
Rise in Avios theft causes ‘Combine My Avios’ to Iberia to be pulled


Recent months have seen a substantial rise in Avios fraud on British Airways Club accounts. What is odd is that I haven’t been able to work out how it is being done, and seemingly neither has British Airways.

The entire ‘Combine My Avios’ system between BA and Iberia / Aer Lingus has now been taken down.

BA is saying on social media that this is in advance of a new platform coming soon, but it seems too much of a coincidence for it to be anything other than a fraud prevention measure.

'Combine My Avios' to Iberia pulled

How have British Airways Club accounts been secretly drained?

Here’s the weird thing. I can’t work it out.

Looking at reports, this has been going on for at least 10 months. It is only in the last couple of months that it seems to have reached critical mass, perhaps as hackers share their techniques or manage to automate the process.

To explain what is happening, we need to take a step back.

When you move Avios between British Airways and Qatar Airways, British Airways and Finnair or British Airways and Loganair (or indeed British Airways and Nectar), you create a permanent link between your two accounts.

It means, for example, that you can view your Nectar balance on ba.com or your BA balance at qatarairways.com, and that transfers can be done quickly.

Creating a permanent link reduces fraud, to the extent that a hacker can’t link their own Qatar, Finnair or Loganair account to your BA account if you have already done it yourself.

Avios transfers with Iberia and Aer Lingus are different

The Qatar Airways, Finnair and Loganair partnerships were all set up in the last couple of years and are built on modern technology.

Transfers between BA and Iberia / Aer Lingus have been possible for a decade and work differently.

Each time you want to move Avios, you need to use ‘Combine My Avios’ to create a one-off link between your accounts. After you’ve done the transfer, the link is broken. You start from scratch next time you want to move Avios.

Because there is no permanent link, hackers can attempt to link an Iberia or Aer Lingus account to any BA account at any time.

However ….

Long-term HfP readers will know that the security checks required to transfer Avios between BA and Iberia have always been bizarrely high. EVERYTHING between your accounts had to match – full name, email, date of birth.

It was tricky. What made it worse is that Iberia accounts have three name fields – first name, first surname, second surname – and if you put your surname in the wrong box when setting up your Iberia account you were in trouble.

There are also restrictions on when Iberia Club accounts can be used to make transfers. Transfers are banned until your Iberia account is 90 days old and has had some third-party activity, eg a flight credit or an American Express Membership Rewards transfer.

'Combine My Avios' to Iberia pulled

As you can see above, there is no longer a link to Iberia or Aer Lingus transfers on the avios.com website. The functionality has also been pulled from the Iberia website.

The hack

Bearing all the above in mind, the Avios thefts that have been going on over the last 10 months make no sense.

This is what seems to have been happening:

  • hackers open an Iberia Club account
  • hackers link the Iberia Club account to a British Airways Club account
  • hackers drain the British Airways Club account into the Iberia Club account (your BA account will show ‘Avios Transfer | Combine My Avios Debit IBPL’ against the withdrawal)

This is despite the fact that:

  • Iberia Club accounts shouldn’t be able to accept transfers until they have some activity on them and are 90 days old
  • Iberia Club accounts shouldn’t be linkable to BA accounts unless every personal detail matches, including date of birth and email address
  • Avios held in Iberia Club are not (as far as I know) easily redeemable for ‘cash-like’ products such as Amazon gift cards – it’s a bit dumb to steal Avios and then use them to book a flight for yourself – so what are they being used for? Same day hotel bookings in China appear to be one answer.

Irrespective of the above, hackers have been able to open Iberia Club accounts, link them to British Airways Club accounts and drain them. Confirmation emails are either not being sent, or are being sent but are drowned out by a chunk of spam sent at the same time.
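To make the gap concrete, here is an added Python model of the controls the article says should gate a ‘Combine My Avios’ transfer (matching name, email and date of birth; a receiving Iberia account at least 90 days old with some third-party activity), together with a review helper that picks out the ‘Combine My Avios Debit IBPL’ ledger label quoted above. This is illustrative code written for this page, not code from Head for Points, British Airways or Iberia. The hold on transfers shortly after a contact-details change is an assumed mitigation for the buried-confirmation-email pattern, not a documented BA rule, and every account and ledger line below is constructed sample data.

```python
"""Model of the transfer controls the article describes, plus a ledger review helper.
Added example; the accounts, ledger and the profile-change hold are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MIN_PARTNER_AGE_DAYS = 90        # article: Iberia account must be 90 days old
RECENT_PROFILE_CHANGE_DAYS = 7   # assumed hold window, not a stated BA rule
COMBINE_DEBIT_LABEL = "Avios Transfer | Combine My Avios Debit IBPL"  # label quoted in the article


@dataclass(frozen=True)
class Account:
    programme: str                 # "BA" or "Iberia"
    full_name: str
    email: str
    date_of_birth: date
    opened: date
    third_party_activity: bool     # e.g. a flight credit or Membership Rewards transfer
    last_profile_change: Optional[date] = None  # constructed field: last name/email change


def _norm(text: str) -> str:
    """Case- and whitespace-insensitive key for comparing names and emails."""
    return " ".join(text.split()).casefold()


def identity_mismatches(src: Account, dst: Account) -> list[str]:
    """Article rule: full name, email and date of birth must all match."""
    reasons = []
    if _norm(src.full_name) != _norm(dst.full_name):
        reasons.append("full name differs")
    if _norm(src.email) != _norm(dst.email):
        reasons.append("email differs")
    if src.date_of_birth != dst.date_of_birth:
        reasons.append("date of birth differs")
    return reasons


def destination_not_ready(dst: Account, today: date) -> list[str]:
    """Article rule: receiving account must be 90 days old with third-party activity."""
    reasons = []
    if (today - dst.opened).days < MIN_PARTNER_AGE_DAYS:
        reasons.append("destination account younger than 90 days")
    if not dst.third_party_activity:
        reasons.append("destination account has no third-party activity")
    return reasons


def assess_transfer(src: Account, dst: Account, today: date) -> list[str]:
    """Return every reason to refuse or hold the transfer; an empty list means allow.
    The profile-change hold is an assumed mitigation for the pattern the article
    describes (confirmation emails buried under spam), not a documented control."""
    reasons = identity_mismatches(src, dst) + destination_not_ready(dst, today)
    if (src.last_profile_change is not None
            and (today - src.last_profile_change).days <= RECENT_PROFILE_CHANGE_DAYS):
        reasons.append("source account contact details changed within the last 7 days")
    return reasons


def combine_debits(ledger: list[dict]) -> list[dict]:
    """Pick out ledger lines carrying the debit label the article says victims see."""
    return [e for e in ledger if e["description"] == COMBINE_DEBIT_LABEL and e["avios"] < 0]


# Constructed sample data (not real accounts)
TODAY = date(2025, 6, 1)
GENUINE_BA = Account("BA", "Jane Example", "jane@example.com",
                     date(1980, 1, 2), date(2015, 3, 3), True)
GENUINE_IB = Account("Iberia", "Jane Example", "JANE@example.com",
                     date(1980, 1, 2), date(2019, 5, 5), True)
FRESH_IB = Account("Iberia", "Jane Example", "other@example.net",
                   date(1980, 1, 2), date(2025, 5, 20), False)
BA_AFTER_CHANGE = Account("BA", "Jane Example", "jane@example.com",
                          date(1980, 1, 2), date(2015, 3, 3), True,
                          last_profile_change=date(2025, 5, 30))
SAMPLE_LEDGER = [
    {"date": "2025-05-29", "description": "Flight credit LHR-MAD", "avios": 1250},
    {"date": "2025-05-31", "description": COMBINE_DEBIT_LABEL, "avios": -150000},
    {"date": "2025-05-31", "description": "Nectar transfer", "avios": -400},
]

if __name__ == "__main__":
    print(assess_transfer(GENUINE_BA, GENUINE_IB, TODAY))   # []
    print(assess_transfer(GENUINE_BA, FRESH_IB, TODAY))     # three reasons
    print(assess_transfer(BA_AFTER_CHANGE, GENUINE_IB, TODAY))
    print(combine_debits(SAMPLE_LEDGER))
```

The point of the model is that a transfer to a freshly opened, non-matching Iberia account fails three of the stated checks at once, so any transfer that went through must have bypassed them somewhere; the ledger helper is what a reviewer would run over a customer’s history to pull out the withdrawals described in the article.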

What can you do to protect your Avios?

Given all of the above, it seems that there is no way to protect yourself from this fraud. Going by reports, even people with 2FA (from the BA trial last year, not currently offered) or highly complex Apple / Google-generated passwords are being hit.

British Airways has probably done you a favour by removing the ability to move Avios between BA and Iberia / Aer Lingus accounts.

The good news is that British Airways will always replace your stolen Avios, although it may take a few weeks.

Hopefully we will soon see a new ‘Combine My Avios’ system where you can permanently link your BA and Iberia accounts, which will have the additional benefit of making genuine transfers easier.

Comments (117)

  • Evan says:

    I somehow managed to do a same day transfer back in January. Had to set up a new Iberia account to transfer points I had orphaned with Vueling.
    I recall it was a total PITA to do, but was surprised when my points went straight over.

    It was only 242 points, so maybe there was a threshold for the 90 day rule.

    Also did a similar thing with Aer Lingus in April. Only 60 points that time.

  • Ron Vale says:

    I have 150k on Iberia and 168 on Aer Lingus, which I intended to put back into my BA account. Are these now lost forever, or do I go to BA/Avios on bended knee to see if they can be reallocated… To do this without notice is p…poor customer service.

  • Kwab says:

    But you seem to be going on the premise that this is all being conducted externally. If this is someone/people within BA or Iberia then I imagine executing this theft could be fairly straightforward. Internally, they may also have worked out what has happened but externally saying “We are upgrading to a much better system” creates better optics!

    • masaccio says:

      I read that organised crime has infiltrated car manufacturers to get key encoding equipment to criminals to generate keys, so this doesn’t seem that implausible. And with 100 billion (???) Avios out there in the wild, that’s an attractive target.

    • aroundtheworld says:

      Insider is definitely the most likely, but Ross’ theory is also interesting.

      I’m aware back in the day a less nefarious but equally insider issue at Amadeus where tech employees siphoned expiring miles into their own accounts…

    • NorthernLass says:

      Certainly what you get in some industries is low-paid call centre workers abusing systems like this or even deliberately applying for such roles to be able to exploit the weaknesses either for themselves or on behalf of others. If you get paid a pittance then, say, being given the equivalent of £50 to drain a few loyalty accounts is tempting. They’ll also justify it by the fact that it’s effectively victimless as BA will refund the missing avios to the account holders.

      • Londonsteve says:

        This. While all of this is pure speculation at this stage and will probably remain that way, as I doubt IAG will ever reveal the truth, anywhere you have low paid (often agency) staff with the ability to engage in fraud for monetary benefit the risk is heightened. Staff on permanent contracts that are employed directly and feel fairly compensated for their work are inherently going to kick around longer and are better known to the employer, as well as less likely to risk their job by defrauding their employer. Low paid agency staff can appear a tempting way to reduce overheads without considering the myriad harms that can arise, including but not limited to fraud, weak knowledge due to a lack of training and/or lack of experience, staff treating the job as a short term gig and by farming out referencing to an external agency that’s only interested in getting as many people through the door as possible, you introduce a security weakness as you’ll never really know who you’re letting into your systems. Standards of service and productivity will tend to decline with the consequent deterioration in customer satisfaction. Penny wise, pound foolish.

        • kevin86 says:

          Slightly off topic, but I’ve worked in places where staff have been let go and soon after replaced by significantly more expensive external consultants (even after you take into account NI, benefits etc). They can still show they’ve reduced headcount though. Madness.

          • Rob says:

            BA etc do this too – outsource lounge catering, claim you’ve reduced headcount by 300 etc.

            Even people like John Lewis are huge on this. By outsourcing as much as possible, the remaining direct employees get a higher end of year bonus (when they get back to paying them). Most restaurant staff at John Lewis are now external, as are warehousing staff.

          • flyforfun says:

            There’s a new(?) metric that our CEO is obsessed with. Earning Per Employee. We’re higher than our industry competitors so the knives have been out, cutting a bit from here, a department or two from there and it won’t stop for another 2 years or so. Even outsourced firms are being replaced with cheaper staff, but even if they are cheaper somehow, they don’t have the historical knowledge the people before them knew.

          • Londonsteve says:

            I’ve previously been employed in the City via an agency at twice the cost due to an internal ‘hiring freeze’. It makes a mockery of the hiring freeze as the overall staffing bill still increases and by a factor of twice what it needs to. Directly employed headcount doesn’t change however and I don’t doubt my terms of employment were much weaker than someone employed directly such that I could have been given the sack overnight.

  • Keval says:

    I’m gobsmacked reading this article this morning as I was the victim of attempted avios fraud last weekend. The hackers sent thousands of random emails to the email address linked to my avios account, signing me up to all sorts of newsletters and websites, in the hope I would miss the email from BA which notified me that the email address linked my avios account had been changed. Fortunately I was looking at my emails as all this was happening and immediately called BA as soon as I saw the email change notification and then they locked my account before my avios could be drained. This is all terrible from BA though, they need to do a much better job of protecting people’s data. This all is reflective of the decline of this company in general!

    • Christian says:

      Even stranger is that the hackers likely know which accounts are topped up with avios before commencing this kind of behaviour. You don’t hear of people getting hacked like this over amounts of avios that are any less than 6 figures.

      • memesweeper says:

        … see above comments about an insider. Although the insider might be doing nothing more than tipping off someone else about high-value accounts to target (which carries a low risk of being caught and involves no hacking skills).

        … an alternative explanation is a highly skilled actor can compromise a very large number of accounts, but only follows through on accounts with balances >100k Avios. The number of BAC accounts with small balances will be in the high millions, so my best guess is the attackers have good information, rather than hacking thousands of accounts to find suitable targets.

  • Ross says:

    This is a great mystery. I do have a devious theory about this which, in a “Hound of the Baskervilles” way fits all the facts but people won’t like.

    Devious theory: There is no transfer to Iberia. What is being spoofed is the BA Avios account history, including the supposed transfer to Iberia. That’s the hack: a database injection showing a history of Avios accumulation and a beastly fraudulent transfer by bad guys.

    The payoff is that false Avios are refunded by BA and can be cashed out in a myriad of ways.

    It would explain the lack of confirmation emails, lack of 2FA, need to cash out, need to match all data.

    The reason people won’t like it is because it suggests the victims are not, in fact, victims. Yet if you were smart:

    You would create some *real* victims first (just edit their account to have gone to zero, no real transfer), then you would see if Avios are being compensated by following FlyerTalk or similar … if so you pose as a victim on a couple of very high value accounts.

    This would fit the “recent escalation” pattern.

    If you were in the Iberia and BA databases, you could make the above look even more convincing (by faking the receipt accounts).

    Other thoughts:
    I fear that for BA-Iberia transfers, neither company appears to store, after the transaction, the numbers of the sending or receiving accounts. If this is true it would be mad, but would explain why working out what is going on is harder. It would also explain the “new system” supposedly being developed.

    • Ross says:

      This combines neatly with Kwab’s “insider” theory, above.

      • Kwab says:

        I think you could be spot on there Ross… one thing I can almost guarantee though is that BA will never spill the beans!

    • John says:

      Interesting theory. But is the orchestrator of your database injection theory not exposing themselves when they try to exfiltrate/spend the Avios they have created through injection?

      • Ross says:

        Having been the “victim” of a hack, moving Avios out to Nectar would be 100% understandable.

    • Mr. AC says:

      Interesting theory, although I don’t think it’s actually happening here.

      I’ve heard a similar thing about YouTube channels – once they started getting valuable, hijackers started taking over to run scams (mostly crypto livestreams). YouTube suspends the channels, actual owners get through to support and get their channels back.

      Pretty soon there was an explosion of this because some smart channel owners (especially if they were no longer growing) were getting “hijacked” by giving the “keys to the front door” so to speak to scammers and getting a cut from the proceeds, while simultaneously shilling their own Patreon on other socials to “support them while they were getting YouTube to investigate”.

      And now YouTube is forced to try and figure out if hijackings are “genuine” or not, so probably a lot of honest people have trouble getting their channels back.

    • masaccio says:

      Nah, my guess is an API vulnerability between Iberia and BA, or BA got screwed by one of the OAuth token thefts that have been happening.

    • SBIre says:

      Hilariously wrong – first of all, if you had that level of access, you’d do the quickest and cleanest extraction. Why introduce all those extra ridiculous steps that would add risk of being caught, especially as BA and IB are under the IAG umbrella and will be able to check in one minute if a transfer happened. Secondly – did you read the article? We know the transfers are happening, they are being used for same day hotels in China for example.

  • Adam says:

    I’ve been trying to transfer Avios to a friend for a week now and it never works. You get to the part on the Avios.com page with the slider to select how many miles it is and click next, but it signs you out and you start again, and it goes in a loop like that. Tried it on phone, iPad and PC browsers and it’s all the same.

    • memesweeper says:

      Assuming you both have a Finnair account, use that route instead.

      If you don’t both have a Finnair account, open them!

  • Jenny says:

    I find it worrying that every time I change my BA password to something new and unique, within days it is reported as being stolen. It appears to me that either BA has a significant undisclosed IT vulnerability that they still haven’t fixed or there is inside fraud going on.

    • memesweeper says:

      Very interesting. What intelligence service is reporting the password as compromised? Have you reported this to BA?

      BA password management has another dismal flaw, you can set a password so long/complex that it then refuses to allow you to use it. There is an undisclosed limit on password length/complexity which is not enforced at the reset stage. As a result my BA password is weaker than pretty much anything else I’ve set in the last decade.

      • RussellH says:

        I have come across that password flaw too, elsewhere. Not sure, but it may have been ASR. Wherever it was, it was a shorter limit than what BA has allowed me.
        I have two unique bank passwords that were restricted to fewer chars than my BA one when I set them up – maybe it is time to check to see if the limit has been extended.

  • Paul says:

    This highlights an inherent weakness in FF programmes in that the miles are not yours and the airline has total control on their value, their accessibility and their use. That’s not a loyalty programme it’s cruel and unusual punishment.

    At the heart of this issue is BA’s lousy IT. It would be interesting to know the prevalence of such fraud at Finnair and Qatar, both of whom have 2FA that works rather than a box that pops up offering 3 choices but logs you in anyway.

    Stopping transfers stops BA having to worry about it for a while but conveniently also stops customers booking on Iberia with lower costs. Win win for BA !

    • David says:

      I’ve only heard of 1x case when it involves Qatar Avios. But the Iberia is rampant. I have an IB Account opened from years back and always wondered if it is indeed this that has stopped it happening to me, touch wood.
