
We have our first example of Avios / Nectar fraud


Last week I wrote an article explaining why Avios fraud may be about to increase, and why you should ensure your account is secure.

Stealing frequent flyer miles is not usually a priority for criminals. Having to pay the taxes on any flight you book with a credit card, and to give your real name and passport details when booking, makes the proceeds unattractive to thieves. This is why British Airways Executive Club accounts have not been a top target for hackers.

Now things have changed. Hack into a BA account and you can transfer 50,000 Avios onto a random Nectar card, giving the thief £400 to spend.


We have our first hacked reader

Last night I got an email from a reader who had, literally, discovered that he had been hacked an hour before he contacted me.

The reader had checked his email and found around 70 random emails. “They were all sign ups to weird sites, requests for quotes to Mexican transport companies etc.,” he wrote.

Halfway through the list was the email from British Airways Executive Club saying that his account had been linked to a Nectar account.

Cunningly, the hacker had hoped that by spamming the inbox with a large amount of content at once, the Nectar email would be missed.

The email said: “Congratulations, your British Airways Executive Club account has successfully been linked to a Nectar account ending in 9013.”

The reader quickly logged in to his British Airways Executive Club account. 50,000 Avios – the monthly maximum – had been transferred to the Nectar card.

(Our reader does have a Nectar card, but it doesn’t end in 9013. He had not yet linked it to his BA account.)

He called British Airways Executive Club and it locked his account. He has been promised an email from BA “in a couple of weeks”.

It is worth noting that our reader was impacted by the British Airways data breach a couple of years ago, during which his Executive Club account details would have been stolen. It isn’t clear if this is connected or not. It is possible that his details are amongst those BAEC accounts being sold on the ‘dark web’.

Conclusion

As I wrote in my article last week, the Avios / Nectar security is lax. There is no attempt to match surnames or email addresses. You can even link and unlink Nectar cards between multiple accounts.

It is possible that the hacker got away with it. Whilst the reader had his British Airways account locked, BA could not lock the hacker’s Nectar account.

As long as the hacker had already used the Nectar card once, he could immediately head into Sainsbury’s and spend £400. More likely, he will have ordered £400 of eBay credit and used it to buy something from another eBay account under his control.

PS. It turns out we have had a second example of fraud amongst our readers. After this article was published, someone else got in touch.

“Same thing happened to us too! We got an email saying our Executive Club account had been linked to a Nectar account. And 50k Avios were transferred out. We contacted both BA and Nectar but so far no news (BA said it could take up to 28 days for their audit team to investigate but they said we should get our Avios back).”
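The attack described above relied on burying the “account linked” email inside a burst of junk sign-ups. As an added illustration (not part of the original article, and not anything BA or Nectar run), here is a small mailbox triage routine that flags security notifications arriving inside such a burst. The sender addresses, subjects and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Mail:
    received: datetime
    sender: str
    subject: str


# Subject patterns that deserve attention even when buried in noise (constructed list).
SECURITY_PATTERNS = [
    re.compile(r"linked to a nectar account", re.I),
    re.compile(r"password (was )?changed", re.I),
    re.compile(r"(avios|points) (were )?transferred", re.I),
    re.compile(r"new (device|sign[- ]?in)", re.I),
]


def is_security_notice(mail: Mail) -> bool:
    return any(p.search(mail.subject) for p in SECURITY_PATTERNS)


def find_buried_notices(mails, window=timedelta(hours=1), burst_threshold=20):
    """Return security notices that arrived while the inbox was being flooded:
    at least `burst_threshold` messages within +/- `window` of the notice."""
    mails = sorted(mails, key=lambda m: m.received)
    buried = []
    for m in mails:
        if not is_security_notice(m):
            continue
        lo, hi = m.received - window, m.received + window
        neighbours = sum(1 for x in mails if lo <= x.received <= hi)
        if neighbours >= burst_threshold:
            buried.append(m)
    return buried


def sample_inbox():
    """Constructed sample: 70 junk sign-ups in under an hour, the BA notice in the middle,
    plus a genuine notice on a quiet day that should NOT be reported as buried."""
    t0 = datetime(2024, 5, 1, 22, 0)
    inbox = [Mail(t0 + timedelta(seconds=40 * i), f"noreply@site{i}.example",
                  "Confirm your sign up") for i in range(70)]
    inbox.insert(35, Mail(t0 + timedelta(minutes=23), "noreply@ba.example",
                          "Your Executive Club account has been linked to a Nectar account"))
    inbox.append(Mail(datetime(2024, 5, 3, 9, 0), "noreply@ba.example",
                      "Your password was changed"))
    return inbox


if __name__ == "__main__":
    for m in find_buried_notices(sample_inbox()):
        print(f"BURIED NOTICE {m.received:%Y-%m-%d %H:%M} {m.sender}: {m.subject}")
```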



How to earn Avios from UK credit cards (April 2025)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

Barclaycard Avios Plus card

Barclaycard Avios Plus Mastercard

Get 25,000 Avios for signing up and an upgrade voucher at £10,000 Read our full review

Barclaycard Avios card

Barclaycard Avios Mastercard

Get 5,000 Avios for signing up and an upgrade voucher at £20,000 Read our full review

There are two official British Airways American Express cards with attractive sign-up bonuses:

British Airways American Express Premium Plus

30,000 Avios and the famous annual 2-4-1 voucher Read our full review

British Airways American Express

5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £15,000 Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points. These points convert at 1:1 into Avios.

American Express Preferred Rewards Gold

Your best beginner’s card – 30,000 points, FREE for a year & four airport lounge passes Read our full review

The Platinum Card from American Express

80,000 bonus points and great travel benefits – for a large fee Read our full review

Run your own business?

We recommend Capital on Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, and the standard card is FREE. Capital on Tap cards also have no FX fees.

Capital on Tap Visa

NO annual fee, NO FX fees and points worth 1 Avios per £1 Read our full review

Capital on Tap Pro Visa

10,500 points (=10,500 Avios) plus good benefits Read our full review

There is also a British Airways American Express card for small businesses:

British Airways American Express Accelerating Business

30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

American Express Business Platinum

50,000 points when you sign-up and an annual £200 Amex Travel credit Read our full review

American Express Business Gold

20,000 points sign-up bonus and FREE for a year Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Comments (165)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Matarredonda says:

    Thanks Rob for highlighting.
    People with a lot of Avios going to need to be careful to avoid these scum stealing hard earned points which are now effectively money.

  • Rich says:

    The point raised about linking to Nectar straight away to stop this is an interesting one.
    Does anyone know if in theory this would work and stop points being transferred anywhere other than the two accounts?

  • Stu says:

    It occurred to me that if you were to un-link and re-link your Nectar account 3 times after the initial linking, that would trigger the 4 link annual limit and thus prevent anyone from linking another Nectar account for 12 months?

    Not sure if the limit of 4 linking per annum applies to different accounts though?

    I appreciate this would tie you in terms of not being able to link another Nectar account but to me that’s better than getting 50K Avios pinched!

  • Anna says:

    Rob, you’re correct that the hackers will probably get away with this, especially if they’re based abroad (I can’t see many criminals being hugely motivated by a basket of free groceries from Sainsbury’s). I don’t know what BA’s policy is but many companies don’t even involve the police when anything like this happens, and even when they do it’s very, very difficult to trace criminals through IP addresses. If they are based overseas, you can basically forget it unless there’s a very serious offence being investigated.
    You just have to hope BA decides you’re an innocent victim and reimburses the missing avios, but this isn’t guaranteed either because you’d struggle to prove to them that it wasn’t you who transferred the avios out.

    • Anna says:

      (Quickly checks avios balance…)

    • Chris Heyes says:

      Hi Anna, I agree with the first part: the hackers will probably get away with it.
      And yes, most companies don’t inform the police, and even cover it up themselves if they can.
      But I disagree with the part where you say it’s very difficult to “trace”. Any hacker can be traced, overseas or not.
      It’s just very expensive to do in practice. You need to employ a hacker chaser, which costs a lot, but it can be done depending on resources.
      London police have their own, but are very stretched, but still manage to shut some down, very few arrests though.

      • Anna says:

        Hi Chris – sorry, I didn’t mean technologically difficult, what hampers investigations is that it’s not easy to get authority to access someone’s data, you have to jump through hoops to get a RIPA authority including proving that you won’t impinge on anyone else’s privacy (accidentally or otherwise) – known as “collateral intrusion”. Facebook is notorious for refusing to supply member’s details and because the company is based in the US it’s virtually impossible to get them to co-operate.
        Apple is a similar case in point – they refuse to give customer details even to the FBI so in this country the government had to pass a separate law making it an offence to refuse to give your password to the police. You often see criminals taking the relatively minor punishment for this rather than giving up the contents of their phones.

        • memesweeper says:

          I’m not a criminal and I won’t be giving up my password if I get my collar felt. IMO accused people should not be required to self-incriminate.

        • Anna says:

          You’re not going to be asked to give up your password unless you’re actively being investigated! Though you might feel differently if you (or your family) were the victim of a massive fraud or sex abuse ring.

          • Brian says:

            If my family were the victim of massive fraud why would the police need access to my phone?

        • bafan says:

          Same. I also wouldn’t. How can I have the right to remain silent if they can force you to give your password. This country SMH.

  • Anna says:

    If hackers can access one BAEC account, can they then transfer avios from the whole HHA? Just wondering whether to change all our passwords now, even though the child members, for example, don’t have any avios of their own to speak of.

  • Sam says:

    Was the key issue poor security on the email account? Or reused emails?

    Email is often the gateway into our online lives. It needs to be very secure. As others have said:
    – use a password manager so you can have long(ish) unique passwords
    – use multi factor authentication

    Both Microsoft and Apple are introducing free password managers so you really have no excuse. If you don’t trust the cloud, you can get ones stored on a single PC if that is practical for you.

    • Sam says:

      Reused emails = reused passwords….

    • memesweeper says:

      Bitwarden offers free cloud storage of your encrypted password database. They *cannot* read it and you do not need to ‘trust’ the cloud. The code base they use is open and audited. You only need to trust the maths behind the crypto. Strongly recommended for security and convenience.

  • meta says:

    Can someone remind me whether you actually need the BAEC account password to link Nectar and BAEC? It seems that only the BAEC number is sufficient, in which case changing your BAEC password won’t help.

    • AJA says:

      Yes, I had to log in to my BAEC account when I first linked the two. That was via the Nectar app. And when transferring 1,600 Nectar points I got an OTP code via text. No idea if you get an OTP when sending Avios to Nectar.

      • meta says:

        Ah, ok. So you do need the password. So the hacker knew the reader’s BAEC password as well. This isn’t clear from the article.

  • signol says:

    A few years ago I had my Nectar account hacked, £40 of points were stolen and used in store in Leicester. (I live in Norwich and could prove it couldn’t have been me. I was at work the whole day). Nectar closed the account, opened me a new one, and refunded the missing points.

    • Lottie says:

      Same happened to me about 5 years ago, luckily I’d spent nectar that day in my local shop and the stolen £80 was used in a shop hundreds of miles away. All my points were refunded by Nectar pretty quickly.

