
We have our first example of Avios / Nectar fraud


Last week I wrote an article explaining why Avios fraud may be about to increase, and why you should ensure your account is secure.

Stealing frequent flyer miles has not usually been a priority for thieves. Having to pay the taxes on the flight with a credit card, and to give a real name and passport details while booking, makes the miles unattractive to steal. This is why British Airways Executive Club accounts have not been a top target for hackers.

Now things have changed. Hack into a BA account and you can transfer 50,000 Avios to a random Nectar card, giving the thief £400 to spend.


We have our first hacked reader

Last night I got an email from a reader who had discovered, literally an hour before he contacted me, that he had been hacked.

The reader had checked his email and found around 70 random messages.  “They were all sign ups to weird sites, requests for quotes to Mexican transport companies etc” he wrote.

Halfway through the list was the email from British Airways Executive Club saying that his account had been linked to a Nectar account.

Cunningly, the hacker had hoped that by flooding the inbox with a large volume of messages at once, the Nectar email would be missed.

The email said: “Congratulations, your British Airways Executive Club account has successfully been linked to a Nectar account ending in 9013.”

The reader quickly logged in to his British Airways Executive Club account. 50,000 Avios – the monthly maximum – had been transferred to the Nectar card.

(Our reader does have a Nectar card, but it doesn’t end in 9013. He had not yet linked it to his BA account.)

He called British Airways Executive Club and it locked his account. He has been promised an email from BA “in a couple of weeks”.

It is worth noting that our reader was impacted by the British Airways data breach a couple of years ago, during which his Executive Club account details would have been stolen. It isn’t clear if this is connected or not. It is possible that his details are amongst those BAEC accounts being sold on the ‘dark web’.
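The inbox-flooding trick described above is something a mail filter can look for. The following is an added example written for this page, not code from Head for Points, BA or Nectar: it scans a mailbox for security-relevant notifications that arrive surrounded by a burst of other messages. The mailbox contents, sender addresses, subject patterns, burst window and threshold are all constructed or assumed for illustration.

```python
# Added example, not code from Head for Points, BA or Nectar: a triage pass over a
# mailbox that surfaces account-change notifications hidden inside a burst of
# sign-up spam. Mailbox contents, senders, subject patterns, window and
# threshold are constructed/assumed.
import re
from datetime import datetime, timedelta

# Subject fragments that mark a message as security-relevant (assumed; extend per provider).
SECURITY_PATTERNS = [
    r"linked to a nectar account",
    r"password (has been|was) changed",
    r"new (sign-?in|device)",
]
BURST_WINDOW = timedelta(minutes=30)   # assumed: how close together "burst" messages arrive
BURST_THRESHOLD = 20                   # assumed: this many neighbours counts as a flood


def is_security_notice(subject: str) -> bool:
    """True if the subject matches any security-relevant pattern, case-insensitively."""
    return any(re.search(p, subject, re.IGNORECASE) for p in SECURITY_PATTERNS)


def find_buried_notices(messages):
    """messages: iterable of (received_at, sender, subject) tuples, any order.

    Returns one dict per security notice that has at least BURST_THRESHOLD other
    messages within BURST_WINDOW of it, i.e. a notice that a flood could be hiding.
    """
    msgs = sorted(messages)
    found = []
    for i, (ts, sender, subject) in enumerate(msgs):
        if not is_security_notice(subject):
            continue
        neighbours = sum(
            1 for j, other in enumerate(msgs)
            if j != i and abs(other[0] - ts) <= BURST_WINDOW
        )
        if neighbours >= BURST_THRESHOLD:
            found.append({"when": ts, "from": sender, "subject": subject, "buried_in": neighbours})
    return found


def constructed_flooded_mailbox():
    """Constructed mailbox: 70 sign-up confirmations in 23 minutes, one linking notice in the middle."""
    base = datetime(2022, 4, 1, 9, 0)
    box = [
        (base + timedelta(seconds=20 * k), f"noreply@site{k}.example", "Welcome! Please confirm your sign up")
        for k in range(70)
    ]
    box.append((base + timedelta(minutes=11, seconds=10), "no-reply@executiveclub.example",
                "Your Executive Club account has been linked to a Nectar account"))
    box.append((base - timedelta(days=2), "friend@example.org", "Lunch on Friday?"))
    return box


def constructed_quiet_mailbox():
    """Constructed mailbox: the same notice with nothing around it, which should not be flagged."""
    base = datetime(2022, 4, 1, 9, 0)
    return [
        (base, "no-reply@executiveclub.example",
         "Your Executive Club account has been linked to a Nectar account"),
        (base - timedelta(hours=5), "friend@example.org", "Lunch on Friday?"),
    ]


if __name__ == "__main__":
    for hit in find_buried_notices(constructed_flooded_mailbox()):
        print(f"{hit['when']:%H:%M} {hit['subject']!r} hidden among {hit['buried_in']} messages")
```

The point of the neighbour count is that a linking notice on its own is normal and a flood on its own is just spam; it is the combination that deserves a prominent alert rather than a place in the middle of the list.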

Conclusion

As I wrote in my article last week, the security around the Avios / Nectar link is lax. There is no attempt to match surnames or email addresses between the two accounts. You can even link and unlink Nectar cards between multiple accounts.

It is possible that the hacker got away with it. Whilst the reader had his British Airways account locked, BA could not lock his Nectar account.

As long as the hacker had already used the Nectar card once, he could immediately head into Sainsbury’s and spend £400. More likely, he will have ordered £400 of eBay credit and used it to buy something from another eBay account under his control.
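To make the gap concrete, here is an added example, not code from Head for Points, BA or Nectar, that models the linking step. `link_lax()` does what the article describes (any two accounts can be linked, nothing is compared); `link_hardened()` shows the checks a defender would want in its place, and `transfer_allowed()` shows a hold on transfers after a fresh link. The field names, the 30-day re-link cooldown and the 24-hour hold are assumptions for illustration; the 50,000 monthly cap is the figure quoted in the article.

```python
# Added example, not code from Head for Points, BA or Nectar: a model of the
# account-linking check the article says is missing. Field names, the 30-day
# re-link cooldown and the 24-hour transfer hold are assumptions.
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MONTHLY_TRANSFER_CAP = 50_000   # the monthly maximum quoted in the article


@dataclass
class Account:
    scheme: str      # "BAEC" or "Nectar"
    number: str
    surname: str
    email: str


@dataclass
class LinkLedger:
    """Record of link events so rapid re-linking between accounts can be spotted."""
    events: list = field(default_factory=list)   # (timestamp, baec_number, nectar_number)


def _norm(value: str) -> str:
    """Case- and punctuation-insensitive form so "O'Brien " compares equal to "OBRIEN"."""
    return re.sub(r"[^a-z0-9@.]", "", value.casefold())


def link_lax(ba: Account, nectar: Account, ledger: LinkLedger, now: datetime) -> list:
    """The behaviour the article describes: no comparison at all, the link always succeeds."""
    ledger.events.append((now, ba.number, nectar.number))
    return []   # empty list = no rejection reasons


def link_hardened(ba, nectar, ledger, now, confirmed_from_baec_email=False,
                  cooldown=timedelta(days=30)) -> list:
    """Return the reasons the link is refused; an empty list means it was accepted and recorded."""
    reasons = []
    if _norm(ba.surname) != _norm(nectar.surname):
        reasons.append("surname mismatch")
    if _norm(ba.email) != _norm(nectar.email):
        reasons.append("email mismatch")
    if not confirmed_from_baec_email:
        reasons.append("link not confirmed from the BAEC email address")
    # Either side having been (re)linked recently is the pattern the article warns about.
    recent = [e for e in ledger.events
              if now - e[0] < cooldown and (e[1] == ba.number or e[2] == nectar.number)]
    if recent:
        reasons.append("account linked or re-linked within cooldown")
    if not reasons:
        ledger.events.append((now, ba.number, nectar.number))
    return reasons


def transfer_allowed(amount: int, linked_at: datetime, now: datetime,
                     hold=timedelta(hours=24)) -> bool:
    """Refuse transfers over the cap or inside the hold after a new link, so the owner
    has time to act on the 'your account has been linked' email."""
    return amount <= MONTHLY_TRANSFER_CAP and now - linked_at >= hold


def demo() -> dict:
    """Constructed scenario mirroring the article: a thief's Nectar card vs. the reader's own."""
    now = datetime(2022, 4, 1, 22, 0)
    reader_ba = Account("BAEC", "BAEC-0001", "Smith", "reader@example.com")
    thief_nectar = Account("Nectar", "NEC-9013", "Jones", "attacker@example.net")
    own_nectar = Account("Nectar", "NEC-1234", "SMITH ", "Reader@Example.com")
    ledger = LinkLedger()
    return {
        "lax_thief": link_lax(reader_ba, thief_nectar, LinkLedger(), now),
        "hardened_thief": link_hardened(reader_ba, thief_nectar, ledger, now),
        "hardened_own": link_hardened(reader_ba, own_nectar, ledger, now,
                                      confirmed_from_baec_email=True),
        "hardened_relink": link_hardened(reader_ba, own_nectar, ledger, now + timedelta(days=1),
                                         confirmed_from_baec_email=True),
        "transfer_at_once": transfer_allowed(50_000, now, now),
        "transfer_next_day": transfer_allowed(50_000, now, now + timedelta(days=1)),
        "transfer_over_cap": transfer_allowed(50_001, now, now + timedelta(days=2)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

None of these checks is exotic: a surname and email comparison, a confirmation from the address already on the BAEC account, and a short pause before points can leave a freshly linked card would each have stopped or at least slowed the case above.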

PS. It turns out we have had a second example of fraud amongst our readers. After this article was published, someone else got in touch.

“Same thing happened to us too! We got an email saying our Executive Club account had been linked to a Nectar account. And 50k Avios were transferred out. We contacted both BA and Nectar but so far no news (BA said it could take up to 28 days for their audit team to investigate but they said we should get our Avios back).”


How to earn Avios from UK credit cards

How to earn Avios from UK credit cards (April 2024)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

Barclaycard Avios Plus card

Barclaycard Avios Plus Mastercard

Get 25,000 Avios for signing up and an upgrade voucher at £10,000 Read our full review

Barclaycard Avios card

Barclaycard Avios Mastercard

5,000 Avios for signing up and an upgrade voucher at £20,000 Read our full review

There are two official British Airways American Express cards with attractive sign-up bonuses:

British Airways American Express Premium Plus

25,000 Avios and the famous annual 2-4-1 voucher Read our full review

British Airways American Express

5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £15,000 Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points. These points convert at 1:1 into Avios.

American Express Preferred Rewards Gold

Your best beginner’s card – 20,000 points, FREE for a year & four airport lounge passes Read our full review

The Platinum Card from American Express

40,000 bonus points and a huge range of valuable benefits – for a fee Read our full review

Run your own business?

We recommend Capital on Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.

Capital on Tap Business Rewards Visa

Huge 30,000 points bonus until 12th May 2024 Read our full review

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus.

British Airways Accelerating Business American Express

30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

American Express Business Platinum

40,000 points sign-up bonus and an annual £200 Amex Travel credit Read our full review

American Express Business Gold

20,000 points sign-up bonus and FREE for a year Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Comments (166)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Aston100 says:

    No good having strong passwords on BAEC if your email has been compromised.
    Deal with your email account password first and foremost.

    • memesweeper says:

      Correctamundo. Secure the account you use for password resets above all others — 2FA is a must.

      • Optimus Prime says:

        +1

        Also those security questions such as ‘Mother’s maiden name’, ‘your first school’, ‘Memorable place’ etc should be answered with random words generated by password managers.

        • Chrisasaurus says:

          Or expletives, which I find useful as it helps to identify businesses that don’t store them securely – if the agent audibly gasps then I know the answers weren’t hashed, that they can read them in clear text and, by extension, that they’re compromised.

          I stopped using kcom for example as they could read my actual, entire password…
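The two comments above (random-word answers to security questions, and answers that the agent cannot read back) go together. As an added example, not code from any commenter or from Head for Points, the block below generates answers from a word list and stores them as salted PBKDF2 hashes after normalising case and punctuation, so a call-centre agent can check an answer without seeing it. The word list and iteration count are constructed/assumed.

```python
# Added example, not from Head for Points or any commenter: random-word security
# answers stored as salted PBKDF2-HMAC-SHA256 hashes. WORDLIST is constructed;
# ITERATIONS is an assumed work factor.
import hashlib
import hmac
import os
import re
import secrets

WORDLIST = ["copper", "lantern", "meadow", "violin", "glacier", "saddle", "orbit", "pepper"]
ITERATIONS = 600_000


def generate_answer(words=WORDLIST, n=4) -> str:
    """A random multi-word answer, the kind a password manager would produce."""
    return " ".join(secrets.choice(words) for _ in range(n))


def normalise(answer: str) -> str:
    """Case-fold, drop punctuation and collapse whitespace so "Copper  Lantern!" == "copper lantern"."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", answer.casefold()).split())


def store_answer(answer: str) -> dict:
    """Return the record to keep on file: salt, hash and iteration count, never the answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_answer(record: dict, attempt: str) -> bool:
    """Recompute the hash of the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(attempt).encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    answer = generate_answer()
    record = store_answer(answer)
    print("answer to put in your password manager:", answer)
    print("what the business keeps on file:", record)
    print("verifies:", verify_answer(record, answer.upper() + "!"))
```

Normalising before hashing is the compromise that lets an agent accept a spoken answer with different capitalisation while the stored record still reveals nothing if it leaks.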

    • RussellH says:

      Do not use your e-mail as Username for logging in.

    • Alan says:

      Yep. If you use Gmail then it’s very easy to enable 2FA that requires approval on your linked phone before it lets you log in elsewhere.

      • John says:

        Problem with that is I’ve had the same gmail account for 15 years with a relatively insecure password, while I’ve gone through about 20 phone numbers and 7 phones. If I lose or break my phone I would be in a lot of trouble if I relied on it for everything.

        • DJ says:

          Get 1Password or Authy to sync your one-time passwords. That way you don’t need to worry about not having access to your phone.

      • GeorgeJ says:

        Alan, the problem comes when you are somewhere your phone decides not to receive text. I have regularly had the issue and it makes me avoid 2FA in most instances where I need full access at all times.

  • Tony says:

    I’ve seen a few comments about moving Avios points to Nectar as it’s more secure with its use of OTP. But what happens if you lose or someone steals your card/key fob (or even makes a copy of it). Can they then use all your Nectar points shopping at Sainsbury’s (booze, gift cards, etc)?

    • The real John says:

      Answered in all the Nectar articles so far… yes, as long as you bought something in that Sainsbury’s in the past 12 months and the first time was more than 24 hours ago.

  • Carole says:

    I used my Nectar card one day in 2018 and noted that I had £123 in points. By the next morning, I had minus £1950 of points in my account. Someone had spent over £2000 of points overnight, even though I still had the card in my purse.

    The points were spent in various Sainsbury’s and Argos stores in the Bournemouth area, over 100 miles from my home. The thief was able to spend £120 of points at a time as, when points were spent, it took 24 hours before the account was updated.
    I am not sure if this is still the case.

    To their credit, Nectar refunded my points and gave me an additional 2000 points.

    • Peter K says:

      How can you get a minus Nectar balance? It’s not a credit facility.

      • Carole says:

        The thief spent £120 at a time (I had £123 in the account). However, the Nectar account took 24 hours to update, so by going to various shops in the area, he could continue to spend £120 each time. I believe now that you can only spend Nectar points in Sainsbury’s in stores that you have shopped in previously.

        I still have part of the Nectar account showing the redemptions, but I am unable to post on this page. However, as I had my card at home, I don’t know how the thief was able to redeem the points.

        • TGLoyalty says:

          Well well that’s one clever fraudster.

        • John says:

          It’s been the case since about 2006. The thief used stores you had been to. They must have copied the barcode somehow. I still haven’t figured out how someone stole £10 of my Nectar in my usual Sainsbury’s – we didn’t leave the house that day and it hasn’t happened again.

      • Peter says:

        Spend points at Sainsbury’s on Sunday, then on the way home… you can also spend them on eBay. eBay is instant, Sainsbury’s weirdly isn’t…

        • John says:

          In uni we used to send new Nectar accounts into negative territory every few weeks. Somehow Nectar kept letting us open accounts and posted new cards out, all to the same address.

  • Chrisasaurus says:

    Brand new super sophisticated logo, yet IHG still have a truly shocking 4-digit PIN to protect accounts, with no MFA and no Captcha, and I’ve logged into my account from every continent on earth without it raising any suspicions.

    At work I logged in from a hotel, the hotel’s IP was (incorrectly, as it goes) geolocated as being in another continent, and my account was frozen and my boss notified inside 8 minutes. We are not, by some distance, as well resourced as IHG are, but of course we’re protecting our assets and IHG are (not) protecting someone else’s…

    • ChrisC says:

      For new accounts you have to create a password at least 8 characters long.

      For existing accounts you can change it from pin to password using the ‘reset’ option

      • RussellH says:

        True, but IHG ought to have advised, or better, required all users to strengthen their PWs when they first allowed it. It was over a year ago it became possible, but I only found out about it here (of course).

      • Chrisasaurus says:

        And thanks – that’s a large IHG balance a little safer

        • Alan says:

          Yep it’s a small step in the right direction but they should get 2FA enabled for users too.

  • Max says:

    BA Exec Club doesn’t seem to support 2FA? Nectar does support it.

  • Frank says:

    Great work Rob. I get Avios and Nectar might need a prompt to make this more secure, but in the meantime why not advertise to the world that there’s a loophole. Honestly, irresponsible in the extreme.

    • Rob says:

      People who hack into this stuff were all over it from Day 1. Anyone who has a pile of BAEC log-ins AND PASSWORDS in their back pockets is smart enough to work this out.

      • GeorgeJ says:

        Fully agree Rob, I did reset my password after the BA hack and this article has prompted me to do it again. So thank you!

  • Cabal of rabid baboons says:

    Unlike Frank I’m most grateful for highlighting this fraud Rob and I’ll be strengthening a few passwords tonight.

    • Bagoly says:

      +1 Good widespread defence depends on sharing information which does indeed mean bad actors can pick up on it. With hard technical hacks, white hats do notify companies privately who usually issue fixes, and only then is the issue publicised.
      But here:
      1) BA are notoriously slow at improving security
      2) The obvious defence is for individual users to change their passwords, which necessarily involves broadcasting the issue.

  • Christopher says:

    All this about super strong passwords and password vaults is great, but if you die how can your partner/heir access and use your Avios as the BAEC T&Cs forbid transfer?

    • Vinz says:

      There was an article some time ago in which Rob explained how to make sure you include your points details into a will for example.
      Until I do that I’ve created a spreadsheet with all my current assets (points and money) for my husband to use should anything happen to me and I plan to write a will.

    • Rob says:

      BA does transfer if they get a private request.

    • Chrisasaurus says:

      So the solution is a simple password so your surviving relatives and most of Russia and China have access when they need it instead?

      I don’t at all follow your point – surely a password vault, and allowing family members to know the single password to that, makes more sense?
