Rise in Avios theft causes ‘Combine My Avios’ to Iberia to be pulled

Recent months have seen a substantial rise in Avios fraud on British Airways Club accounts. What is odd is that I haven’t been able to work out how it is being done, and seemingly neither does British Airways.

The entire ‘Combine My Avios’ system between BA and Iberia / Aer Lingus has now been taken down.

BA is saying on social media that this is in advance of a new platform coming soon, but it seems too much of a coincidence for it to be anything other than a fraud prevention measure.

How have British Airways Club accounts been secretly drained?

Here’s the weird thing. I can’t work it out.

Looking at reports, this has been going on for at least 10 months. It is only in the last couple of months that it seems to have reached critical mass, perhaps as hackers share their techniques or manage to automate the process.

To explain what is happening, we need to take a step back.

When you move Avios between British Airways and Qatar Airways, British Airways and Finnair or British Airways and Loganair (or indeed British Airways and Nectar), you create a permanent link between your two accounts.

It means, for example, that you can view your Nectar balance on ba.com or your BA balance at qatarairways.com, and that transfers can be done quickly.

Creating a permanent link reduces fraud, to the extent that a hacker can’t link their own Qatar, Finnair or Loganair account to your BA account if you have already done it yourself.

Avios transfers with Iberia and Aer Lingus are different

The Qatar Airways, Finnair and Loganair partnerships were all set up in the last couple of years and are built on modern technology.

Transfers between BA and Iberia / Aer Lingus have been possible for a decade and work differently.

Each time you want to move Avios, you need to use ‘Combine My Avios’ to create a one-off link between your accounts. After you’ve done the transfer, the link is broken. You start from scratch next time you want to move Avios.

Because there is no permanent link, hackers can attempt to link an Iberia or Aer Lingus account to any BA account at any time.

However ….

Long-term HfP readers will know that the security checks required to transfer Avios between BA and Iberia have always been bizarrely high. EVERYTHING between your accounts had to match – full name, email, date of birth.

It was tricky. What made it worse is that Iberia accounts have three name fields – first name, first surname, second surname – and if you put your surname in the wrong box when setting up your Iberia account you were in trouble.

There are also restrictions on when Iberia Club accounts can be used to make transfers. Transfers are banned until your Iberia account is 90 days old and had some third party activity, eg a flight credit or an American Express Membership Rewards transfer.

As you can see above, there is no longer a link to Iberia or Aer Lingus transfers on the avios.com website. The functionality has also been pulled from the Iberia website.

The hack

Bearing all the above in mind, the Avios thefts that have been going on over the last 10 months make no sense.

This is what seems to have been happening:

• hackers open an Iberia Club account

• hackers link the Iberia Club account to a British Airways Club account

• hackers drain the British Airways Club account into the Iberia Club account (your BA account will show ‘Avios Transfer | Combine My Avios Debit IBPL’ against the withdrawal)

This is despite the fact that:

• Iberia Club accounts shouldn’t be able to accept transfers until they have some activity on them and are 90 days old

• Iberia Club accounts shouldn’t be linkable to BA accounts unless every personal detail matches, including date of birth and email address

• Avios held in Iberia Club are not (as far as I know) easily redeemable for ‘cash-like’ products such as Amazon gift cards – it’s a bit dumb to steal Avios and then use them to book a flight for yourself – so what are they being used for? Same day hotel bookings in China appear to be one answer.

Irrespective of the above, hackers have been able to open Iberia Club accounts, link them to British Airways Club accounts and drain them. Confirmation emails are either not being sent or are being sent but are drowned out by a chunk of spam spent at the same time.

What can you do to protect your Avios?

Given all of the above, it seems that there is no way to protect yourself from this fraud. Even people with 2FA (from the BA trial last year, not currently offered) or highly complex Apple / Google-generated passwords are being hit looking at reports.

British Airways has probably done you a favour by removing the ability to move Avios between BA and Iberia / Aer Lingus accounts.

The good news is that British Airways will always replace your stolen Avios, although it may take a few weeks.

Hopefully we will soon see a new ‘Combine My Avios’ system where you can permanently link your BA and Iberia accounts, which will have the additional benefit of making genuine transfers easier.