
We have our first example of Avios / Nectar fraud


Last week I wrote an article explaining why Avios fraud may be about to increase, and why you should ensure your account is secure.

Stealing frequent flyer miles is not usually a priority for thieves. Having to pay the taxes on a flight booking with a credit card, and to give a real name and passport details whilst booking, makes the miles unattractive to steal. This is why British Airways Executive Club accounts have not been a top target for hackers.

Now things have changed. Hack into a BA account and you can transfer 50,000 Avios onto a random Nectar card, giving the thief £400 to spend.


We have our first hacked reader

Last night I got an email from a reader who had, literally, discovered that he had been hacked an hour before he contacted me.

The reader had checked his email and found around 70 random pieces of content.  “They were all sign ups to weird sites, requests for quotes to Mexican transport companies etc” he wrote.

Halfway through the list was the email from British Airways Executive Club saying that his account had been linked to a Nectar account.

Cunningly, the hacker had hoped that by spamming the inbox with a large amount of content at once, the Nectar email would be missed.

The email said: “Congratulations, your British Airways Executive Club account has successfully been linked to a Nectar account ending in 9013.”

The reader quickly logged in to his British Airways Executive Club account. 50,000 Avios – the monthly maximum – had been transferred to the Nectar card.

(Our reader does have a Nectar card, but it doesn’t end in 9013. He had not yet linked it to his BA account.)

He called British Airways Executive Club and it locked his account. He has been promised an email from BA “in a couple of weeks”.

It is worth noting that our reader was impacted by the British Airways data breach a couple of years ago, during which his Executive Club account details would have been stolen. It isn’t clear if this is connected or not. It is possible that his details are amongst those BAEC accounts being sold on the ‘dark web’.

Conclusion

As I wrote in my article last week, the Avios / Nectar security is lax. There is no attempt to match surnames or email addresses. You can even link and unlink Nectar cards between multiple accounts.

It is possible that the hacker got away with it. Whilst the reader had his British Airways account locked, BA could not lock his Nectar account.

As long as the hacker had already used the Nectar card once, he could immediately head into Sainsbury’s and spend £400. More likely, he will have ordered £400 of eBay credit and used it to buy something from another eBay account under his control.

PS. It turns out we have had a second example of fraud amongst our readers. After this article was published, someone else got in touch.

“Same thing happened to us too! We got an email saying our Executive Club account had been linked to a Nectar account. And 50k Avios were transferred out. We contacted both BA and Nectar but so far no news (BA said it could take up to 28 days for their audit team to investigate but they said we should get our Avios back).”


How to earn Avios from UK credit cards (April 2024)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

Barclaycard Avios Plus Mastercard

Get 25,000 Avios for signing up and an upgrade voucher at £10,000 Read our full review

Barclaycard Avios Mastercard

5,000 Avios for signing up and an upgrade voucher at £20,000 Read our full review

There are two official British Airways American Express cards with attractive sign-up bonuses:

British Airways American Express Premium Plus

25,000 Avios and the famous annual 2-4-1 voucher Read our full review

British Airways American Express

5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £15,000 Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points. These points convert at 1:1 into Avios.

American Express Preferred Rewards Gold

Your best beginner’s card – 20,000 points, FREE for a year & four airport lounge passes Read our full review

The Platinum Card from American Express

40,000 bonus points and a huge range of valuable benefits – for a fee Read our full review

Run your own business?

We recommend Capital on Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.

Capital on Tap Business Rewards Visa

Huge 30,000 points bonus until 12th May 2024 Read our full review

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus.

British Airways Accelerating Business American Express

30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

American Express Business Platinum

40,000 points sign-up bonus and an annual £200 Amex Travel credit Read our full review

American Express Business Gold

20,000 points sign-up bonus and FREE for a year Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Comments (166)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • IO says:

    Off topic. I need to pay a big HMRC tax bill. What stops me signing up to Curve metal for one month, paying through this to avoid the 1.5% fee and then dropping back down? From what I can see this is ok? Only risk is Curve might charge me for the metal card?

  • Phil says:

    Can anyone recommend a good password manager?

    • Buxton says:

      I use 1Password personally, heard good things about LastPass also.

    • Baresi says:

      I use Nordpass, I've also got Nordvpn too….

    • sayling says:

      Very happy with LastPass

    • Doug M says:

      Another vote for 1Password. Others may have this too, but 1Password has multiple vaults which can if you wish be shared. I have 2 accounts, one for personal and one for work. Multi vaults in each, so easy to share some things and not others. Apps for Android and IOS, browser extension so easy to use on Firefox and Chrome, maybe others too. Generates random password of varying lengths and using limited characters if required.
      I have no association with 1Password beyond using it.

    • Magic Mike says:

      KeePass – it’s open source and does not rely on the cloud. Clients for most operating systems.

    • memesweeper says:

      Bitwarden.

      All the features you need in the free version.

      Open source and audited.

      Convenient *and* secure.

    • Chrisasaurus says:

      Most of the known ones are safe and therefore are infinitely better than none

      Apple keychain is a godsend of course but I also use roboform personally and have for years

    • Alan says:

      Last Pass is excellent IME – using it on Windows and Android.

  • Dance-Ace-Base says:

    These “hackers” were able to login to the victim’s BAEC account, so their password was weak or probably not even changed after the previous BAEC hack.

    Linking to your own Nectar account won’t help if someone has access to your BAEC account because once in your account they can unlink yours and link theirs.

    You would be very safe if BAEC implemented 2FA for account login and OTP verification for transfers. Given a large number of Avios holders would consider Avios to have significant cash value it is utterly remiss of BAEC to not offer this.

    The only thing you need to do to protect your BAEC account is have a strong password and change it once in a while. If you haven’t changed it in the past few months, change it today.

    You should protect your Nectar account with a string password and by not discarding receipts that show the last 4 digits of your Nectar card.

    • Dance-Ace-Base says:

      * don’t use “string” as your password

    • Tom says:

      I agree, sometimes my BAEC balance is healthier than my bank balance:)

    • Dance-Ace-Base says:

      As well as being a weak or previously hacked password, a common route is a password exposed in a hack (or more often a breach due to lax security) of a different system.

      Don’t use the same password at different accounts.

      LinkedIn got breached, Adobe got breached, a thousand others did. If an email/password combo gets breached in one place, hackers try that same combo everywhere else.

      Don’t use the same password at different accounts.

      • Doug M says:

        If you do only one thing towards security it’s don’t use the same password in more than one place.

    • David says:

      Dance-Ace-Base: “These “hackers” were able to login to the victims BAEC account, so their password was weak or probably not even changed after the previous BAEC hack.”

      What an incredibly bold statement to make.

      I certainly would never make such a statement.

      • BP says:

        This is almost certainly “password stuffing” where credentials compromised elsewhere are tried against BA until an attempt is successful. Email address is an almost universal identifier and human nature is to use the same password everywhere.

        If the BA breach data was used then this could make the process far more efficient by only targeting email addresses of confirmed BA customers.

        It might not even be recent activity. The attacker could have been sitting with a pile of credentials until an opportunity like Nectar came about.
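As an added example (not from the article or any of its commenters): a small detector for the pattern BP describes, where one source works through a pile of email/password pairs against many different accounts. It runs over a constructed sample log; the log format, the RFC 5737 test addresses, the 10-minute window and the five-account threshold are all assumptions.

```python
# Added example, not from the article or any of its commenters: a small
# detector for credential stuffing, where one source tries a pile of
# email/password pairs against many different accounts. The log format,
# addresses and thresholds are all assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client IP> <username> <FAIL|OK>".
# 203.0.113.7 plays the stuffing source; 198.51.100.4 is a legitimate user
# who mistypes twice; 192.0.2.9 is a clean login. (RFC 5737 test addresses.)
SAMPLE_LOG = """\
2024-04-01T10:00:01 203.0.113.7 alice@example.com FAIL
2024-04-01T10:00:02 203.0.113.7 bob@example.com FAIL
2024-04-01T10:00:03 203.0.113.7 carol@example.com FAIL
2024-04-01T10:00:04 203.0.113.7 dave@example.com FAIL
2024-04-01T10:00:05 203.0.113.7 erin@example.com FAIL
2024-04-01T10:00:06 203.0.113.7 frank@example.com FAIL
2024-04-01T10:00:07 203.0.113.7 grace@example.com OK
2024-04-01T10:05:00 198.51.100.4 alice@example.com FAIL
2024-04-01T10:05:20 198.51.100.4 alice@example.com FAIL
2024-04-01T10:05:40 198.51.100.4 alice@example.com OK
2024-04-01T10:06:00 192.0.2.9 hank@example.com OK
"""

WINDOW = timedelta(minutes=10)   # assumed: how far back to look per source
MIN_DISTINCT_ACCOUNTS = 5        # assumed: failures on this many accounts = stuffing


def parse(log_text):
    """Turn the text log into (timestamp, ip, username, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_stuffing(events, window=WINDOW, min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Flag sources whose failures touch >= min_accounts distinct usernames
    inside any window-sized span. A normal user mistyping their own password
    hits one account, so they stay below the threshold however many tries."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, _, user, res in evs if res == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {u for _, u in fails[start:end + 1]}
            if len(distinct) >= min_accounts:
                # Report every account tried from this source and, more
                # importantly, every login that succeeded: those are the
                # accounts whose passwords must be reset and sessions revoked.
                findings[ip] = {
                    "attempted": sorted({u for _, u in fails}),
                    "succeeded": sorted({u for _, _, u, r in evs if r == "OK"}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, "tried", len(info["attempted"]), "accounts; got into", info["succeeded"])
```

The rule keys on distinct accounts per source rather than raw failure counts, because that is what separates stuffing from an ordinary user mistyping their own password; the "succeeded" list is the actionable output, since those accounts need a forced reset regardless of how the rest of the campaign went.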

      • Chrisasaurus says:

        Nothing bold about it – If someone logged into the account to perform the transfer they either circumvented authentication (essentially requiring them to work at baec) brute forced the password (if not weak then all but impossible) or knew the password (keylogger, phishing or educated guess eg password stuffing)

        • David says:

          Chrisasaurus – you entirely miss the point. And it is an incredibly bold statement, it says either one of two things occurred:
          – weak password, or
          – not changed after BAEC hack

          The poster has no means to know if this is the case, and they are defamatory to the person in the story.
          As you yourself point out, there are a multitude of ways the password could have been correctly entered.

          The post I quoted IS incredibly bold, and not one I would make.

    • Chrisasaurus says:

      So, this fascinates me and I’ve read so many papers without coming to a conclusion.

      Changing passwords only makes sense with a password manager otherwise they will be weaker, in order to remember them, either through reuse, or using a super clever formula you think is unique to create your password but newsflash: not as clever as you think it is

      But even if using a password manager the only reason to ever change a unique high entropy password is to guard against it having been compromised (eg in a breach) but changing your password every 90 days still leaves you exposed to that for 89 of them – where do you draw the line?

  • Rich says:

    I’ve run into issues with Nectar account security in the past. I was signed up to their Nectar Canvas survey service and somebody was trying to use a brute force attack to access my Nectar Canvas account.
    I imagine my email address was sold to someone on the dark web, but luckily I use a password manager so they weren’t able to access my account. I really hope one day both BA and Nectar switch over to two factor auth. There’s no reason why accounts holding this much financial value should be relying on just a password to gain access.

  • Navara says:

    Bring back paper Airmiles you can keep under the mattress ✈️

  • Dave B says:

    This email spam storm happened to me around 18 months ago. Points were used to buy some 5* hotel rooms in St. Petersburg, and my home address was altered to include a Moscow compliant postcode. After around 3 months of investigation I got my avios back. I still get some spam after unsubscribing or adding to spam folder.

  • Andrew Cooper says:

    Also probably better to say their control rather than assume the hacker was male.

    • Super Secret Stuff says:

      I was just about to say it makes me chuckle how often people assume hackers are male

  • RussellH says:

    FWIW, I have just moved almost all my avios into my Avios.com/AerClub a/c, and updated and lengthened the passwords on both BA and Aerclub. In the course of which I discovered that BA do not permit the percent symbol % in their PWs. Why?
    I had already strengthened my Nectar PW before linking.

    • memesweeper says:

      Why? They cannot properly sanitise their form/database inputs. It’s lame but commonplace — search online for ‘ little Bobby tables ‘ cartoon for an illustration.

    • RussellH says:

      And the BA PW is limited to 20 chars…

      • Stu says:

        I pointed this out on page 2, and it’s ridiculous that it will accept a 25 character password and curtail it at 20, then when you try to login again, it tells you ‘wrong password’ because you’re still inputting 25 characters via the password manager but it’s only expecting the first 20!
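As an added example (not from the article, its commenters, or BA): the failure Stu describes, reproduced in a few lines beside the handling that avoids it. A registration path that silently keeps only the first 20 characters, paired with a login path that hashes everything the user submits, means a 25-character password can never log in. The class names, the 20-character cap and the KDF parameters are assumptions for illustration.

```python
# Added example, not from the article or its commenters and not BA's code:
# a registration path that silently cuts the password to MAX_LEN characters,
# beside a login path that hashes the full string, reproduces the
# "wrong password" failure described above. ConsistentStore shows the fix.
# Class names, the 20-character cap and the KDF parameters are assumptions.
import hashlib
import hmac
import os

MAX_LEN = 20  # assumed cap, matching the 20-character limit mentioned above


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password; input of any length is fine."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """The defect: registration keeps only the first MAX_LEN characters, but
    login hashes the full string the user (or their password manager) sends,
    so any password longer than MAX_LEN can never be used to log in."""

    def __init__(self):
        self._users = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _digest(password[:MAX_LEN], salt))  # silent cut

    def login(self, user: str, password: str) -> bool:
        salt, stored = self._users[user]
        return hmac.compare_digest(_digest(password, salt), stored)


class ConsistentStore:
    """The fix: never alter what the user typed. Only a salted hash is stored,
    so there is no need for a length cap or for banning characters such as
    '%': the password text itself never reaches a query or a template."""

    def __init__(self):
        self._users = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _digest(password, salt))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self._users[user]
        return hmac.compare_digest(_digest(password, salt), stored)


def show_mismatch(password: str):
    """Register the same password in both stores and return whether a login
    with exactly that password succeeds in each: (truncating, consistent)."""
    broken, fixed = TruncatingStore(), ConsistentStore()
    broken.register("reader", password)
    fixed.register("reader", password)
    return broken.login("reader", password), fixed.login("reader", password)


if __name__ == "__main__":
    # A 29-character password: the truncating store rejects it at login even
    # though it accepted it at registration; the consistent store is fine.
    print(show_mismatch("correct-horse-battery-staple%"))
```

If a product requirement does force a maximum length, the safe form is to reject an over-length password at registration with a clear error and apply exactly the same check at login, never to shorten it silently on one path only.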
