
Is your Avios account now at greater risk from hackers?


We have written before about how British Airways Executive Club account details are openly sold on the ‘dark web’.

However, whilst there is a market for your stolen log-in details, Avios has never been a big target for hackers.

Why? Because the options for spending your points if your account is hacked are slim. Not zero, but slim.


Unless you were planning to fly within hours, you’d be a bit dim to book a flight using Avios from a hacked account. Not only would you need to find a stolen credit card to pay the taxes, but you’d need to supply your real name for the ticket. The chance of being arrested at the airport is high.

The Avios hotel booking platform also carries risk. You could book a room under a false name from a hacked Avios account and turn up a couple of hours later. The risk of getting caught is lower, especially as getting the police on site would be harder than at an airport, but it remains too risky for most hackers.

The Laithwaites wine redemption offers are open to fraud if you hack an Avios account but you still need to provide a drop-off address for the wine. This route is also of no interest to hackers based outside the UK.

There is one factor which makes your loyalty scheme a target for hackers

I went to a conference on loyalty fraud a couple of years ago which was eye-opening. (If you work in loyalty, you might be interested in the Loyalty Security Association.)

You would never think of some of the things that go on. For example, in the Middle East, there are only a handful of surnames. This makes it easier to ‘share’ loyalty accounts.

In China, there are apparently criminal gangs who train people to get jobs at hotel reception desks in order to siphon off loyalty and payment information.

There is also a lot of scope for ‘fixing’ names on bookings due to common surnames and the trend to have a made-up ‘English’ name as a first name.

In general, though, loyalty programmes only become major targets for fraud when it is possible to transfer points into something close to untraceable cash.

For years, the weak spot was Amazon gift codes. Many programmes offered the option of redeeming points for Amazon credit. If your account was hacked, it could be emptied for Amazon gift codes within minutes. Those codes become virtually untraceable because they can be added to any Amazon account.

Over the years many programmes have dropped Amazon gift codes for this reason. I was surprised when Hilton Honors brought it back a while ago.


What has this got to do with Avios?

From last Monday, you can convert Avios into Nectar points. This article explains how to link your Avios and Nectar accounts and make transfers.

Nectar points are virtually as good as cash. You can swipe a Nectar card in a Sainsbury’s supermarket or Argos store and walk out with free items.

The details on the Nectar account do not even need to match the personal details on the linked BA account.

Once points are on a Nectar card, they can also be sent to an eBay account as credit. From there, the hacker could buy an item off themselves, using a 2nd eBay account which they also control. This would turn the eBay credit into real cash sitting in a PayPal account. Whilst a Sainsbury’s shop requires the hacker to be in the UK, the eBay route can be managed from anywhere.

Avios accounts are now less secure – not for any technological reason, but because hackers now know that there is an easy way of turning Avios points into pseudo-cash which cannot be easily traced. They will make more of an effort to access them.

Is there anything you can do?

Stick to the obvious and you will be fine. Keep your Avios account secure with a strong password which you do not also use on other sites.

(I can hear Rhys laughing at this point, since he knows that there are few people worse than me for setting weak passwords.)

If you rarely access your account, consider using a service such as AwardWallet to keep track of balance changes. Consider whether it is better having points sitting in Nectar or Avios from a security perspective. It is highly likely that you won’t have problems, but there are things you can do to help yourself.


How to earn Avios from UK credit cards (February 2023)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

  • Barclaycard Avios Plus Mastercard: 25,000 Avios for signing up and an upgrade voucher for spending £10,000

  • Barclaycard Avios Mastercard: 5,000 Avios for signing up and an upgrade voucher for spending £20,000

There are two official British Airways American Express cards with attractive sign-up bonuses:

SPECIAL OFFER: Until 21st February 2023, the sign-up bonus on the British Airways Premium Plus American Express card is increased to 35,000 Avios from 25,000 Avios. You can apply here.

  • British Airways American Express Premium Plus: 35,000 Avios (ONLY to 21st February) and the famous annual 2-4-1 voucher

  • British Airways American Express: 5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £12,000

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points.

  • American Express Preferred Rewards Gold: your best beginner’s card – 20,000 points, FREE for a year & four airport lounge passes

  • The Platinum Card from American Express: 30,000 points and unbeatable travel benefits – for a fee

Run your own business?

We recommend Capital On Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.

  • Capital On Tap Business Rewards Visa: get a 10,000 points bonus plus an extra 500 points for our readers

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus.

  • British Airways Accelerating Business American Express: 30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

  • American Express Business Platinum: 40,000 points sign-up bonus and a £200 Amex Travel credit every year

  • American Express Business Gold: 20,000 points sign-up bonus and free for a year

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Comments (94)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Freddy says:

    Another tip is to regularly change your password. I regularly do when I inevitably lock myself out of my own account and have to reset the password.

    • memesweeper says:

      Regular password changes are no longer recommended as best practice according to the poachers-turned-gamekeepers at GCHQ’s NCSC.

      Unique, per-account, long passwords, stored in a strong password manager, definitely *are* best practice. I’d unreservedly recommend Bitwarden, whose free offering includes all the features most people will ever need. Warning: lose your Bitwarden password and you’ve lost all the passwords. There’s no reset-via-email option (this is a good thing).

      • Julian says:

        You’ve just identified the main risk factor of password managers. That is firstly needing a long and complicated password to access the one you use to keep it safe that you may then forget.

        And secondly that if someone hacks your password holding utility through a key logger they can then access every single one of your passwords.

        • Robert says:

          You’re right, but having a single very strong password, with two factor authentication, on a password wallet, that allows you to generate and remember a different strong password for every account on every website, is still better than having weak passwords or the same passwords for all the sites you visit. Some of the password wallets also allow you to set up recovery options with time triggers… for example Lastpass will let another trusted account have access to your wallet after a given time period (‘dead man’s switch’).
          You need to decide what’s the bigger risk for you, but I’d suggest that a password manager is the best option for most people. Check out 1Password or Lastpass.

      • Rob says:

        Correct. Studies have shown that people who regularly change their password (in my banking days it was compulsory every 6 weeks) choose a very easy one.

      • cinereus says:

        Exactly this. Regular password changes are pointless. Unique strong passwords are more than enough if used properly.

      • Dave says:

        Sorry if I’m being dense – but why is ‘all my passwords kept in one place’ (Password Manager) a good idea?

        • Rob says:

          Password manager software is ultra-secure and effectively unhackable. You can create very complex passwords for websites because you will never need to remember them – all of your log-ins, across all devices, will be done via the password manager software. You only need to remember one password – the password for the manager software.

  • Andrew says:

    The eBay credit can only be used at and also doesn’t work for international sellers on – so it only works for sellers in GBP. This limits the international fraud interest a bit.

    • Rob says:

      If you are setting up fraudulent eBay accounts anyway then whether you do them off or .com presumably makes little difference?

      • Andrew says:

        For that purpose yes. But stealing nectar points to buy stuff, less attractive.

    • The real John says:

      But some UK sellers also ship overseas – are you saying you can’t use nectar if your address is outside the UK?

  • Tom says:

    Password manager with 2FA and a YubiKey. They ain’t getting in with a randomly generated password rotated regularly.
    I recommend Dashlane.

  • Mikeact says:

    And of course, the other thing is when actually setting up an account. Being asked stupid set-up questions… mother’s maiden name… first school… favourite pet, etc., etc. Do not give these out, just make up something. My first school could be BananaPie, or any other such rubbish (as long as you don’t forget!)

    • Al says:

      Make and model of first car always surprises me as a ‘security question’. I’m sure there are plenty of people with exotic first cars, but I reckon Corsa, Fiesta or Polo would get you past the security of a fair number of UK accounts.

      • RussellH says:

        So I should be all right then. I use my second car, which while a well known model at the time, was already on the way out, production having ceased 5 years before I bought the car 49 years ago.

        • Mikeact says:

          Forget the actual model….call it a CrispPacket…it really doesn’t matter. Nobody trying to access your account would have any idea.

  • Mikeact says:

    And I personally, wouldn’t say which Cloud based password manager I use on here, or anywhere else for that matter. There’s enough recommendations available out there.

  • AJA says:

    If you’ve linked your BA and Nectar cards you will see both balances in the Nectar app when you click on the BA to Nectar transfer option so no need for any other app nor even to log into BA. Obviously you are at risk if you lose your phone but it means you don’t need the physical Nectar card as you can show the card in the app when you want to scan it to earn or burn nectar points.

    • Andrew says:

      Except at the petrol station. Mobiles are forbidden at the pumps so you need to use your card or keyfob.

      Yesterday I got 500 Nectar points when I filled up with £30 of fuel at Sainsbury’s. It was on one of the printed offers rather than the app – a good reason to say “yes” to a receipt.

      • lumma says:

        You get the paper vouchers regardless of whether or not you choose a receipt in my experience

      • James says:

        The paper vouchers are unrelated to whether you ask for a receipt.

      • AJA says:

        True you definitely should not use your mobile when using pay at pump. But you can scan the app on your mobile when paying inside the kiosk.

  • Rob says:

    Perhaps worth mentioning as part of this debate. When we were looking into why HfP was running slowly in early January, it turned out that we were getting 500,000 automated attempts PER MONTH to log in to the site’s admin area. That is one every 5 seconds, 24/7.

    This is only a tiny part of the reason the site was running slowly but goes to show the scale of the issue. We have now dealt with this.

    • kitten says:

      what could they get from the admin area? am I being dim?

      • Rob says:

        Everything. Change our passwords and ransom us. Inject malware into the site. Huge number of options.
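As an added illustration of the automated admin login attempts Rob describes above (example code written for this page, not the HfP site’s own tooling): a small Python detector that parses constructed web-server log lines, picks out failed POSTs to an assumed admin login path, flags any source address that exceeds a threshold inside a sliding time window, and works out the average gap implied by the quoted 500,000 attempts per month. The log format, the `/admin/login` path, the IP addresses and the 401 status code are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format. The admin path, the
# addresses and the status codes are assumptions, not the real site's layout.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2023:10:00:00 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [12/Jan/2023:10:00:05 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [12/Jan/2023:10:00:10 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [12/Jan/2023:10:00:15 +0000] "POST /admin/login HTTP/1.1" 401 512
198.51.100.2 - - [12/Jan/2023:10:00:12 +0000] "GET /article/avios-security HTTP/1.1" 200 8921
198.51.100.9 - - [12/Jan/2023:10:01:00 +0000] "POST /admin/login HTTP/1.1" 302 0
203.0.113.7 - - [12/Jan/2023:10:00:20 +0000] "POST /admin/login HTTP/1.1" 401 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/admin/login"  # assumed admin login endpoint


def parse_line(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def failed_logins(log_text):
    """Return (ip, timestamp) pairs for failed POSTs to the login endpoint.

    A 401 is taken to mean a rejected credential; a 302 after POST is treated
    as a successful login and is deliberately not counted.
    """
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"] == LOGIN_PATH and rec["status"] == 401):
            out.append((rec["ip"], rec["ts"]))
    return out


def flag_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each source IP to its peak number of failed logins inside any
    `window`, keeping only IPs whose peak reaches `threshold`."""
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()  # log lines are not guaranteed to be in time order
        peak, start = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def mean_interval_seconds(attempts_per_month, days=30):
    """Average seconds between attempts for a given monthly volume."""
    return days * 86400 / attempts_per_month


if __name__ == "__main__":
    print(flag_brute_force(SAMPLE_LOG))
    print(f"{mean_interval_seconds(500_000):.1f}s between attempts at 500,000/month")
```

In practice the lines would be streamed from the server rather than held in a string, and the threshold and window are tuning choices for the site in question. The point of the exercise is that a steady one-attempt-every-few-seconds pattern is nothing like human login behaviour, which is what makes per-source rate limiting or blocking at the edge an effective response.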

  • Littlefish says:

    Interesting comments as ever. I have a BA household account.
    From a security point of view, are our points best held in Nectar (Sainsburys) or in Avios (BA)?
    Am I safer NOT setting up an Avios : Nectar transfer until just before I’d want to use it? (Or can Mr Hacker do that anyhow?)

    • Rob says:

      Safer in BA. Lose your Nectar plastic card and anyone can walk into a Sainsbury’s and spend them (OK, you need to make a cash purchase first to activate the card, but it’s not tricky).

      There is no need to link to Nectar unless you are making a transfer, but remember the limits on linking and unlinking each year.

      • John says:

        If you lose your card it’s likely to happen near a Sainsbury’s you’ve used before anyway.

      • Colin MacKinnon says:

        Remember the Nectar vault? I thought it a great idea because my Nectar fob kept breaking off my key ring.
        Now just have the app.

