
We have our first example of Avios / Nectar fraud


Last week I wrote an article explaining why Avios fraud may be about to increase, and why you should ensure your account is secure.

Stealing frequent flyer miles has not usually been a priority for criminals. Redeeming them means paying the taxes on the flight with a credit card and supplying a real name and passport details while booking, which is unattractive to a thief. This is why British Airways Executive Club accounts have not been a top target for hackers.

Now things have changed. Hack into a BA account and you can transfer 50,000 Avios onto a random Nectar card, giving the thief £400 to spend.


We have our first hacked reader

Last night I got an email from a reader who had, literally, discovered that he had been hacked an hour before he contacted me.

The reader had checked his email and found around 70 random pieces of content.  “They were all sign ups to weird sites, requests for quotes to Mexican transport companies etc” he wrote.

Halfway through the list was the email from British Airways Executive Club saying that his account had been linked to a Nectar account.

Cunningly, the hacker had hoped that by spamming the inbox with a large amount of content at once, the Nectar email would be missed.

The email said: “Congratulations, your British Airways Executive Club account has successfully been linked to a Nectar account ending in 9013.”

The reader quickly logged in to his British Airways Executive Club account. 50,000 Avios – the monthly maximum – had been transferred to the Nectar card.

(Our reader does have a Nectar card, but it doesn’t end in 9013. He had not yet linked it to his BA account.)

He called British Airways Executive Club and it locked his account. He has been promised an email from BA “in a couple of weeks”.

It is worth noting that our reader was impacted by the British Airways data breach a couple of years ago, during which his Executive Club account details would have been stolen. It isn’t clear if this is connected or not. It is possible that his details are amongst those BAEC accounts being sold on the ‘dark web’.
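A defender-side way to counter the burying tactic described above, as an added example that is not code from Head for Points, BA or Nectar: scan an inbox export and rank account-change notices from watched senders by how much mail landed around them, so a linking email hidden in a flood of junk sign-ups is surfaced first. The sender domains, subject phrases and the sample mailbox are constructed assumptions.

```python
"""Triage an inbox dump for account-change notices hidden inside a spam flood."""
from datetime import datetime, timedelta
from typing import List, NamedTuple

class Message(NamedTuple):
    received: datetime
    sender: str
    subject: str

class Alert(NamedTuple):
    message: Message       # the notice worth reading
    burst_size: int        # messages that landed within the window around it

# Assumed values: senders whose notices matter, and subject fragments that signal a change.
WATCHED_DOMAINS = {"britishairways.com", "nectar.com"}
ACCOUNT_CHANGE_PHRASES = ("linked to", "transferred", "password", "new device")

def is_account_change(msg: Message) -> bool:
    """True when a watched sender reports a change to the account."""
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    subject = msg.subject.lower()
    return domain in WATCHED_DOMAINS and any(p in subject for p in ACCOUNT_CHANGE_PHRASES)

def surrounding_volume(messages: List[Message], msg: Message, window: timedelta) -> int:
    """Count messages (including msg itself) received within +/- window of msg."""
    return sum(1 for m in messages if abs(m.received - msg.received) <= window)

def triage(messages: List[Message], window: timedelta = timedelta(hours=1)) -> List[Alert]:
    """Return every account-change notice, busiest surroundings first.
    A large burst_size is the inbox-flooding pattern: junk sign-ups timed to bury the notice."""
    alerts = [Alert(m, surrounding_volume(messages, m, window)) for m in messages if is_account_change(m)]
    return sorted(alerts, key=lambda a: a.burst_size, reverse=True)

def buried(messages: List[Message], threshold: int = 20, **kw) -> List[Alert]:
    """Only the notices that arrived inside a burst of at least `threshold` messages."""
    return [a for a in triage(messages, **kw) if a.burst_size >= threshold]

def sample_inbox() -> List[Message]:
    """Constructed mailbox: one ordinary mail, then 69 junk sign-ups with a BA notice in the middle."""
    start = datetime(2021, 6, 1, 2, 0)
    inbox = [Message(datetime(2021, 5, 31, 9, 0), "news@example.net", "Weekly offers")]
    for n in range(69):
        inbox.append(Message(start + timedelta(seconds=30 * n), f"noreply{n}@example.org",
                             "Confirm your sign-up" if n % 2 else "Your transport quote request"))
    inbox.append(Message(start + timedelta(minutes=17), "noreply@britishairways.com",
                         "Your Executive Club account has been linked to a Nectar account"))
    return inbox

if __name__ == "__main__":
    for alert in buried(sample_inbox()):
        print(f"{alert.message.received:%H:%M} {alert.message.subject!r} arrived among {alert.burst_size} messages")
```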

Conclusion

As I wrote in my article last week, the Avios / Nectar security is lax. There is no attempt to match surnames or email addresses. You can even link and unlink Nectar cards between multiple accounts.

It is possible that the hacker got away with it. Whilst the reader had his British Airways account locked, BA could not lock the Nectar account that received the Avios.

As long as the hacker had already used the Nectar card once, he could immediately head into Sainsbury’s and spend £400. More likely, he will have ordered £400 of eBay credit and used it to buy something from another eBay account under his control.

PS. It turns out we have had a second example of fraud amongst our readers. After this article was published, someone else got in touch.

“Same thing happened to us too! We got an email saying our Executive Club account had been linked to a Nectar account. And 50k Avios were transferred out. We contacted both BA and Nectar but so far no news (BA said it could take up to 28 days for their audit team to investigate but they said we should get our Avios back).”


How to earn Avios from UK credit cards (April 2024)

As a reminder, there are various ways of earning Avios points from UK credit cards. Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

  • Barclaycard Avios Plus Mastercard: 25,000 Avios for signing up and an upgrade voucher at £10,000
  • Barclaycard Avios Mastercard: 5,000 Avios for signing up and an upgrade voucher at £20,000

There are two official British Airways American Express cards with attractive sign-up bonuses:

  • British Airways American Express Premium Plus: 25,000 Avios and the famous annual 2-4-1 voucher
  • British Airways American Express: 5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £15,000

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points. These points convert at 1:1 into Avios.

  • American Express Preferred Rewards Gold: your best beginner’s card – 20,000 points, FREE for a year & four airport lounge passes
  • The Platinum Card from American Express: 40,000 bonus points and a huge range of valuable benefits – for a fee

Run your own business?

We recommend Capital on Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.

  • Capital on Tap Business Rewards Visa: huge 30,000 points bonus until 12th May 2024

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus.

  • British Airways Accelerating Business American Express: 30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

  • American Express Business Platinum: 40,000 points sign-up bonus and an annual £200 Amex Travel credit
  • American Express Business Gold: 20,000 points sign-up bonus and FREE for a year

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Comments (166)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Baji Nahid says:

    OMG, didn’t take long at all did it. Horrible people out there wanting to take advantage of others. Hope Karma gets the scammer badly.

  • Baji Nahid says:

    Unfortunately, the worst part is that Nectar customer services is just absolute balls! I would put money on it that probably these third-party contact centre staff could also be involved in these scams (it has happened in the past where customer data is jeopardised).

  • gareth says:

    Should you be really spelling out the method publicly??

  • Tom Morris says:

    What’s the best way to avoid being hacked? Complex passwords?

    • OpaWoody says:

      There are people being awarded PhDs for trying to solve this question. My favourites are…
      – Use long passwords (at least 32 characters for me) or let iOS choose it for you
      – Don’t reuse passwords across different accounts
      – Use a password manager tool (so you don’t have to remember the long password) e.g. LastPass, KeePass or google “password manager”, but iOS also stores passwords
      – Look at haveibeenpwned.com to see if any of your accounts have been hacked
      – Look at your iOS password settings (Settings > Passwords) – Apple warns you of potential issues
      – Don’t ignore browser warnings e.g. Chrome, which warns of password issues
      – Don’t share passwords with anyone
      – Use 2-factor authentication where possible
      – Aim to use 2-factor authentication through an authenticator tool where possible rather than SMS
      Once these become good habits they do not take much time, and being able to paste passwords saves time and reduces the chance of being hacked.

      • mradey says:

        Agreed.

        Web forms that don’t allow pasting of passwords (usually when creating an account/changing a password) are a bugbear. It makes long complex passwords hard to use – the iOS choice gets around this, if you are happy with that method.

    • Johnny5a says:

      Yes, random character passwords and not to recycle passwords.

  • BJ says:

    Solution is simple, BA and Nectar should use OTP, fingerprint or voice recognition to authorise transactions.

    • John says:

      Nectar to Avios requires a text message or emailed code.

    • Lol says:

      In the meantime what should we do? I’m wondering whether to transfer my Avios from BAEC to AerClub or Iberia.

      • Brian W says:

        I’ve always moved mine in the opposite direction as I preferred them in BAEC not AerClub or IB. I’m now thinking the same, shifting them into AerClub just now as it reduces the risk this new Nectar link has created.

    • Jonathan says:

      This is what COT do. It would virtually wipe it out overnight

  • Tom says:

    Although the transferred points can be used immediately on the eBay or Argos websites, there is a 24-hour lag before the points can be spent in Sainsbury’s.

  • krys_k says:

    So what’s the mitigation that we should be actioning to prevent this happening to us?

  • AW says:

    Why was this not envisaged? Surely it can’t have been hard to see this happening? @Rob, security being lax is an understatement, don’t you think? This looks as if, had someone got hold of my password for British Airways, they could move 50,000 Avios without so much as a challenge from BA and then have spent them before I even noticed. It is things like this that show how the data breach happened and nobody noticed.
