
Rise in Avios theft causes ‘Combine My Avios’ to Iberia to be pulled


Recent months have seen a substantial rise in Avios fraud on British Airways Club accounts. What is odd is that I haven’t been able to work out how it is being done, and seemingly neither has British Airways.

The entire ‘Combine My Avios’ system between BA and Iberia / Aer Lingus has now been taken down.

BA is saying on social media that this is in advance of a new platform coming soon, but it seems too much of a coincidence for it to be anything other than a fraud prevention measure.


How have British Airways Club accounts been secretly drained?

Here’s the weird thing. I can’t work it out.

Looking at reports, this has been going on for at least 10 months. It is only in the last couple of months that it seems to have reached critical mass, perhaps as hackers share their techniques or manage to automate the process.

To explain what is happening, we need to take a step back.

When you move Avios between British Airways and Qatar Airways, British Airways and Finnair or British Airways and Loganair (or indeed British Airways and Nectar), you create a permanent link between your two accounts.

It means, for example, that you can view your Nectar balance on ba.com or your BA balance at qatarairways.com, and that transfers can be done quickly.

Creating a permanent link reduces fraud, to the extent that a hacker can’t link their own Qatar, Finnair or Loganair account to your BA account if you have already done it yourself.

Avios transfers with Iberia and Aer Lingus are different

The Qatar Airways, Finnair and Loganair partnerships were all set up in the last couple of years and are built on modern technology.

Transfers between BA and Iberia / Aer Lingus have been possible for a decade and work differently.

Each time you want to move Avios, you need to use ‘Combine My Avios’ to create a one-off link between your accounts. After you’ve done the transfer, the link is broken. You start from scratch next time you want to move Avios.

Because there is no permanent link, hackers can attempt to link an Iberia or Aer Lingus account to any BA account at any time.

However …

Long-term HfP readers will know that the security checks required to transfer Avios between BA and Iberia have always been bizarrely high. EVERYTHING between your accounts had to match – full name, email, date of birth.

It was tricky. What made it worse is that Iberia accounts have three name fields – first name, first surname, second surname – and if you put your surname in the wrong box when setting up your Iberia account you were in trouble.

There are also restrictions on when Iberia Club accounts can be used to make transfers. Transfers are banned until your Iberia account is 90 days old and has had some third-party activity, e.g. a flight credit or an American Express Membership Rewards transfer.

'Combine My Avios' to Iberia pulled

As you can see above, there is no longer a link to Iberia or Aer Lingus transfers on the avios.com website. The functionality has also been pulled from the Iberia website.

The hack

Bearing all the above in mind, the Avios thefts that have been going on over the last 10 months make no sense.

This is what seems to have been happening:

  • hackers open an Iberia Club account
  • hackers link the Iberia Club account to a British Airways Club account
  • hackers drain the British Airways Club account into the Iberia Club account (your BA account will show ‘Avios Transfer | Combine My Avios Debit IBPL’ against the withdrawal)

This is despite the fact that:

  • Iberia Club accounts shouldn’t be able to accept transfers until they have some activity on them and are 90 days old
  • Iberia Club accounts shouldn’t be linkable to BA accounts unless every personal detail matches, including date of birth and email address
  • Avios held in Iberia Club are not (as far as I know) easily redeemable for ‘cash-like’ products such as Amazon gift cards – it’s a bit dumb to steal Avios and then use them to book a flight for yourself – so what are they being used for? Same day hotel bookings in China appear to be one answer.

Irrespective of the above, hackers have been able to open Iberia Club accounts, link them to British Airways Club accounts and drain them. Confirmation emails are either not being sent or are being sent but are drowned out by a chunk of spam sent at the same time.

What can you do to protect your Avios?

Given all of the above, it seems that there is no way to protect yourself from this fraud. Looking at reports, even people with 2FA (from the BA trial last year, not currently offered) or highly complex Apple / Google-generated passwords are being hit.

British Airways has probably done you a favour by removing the ability to move Avios between BA and Iberia / Aer Lingus accounts.

The good news is that British Airways will always replace your stolen Avios, although it may take a few weeks.

Hopefully we will soon see a new ‘Combine My Avios’ system where you can permanently link your BA and Iberia accounts, which will have the additional benefit of making genuine transfers easier.

Comments (117)

  • flyforfun says:

    I’ve had a few whispers that a major payroll company may have been compromised a few months back, or at least a major hacking attempt. This would have given access to name, address, date of birth and NI number. Nothing confirmed, but I heard just as we couldn’t log in for a couple of days to their website and everyone subsequently logging in had to change passwords. Sounds like it happened too late to be tied with this, if it’s been going for several months – but you never know.

  • Garethgerry says:

    @Rob. Is there anything we can do?

    It seems passwords are not involved, so changing or strengthening passwords is not the solution.

    Opening an Iberia account doesn’t seem to be a solution.

    I have 2FA set up, they asked for it I’d say a year or so ago, never been asked to use it, but never tried to move Avios.

    Is it a matter of just praying? I’m not sure if I’d notice being bombarded by spam unless a fair % got past the filter.

    I for one hope BA stop online transfers, until they solve it.

    • Panda Mick says:

      On Apple, create a VIP for communications from BA. There’s probably a number of emails that they come from.

      Turn off notifications for emails.

      You’ll then be notified when you DO get an email from BA.

    • memesweeper says:

      Opening a Finnair account and doing a transfer to/from seems to trigger the setup of 2FA on BA’s end (even if the transfer fails). That was my experience, YMMV.

  • Nun says:

    If you’ve linked and transferred before, why don’t they preserve that link? That would at least block one path of fraud.

    • Rob says:

      Because it is 2015 tech. Qatar / Finnair / Nectar transfer systems are based on 2021+ tech.

  • meta says:

    Nobody mentioned the use of AI as a hacking model. It takes two seconds with the right genAI model (and some money). One needs bare minimum information.

  • VR says:

    The message on Iberia under the Combine my Avios section currently reads:
    “Sorry, Avios combination is temporarily unavailable on our website. If you need to use this service urgently, please contact our Customer Service Centre.”

    I called the contact centre and they advised me to log a ticket using “https://contacto.iberia.com/” (there’s a dropdown for Transfers). I just logged the ticket – let’s see. Hopefully there’s a way for genuine transfers to still take place.

  • numpty says:

    Based on the situation, is it safer to move all Avios to Qatar?

  • Jerome says:

    Can you move Avios from Qatar or Finnair to IB?

  • Neuromancer says:

    Looks like it.
    Mine are at Iberia and as IB cannot be transferred to Qatar or Finnair, it looks like my only option until they fix the things.
