
We have our first example of Avios / Nectar fraud


Last week I wrote an article explaining why Avios fraud may be about to increase, and why you should ensure your account is secure.

Stealing frequent flyer miles has not usually been a priority for thieves. Booking a flight with stolen miles means paying the taxes with a credit card and supplying a real name and passport details, which is not attractive to a fraudster. This is why British Airways Executive Club accounts have not been a top target for hackers.

Now things have changed. Hack into a BA account and you can transfer 50,000 Avios to any Nectar card you choose, giving the thief £400 to spend.


We have our first hacked reader

Last night I got an email from a reader who had discovered, literally an hour before contacting me, that his account had been hacked.

The reader had checked his email and found around 70 random messages.  “They were all sign ups to weird sites, requests for quotes to Mexican transport companies etc” he wrote.

Halfway through the list was the email from British Airways Executive Club saying that his account had been linked to a Nectar account.

The flood was deliberate. By triggering a large volume of junk sign-up emails at once, the hacker hoped the single Nectar notification would be lost among them and go unnoticed until the Avios had been spent.
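The inbox-flood trick above is easy to detect mechanically once you know to look for it: a burst of unsolicited confirmations arriving within minutes is itself the signal, and any account-change notification that lands inside that burst deserves attention. The following is an added example, not code from Head for Points or from British Airways. The mailbox it scans is constructed to mirror the pattern the reader described (70 junk sign-ups a few seconds apart with one genuine Executive Club notice in the middle); every sender address, subject, timestamp and the list of alert phrases are assumptions and should be tuned to the services you actually hold.

```python
"""Spot an account-change notification buried in an inbox flood.

Added example; not code from Head for Points or from British Airways. The
mailbox below is constructed: roughly 70 unsolicited sign-up and
quote-request emails arriving within minutes, with one genuine Executive
Club "linked to a Nectar account" notice hidden in the middle. Every sender
address, subject and timestamp is made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Message:
    received: datetime
    sender: str
    subject: str


# Subject fragments that signal a security-relevant account change.
# Assumed list: extend it for the services you actually hold.
ALERT_PHRASES = (
    "linked to a nectar account",
    "password",
    "email address",
    "transferred",
    "new device",
)


def is_alert(msg: Message) -> bool:
    """True if the subject looks like an account-change notification."""
    subject = msg.subject.lower()
    return any(phrase in subject for phrase in ALERT_PHRASES)


def find_bursts(messages, window=timedelta(minutes=30), threshold=20):
    """Return [(start, end)] spans in which at least `threshold` non-alert
    messages arrived within any `window`-long period. Overlapping windows
    are merged into one span."""
    noise = sorted((m for m in messages if not is_alert(m)), key=lambda m: m.received)
    bursts = []
    start = 0
    for end in range(len(noise)):
        # Slide the window so it only holds messages within `window` of noise[end].
        while noise[end].received - noise[start].received > window:
            start += 1
        if end - start + 1 >= threshold:
            lo, hi = noise[start].received, noise[end].received
            if bursts and lo <= bursts[-1][1]:
                bursts[-1] = (bursts[-1][0], hi)  # extend the current burst
            else:
                bursts.append((lo, hi))
    return bursts


def buried_alerts(messages, window=timedelta(minutes=30), threshold=20):
    """Alert-looking messages that arrived during (or just around) a burst."""
    bursts = find_bursts(messages, window, threshold)
    hits = []
    for msg in sorted(messages, key=lambda m: m.received):
        if is_alert(msg) and any(lo - window <= msg.received <= hi + window for lo, hi in bursts):
            hits.append(msg)
    return hits


def build_sample_mailbox():
    """Constructed mailbox: 70 junk sign-ups 20 seconds apart with one BA
    notice in the middle, plus ordinary mail and an unrelated alert earlier."""
    flood_start = datetime(2021, 3, 1, 22, 0)  # made-up timestamp
    mailbox = [
        Message(flood_start - timedelta(days=3),
                "no-reply@shop.example", "Your password was changed"),
        Message(flood_start - timedelta(hours=5),
                "news@newsletter.example", "This week's deals"),
    ]
    for i in range(70):
        if i == 35:
            mailbox.append(Message(
                flood_start + timedelta(seconds=20 * i),
                "executiveclub@email.ba.example",
                "Congratulations, your British Airways Executive Club account "
                "has successfully been linked to a Nectar account ending in 9013",
            ))
        kind = "Confirm your registration" if i % 2 else "Quote request received"
        mailbox.append(Message(
            flood_start + timedelta(seconds=20 * i),
            f"signup@site{i}.example", f"{kind} (ref {1000 + i})",
        ))
    return mailbox


if __name__ == "__main__":
    box = build_sample_mailbox()
    for lo, hi in find_bursts(box):
        print(f"burst: {lo:%H:%M:%S} to {hi:%H:%M:%S}")
    for msg in buried_alerts(box):
        print(f"buried alert from {msg.sender}: {msg.subject}")
```

The burst detector deliberately ignores alert-looking messages when counting, so the attacker cannot dilute the signal by also triggering a few password-reset emails; and the window is extended on both sides of the burst because the genuine notification may arrive slightly before or after the junk. Run against a real mailbox (via IMAP or a mail-client export) the same two functions would surface the BA notice on the night it arrived rather than weeks later.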

The email said: “Congratulations, your British Airways Executive Club account has successfully been linked to a Nectar account ending in 9013.”

The reader quickly logged in to his British Airways Executive Club account. 50,000 Avios – the monthly maximum – had been transferred to the Nectar card.

(Our reader does have a Nectar card, but it doesn’t end in 9013. He had not yet linked it to his BA account.)

He called British Airways Executive Club, which locked his account. He has been promised an email from BA “in a couple of weeks”.

It is worth noting that our reader was caught up in the British Airways data breach a couple of years ago, during which his Executive Club account details would have been stolen. It isn’t clear whether this is connected. It is possible that his details are among the BAEC credentials being sold on the ‘dark web’, in which case the attacker would not have needed to guess or phish anything.

Conclusion

As I wrote in my article last week, the Avios / Nectar security is lax. There is no attempt to match surnames or email addresses. You can even link and unlink Nectar cards between multiple accounts.

It is possible that the hacker got away with it. Whilst BA locked the reader’s British Airways account, BA could not lock the Nectar account the points had gone to.

As long as the hacker had already used the Nectar card once, he could immediately head into Sainsbury’s and spend £400. More likely, he will have ordered £400 of eBay credit and used it to buy something from another eBay account under his control.

PS. It turns out we have had a second example of fraud amongst our readers. After this article was published, someone else got in touch.

“Same thing happened to us too! We got an email saying our Executive Club account had been linked to a Nectar account. And 50k Avios were transferred out. We contacted both BA and Nectar but so far no news (BA said it could take up to 28 days for their audit team to investigate but they said we should get our Avios back).”



Comments (165)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Duncan Stevenson-Price says:

    Best way to mitigate this: use a password manager to generate strong, unique passwords for every website or service you use.

    • Stu says:

      It angers me that BA restrict passwords to 20 digits. I changed mine just last week using a password manager, generated a 25 character password which it accepts but then only saves the first 20 characters. So when I try to re-login, it says my password is wrong – thankfully I sussed it out after I changed it again and saw the note about the 20 character limit. BA IT really is the pits!

      • memesweeper says:

        Azure AD tops out at sixteen characters, and that’s considered a very strong platform — if your sixteen are randomly generated and unique then that’s sufficient.

      • Duncan Stevenson-Price says:

        Are they still doing that? Gross.

        Why companies want to force their customers to use a shorter password is beyond me.

        At least 20 characters is a reasonable length. The ones that really annoy me are sites that say “8-12 characters” or something.

        I’ve found 16 characters to be a common maximum length for some reason. Very frustrating!

        • Pete M says:

          What about Iberia Plus at SIX letters or numbers?! 😂

          • Johnny5a says:

            IHG was 4 digit pins

          • Aliks says:

            Guys, you don’t need really long passwords. 8-10 with Numbers, Letters and Symbols is good enough provided the system locks up if you type the wrong password at most 10 times.

            Hackers don’t waste time trying millions of passwords, and on a decent system they only get a few attempts before it locks up. Mostly they want to trick you into allowing them to reset your password.

            Far more important is to not reuse passwords. If you use “I’madufus4” as your password on every system, then sooner or later you will be caught out.

            Some clueless website will store your password in clear text, and when their password file is hacked, all your accounts are vulnerable.

    • Doug M says:

      The longer the password the greater the resistance to brute force attacks. But I’m not sure this is much of a problem. Certainly good advice is never reuse a password, and wherever possible enable 2FA. As said by someone else, authentication apps are much better than SMS for the 2FA.

  • Andrew says:

    It seems your Avios are safer stored in Nectar than BA? At least there are proper controls through OTPs to transfer out of Nectar. BA must do something similar for transfers.

    • TGLoyalty says:

      But there’s no control on spending it in Sainsbury’s other than having used that card in that store the night before.

      • Andrew says:

        But as long as you keep a daily eye on your account there’s a limit to how much someone can spend in one go at Sainsbury’s. Not ideal but seems better than having 50k taken out of your BA account.

        • Anna says:

          I think once your BA account is frozen though, you then can’t use it until the matter has been resolved, which could be months down the line. This is obviously hugely inconvenient if you want to make any bookings.

        • TGLoyalty says:

          A daily eye on your nectar account!

          Hardly a solution.

          • AJA says:

            How inconvenient is it to do that though? It takes less than 10 seconds to click on the Nectar app?

          • TGLoyalty says:

            It’s not about inconvenience it’s just not an actual solution.

            The real solution is 2FA protection on sending avios to nectar.

          • AJA says:

            It’s a method that is practical and easy to implement though. No different to checking and reviewing bank or credit card accounts on a regular basis. It’s easier than regularly changing passwords though I do agree 2FA would be good.

          • Andrew says:

            Yes not a solution but a way to deal with it until BA/Nectar make it more secure

  • BJ says:

    Holding them in Nectar seems more secure as they have recently tightened security, requiring text/email authorisation as discussed by John. However, the transfer caps hamper this. The suggestion by Lol to hold them in AerClub or Iberia might also be a good short term solution. Stronger passwords that are frequently changed obviously.

  • Heathrow Flyer says:

    Beat them to it by transferring your 50k out on the 1st of the month. That way no further manual transfers can be made out. You can thank me later 😉

    • Andrew says:

      Unless as others suggest, your Nectar is also hacked and points stolen.

      • BJ says:

        I have been collecting Nectar points for years, probably since it started, and I’ve never had a problem. The physical card is the weakest point, they should just scrap them and rely on the app or registered credit or debit cards.

    • BJ says:

      TIA 😀

  • memesweeper says:

    Strong and *unique* passwords are essential. The only practical way to do this is a password manager.

    Pre-linking your Nectar and Avios accounts might help. Maybe linking and unlinking so many times a new account can’t be linked?

    • Andrew says:

      Can a BA account be linked to another nectar if it’s already linked to one? In Rob’s example it was a BA account new to nectar.

      • Rob says:

        No. It needs to be unlinked and then relinked – but this is quickly done.

        • Geoff says:

          But presumably you can link and unlink up to the limit which would prevent further changes for the next quarter?

          Is it 4 links and 4 unlinks – or 4 link/unlinks? Ideally you need it to lock when it is linked as you want.

          • Geoff says:

            Or is the linking limit at the Nectar end only, in which case this wouldn’t help?

    • Jay says:

      This would seem the best way. Max out the linked accounts to 4. The weak point is then the barcode of the nectar card but that is a more localised issue.

  • ChrisC says:

    I see why people are suggesting to hold Avios in Nectar as it looks to be more secure, but it’ll be a problem when you want to spend them on that CW reward ticket but can’t because of the monthly transfer limit.

    And there is little security on nectar if you lose your card and don’t realise for a couple of days and someone has spent a chunk of points on shopping with little or no tracking to see who used it.

    Hopefully this will encourage BA to improve security on BAEC accounts.

    • memesweeper says:

      ‘ Hopefully this will encourage BA to improve security on BAEC accounts.’

      In the short term I think it’s far more likely they’ll stop transfers out altogether if this is a widespread issue. Given the speed of this first report it’s a distinct possibility.

  • AJA says:

    Once you’ve linked your accounts you should be relatively secure though as you can check both Nectar and BAEC balances in the Nectar app so you can see any movement in either account. Presumably you also get a notification that you’re un-linking accounts since you get notifications when you link them so that would tell you if someone is trying to hack either account. Or am I being too naive?

  • Sue says:

    So to be clear. When you talk about an Avios account what you mean is a BA Executive account???

    • Stu says:

      No, he means an Avios account, the old style one which is effectively used for Aer Lingus points.

      • Sue says:

        Now I’m really confused as the article talks about a BA account being hacked. Plus I thought old style Avios accounts were now dead. Help please?

    • IanM says:

      Yes presumably BA Exec account, avios is dead.

      • Stu says:

        No, Avios isn’t dead, it is the holding account for Aer Lingus Avios!

