it just makes it much harder for those who are entitled to benefits.

      • Anuj says:

        Erm eBay still take around 3% for payment processing

    • ChrisC says:

      The calculus on value is different between the one you have as an individual wanting best value and that of a hacker who just wants goods they can flog off for actual cash or to be able to withdraw the cash and the loss because of the fees isn’t relavant for them.

      • Rob says:

        Yes, you need to look at this as the equivalent of a jewellery thief flogging off his takings in the pub for 10% of their usual value.

      • Andrew says:

        The cap is 300 to earn. There is no cap to spend which is what the issue here is.

    • lumma says:

      eBay and PayPal fees are not 10% each

  • Baji Nahid says:

    More so likely to encounter the fraud carried out by the BA Shopping Portal clawing back your avios months later. YMMV.

    I do wonder however, if your avios were hacked or stolen, would AGL or BA replace these for you? How does it go from here?

    • Koenig says:

      I thought this just happened to me. Usually for some completely inexplicable reason and their system is just so hard to use, you end up giving up chasing the “computer says no” responses…

    • Anna says:

      It seems to depend on whether they think you’re involved in the dubious activity or consider you may have been careless with your security details. If they decide they’re not replacing your missing avios you’ll probably have a bit of a fight on your hands to get them reinstated. Probably a good argument for earn and burn!

  • Niklas Smith says:

    In November about 60 accounts on the Swedish Railways loyalty scheme (SJ Prio) hacked and points stolen. After this not only did SJ require all 1.3 million members to change passwords but they also introduced a requirement to use BankID (a high-security digital ID developed by Swedish banks and used by almost all Swedes) when redeeming points.

  • BuildBackBetter says:

    Don’t you get an email when a nectar account is linked to your avios account? If I remember correctly, there was an OTP too?

    • ChrisC says:

      I got an email from both Nectar and BA.


      • Louie says:

        One time password?

        • ChrisC says:


          If I remember there was a 6 digit code sent to my phone. I don’t regard that as a password thoughbut as authentication – they aren’t the same,

          I always delete the texts as soon as I’ve finished with the code.

  • Alan says:

    Sounds like BA and Nectar need to implement 2FA urgently. I’ve got it activated on every service that offers it, synced via Authenticator Plus. Last Pass is also superb for managing passwords across devices.

This article is closed to new comments. Feel free to ask your question in the HfP forums.

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.