Avios fraudulently transferred from my BAC account to an Iberia account
Hi all, just gone through my emails having received hundreds of spam. One of them was from BA to acknowledge the transfer of my full balance of 91,000 Avios to an Iberia account. Obviously this wasn’t me. Could some kind person please point me in the direction of previous posts on this, so that I can try and resolve? Thanks
Sorry to hear this – here’s a recent HfP article, there are other posts in the forums on the same topic, if you use the google search method on the forum for ‘stolen’ they’ll pop up, see the first pinned post on the forum page for the search syntax
Hi @rickla
Here are some threads with similar circumstances to yours and how people resolved the situation:
https://www.headforpoints.com/forums/topic/account-hacked-avios-stolen/
https://www.headforpoints.com/forums/topic/account-hacked/
Hope your Avios are returned to you soon
Have you called BA yet?
That’s the first thing to do!
Thanks for help and advice all. Much appreciated
Exactly the same happened to me and others too based on the threads here. It is crazy that BA aren’t locking this down as the method is the same every time – i.e. using an Iberia account etc. I reported to BA, had my account locked and it was sent to their fraud team – they said 10 days to respond… it’s now been a month and not heard back yet. It seems there isn’t much you can do to hurry them along.
A longer term symptom is you will continue to get a lot of emails from the things you were signed up to.
Could this happen if you already had an Iberia account which you’ve made transfers to, or could the fraudsters just substitute a different one?
@NorthernLass – I don’t know, but I have never transferred Avios to an Iberia account before, though I do have an Iberia account.
I remember that my Iberia and BA email addresses had to match when I set up transfers, and I thought that was ‘safe’.
However, I think all bets are off if your BA account is compromised – (a) fraudulent email address changed there (hidden by spam flood), (b) fraudulent account previously set up at IB with that email address, (c) suck those Avios away…
This has just happened to me too, 350,000 avios (all of them) transferred from BAEC to an Iberia account. I don’t have an Iberia account.
The email was hidden in a sea of hundreds of spam emails that started flooding my Gmail late yesterday evening (they’re still coming through now), thankfully I was busy filtering and spotted the avios transfer email. Immediately got on the phone to the USA BAEC line (UK closed) and told the account would be suspended for audit and I’d hear back in “7 working days”.
My father is having cancer treatment in the USA and was about to book flights over, so this is incredibly stressful.
I’m almost certain this is a dark web password leak so will be spending the next few days auditing everything and bolstering password security across the board. How this can happen on this scale without 2FA or secondary verification is shocking.
If anyone has any tips or guidance beyond what’s clearly out there on threads and the press already, massively appreciated.
I’m in the same boat. Don’t have an account with Iberia and they’ve taken 163,000 Avios. Only found out because I was trying to book a holiday. Complained to BA, heard nothing and their complaint tracking isn’t working!
I’m getting the impression that all of these fraudulent transfers involve people who have hitherto not had Iberia accounts. Might it be worth opening one just to protect oneself?
My account has been suspended for over a month now. Well over the 7-10 days indicated. It looks from other threads on this topic there is nothing you can do to speed up the fraud team process – but does anyone have any positive stories to share on this?
It’s simply crazy that the same scam is being repeated time and again and not being stopped.
I think everyone eventually gets their avios back – don’t recall ever hearing about anyone that didn’t.
I got mine back early last year when they were stolen via Qatar. It also took way longer than 7-10 days.
Same story as above called BA on WhatsApp waited 2 weeks nothing so WhatsApp again – nothing they could do other than confirm they passed it on to Fraud dept. After a month raised a complaint on the website – not even had an acknowledgement
Has anyone got any further?
Just over a year ago, all my Avios were transferred from my BAC account to an IB account, which was not mine. I posted my experience in one of the threads @Skywalker posted above. It took just under 3 weeks for all my Avios to be returned. I have had an IB account for many years, which was not touched. The email for my BA account had been changed from hotmail.com to outlook.com. I did not get bombarded by spam emails.
Unfortunately, I am facing the same fate at the moment. My BAC account has now been suspended pending fraud investigation as 181,000 Avios were stolen on 5 July 2025. The points were transferred to an unidentified/unrecognised Iberia Plus account (certainly not mine). No call or update from BA fraud team so far after lodging the report.
I was alerted to over 900+ spam emails jamming my inbox and spam folders at 4pm on 5 July 2025. Only realised my Avios pot was ‘emptied’ out at 7pm on logging into my AMEX and BA accounts. Took under 15 minutes to call BA call centre to report it immediately.
Recalling an article by Rhys of his 500,000 Avios being stolen not long ago, I decided to go through those spam emails one by one later that evening. Amongst those (started to come in at 3:27pm) was an email notification from BA at 3:28pm that my 181,000 Avios were moved to the said unidentified/unrecognised Iberia Plus account.
BA has literally just unlocked my account and reinstated the stolen Avios after a ‘thorough investigation’.
I reported the fraudulent transfer on 5 July 2025 but the BA fraud team only contacted me (with case ID assigned) on 21 July 2025 by email to request the following before investigation could take place: –
1) Proof of ID;
2) Proof of address; and
3) Password reset.
Very pleased that BA has reinstated the stolen Avios without much fuss but couldn’t help to question the effectiveness of BA investigation in stemming out such fraud given the scale (i.e. similar modus operandi being repeatedly used by fraudsters over a long period of time). More so, investigation by BA only took place 2 weeks after reporting the fraud. What happened to the stolen Avios remains a mystery.
It’s been suggested that you should set up an Iberia account and link it to your BA account.
Then, fraudsters can not set up a new Iberia account and steal your avios.
To debunk the ‘myth’, I already have an Iberia account and it has been ‘linked’ to my BA account for many years. Had done multiple transfers between the two accounts in the past. And yet, it didn’t prevent my Avios pot from BA account being ‘stolen’ and transferred to an unidentified/unrecognised/unrelated Iberia account this time.
Just if it helps someone else, I hadn’t heard anything after reporting the fraud a month ago and having my account locked at that time. I chased up via the BA Club / Avios WhatsApp Chat function (the link is on the BA website). You need to type “agent” a few times to get in direct touch with a human. When I did get through, the agent could see that it hadn’t been properly escalated and they did so there and then. I got an email within 24 hours, provided the ID documents asked for (same as the person posting above) and the account was re-instated the next day with missing Avios restored.
it didn’t prevent my Avios pot from BA account being ‘stolen’ and transferred to an unidentified/unrecognised/unrelated Iberia account this time.
That’s extremely poor. Clearly there is an exploit at work here beyond simply hacking the BA account, I imagine BA/IB are working to resolve this. I keep the bulk of my Avios pot in Finnair as their 2FA seems strong (app based in my case), although if there is a deeper flaw in account linking then that might not actually be an adequate protection, as I think behind the scenes what happens when you transfer between Finnair and BA is a “pull” from BA/IAG.
*** Please use a unique password for every website that would matter to you if it got hacked. ***
I recommend the Bitwarden app — it can generate and save word-based passphrases that are easy to type and very hard to break. Unfortunately BA does not allow very long passwords so you may need to truncate the words (to be exact, BA allows you to set long passwords, but you cannot log in with them, which is stunningly poor IT design/implementation/testing on somebody’s part).
A few people I know still use a pen-and-paper book for passwords. Whilst, on the one hand, this is terrible security, it is still much, much better than repeatedly using the same password everywhere. Bonus points for using a secret code in the book which only you know for decoding the passwords, and never keeping the book with your phone or computer.
Another recommendation to BA is to make changing passwords easier.
At this time I’m logged in via a desktop to my BAEC account. “Your Profile” then “Login Details” only allows me to change my email address. Searching for “change password” seems to suggest logging out and following the “forgot my password” workflow to have it reset. And even that is a few options down, under household account, family/friends and third-party nominees.
Even social media sites have dedicated security centres for this kind of thing.
Hardly straight-forward unless I’ve missed something obvious?
This has just happened to me too, 350,000 avios (all of them) transferred from BAEC to an Iberia account. I don’t have an Iberia account.
The email was hidden in a sea of hundreds of spam emails that started flooding my Gmail late yesterday evening (they’re still coming through now), thankfully I was busy filtering and spotted the avios transfer email. Immediately got on the phone to the USA BAEC line (UK closed) and told the account would be suspended for audit and I’d hear back in “7 working days”.
My father is having cancer treatment in the USA and was about to book flights over, so this is incredibly stressful.
I’m almost certain this is a dark web password leak so will be spending the next few days auditing everything and bolstering password security across the board. How this can happen on this scale without 2FA or secondary verification is shocking.
If anyone has any tips or guidance beyond what’s clearly out there on threads and the press already, massively appreciated.
If a useful data point, this has now been resolved and all Avios reinstated. Was provided with several rounds of contradictory instructions and requests, but persevered and once actually reviewed by someone from the audit team, resolved within 36 hours. Sadly meant I missed being able to take advantage of the separate ‘Great Avios IT error’…
BA has literally just unlocked my account and reinstated the stolen Avios after a ‘thorough investigation’.
I reported the fraudulent transfer on 5 July 2025 but the BA fraud team only contacted me (with case ID assigned) on 21 July 2025 by email to request the following before investigation could take place: –
1) Proof of ID;
2) Proof of address; and
3) Password reset.
Very pleased that BA has reinstated the stolen Avios without much fuss but couldn’t help to question the effectiveness of BA investigation in stemming out such fraud given the scale (i.e. similar modus operandi being repeatedly used by fraudsters over a long period of time). More so, investigation by BA only took place 2 weeks after reporting the fraud. What happened to the stolen Avios remains a mystery.
Yeah, my partner lost 130k avios in this way on July 2nd. Hundreds of spam emails but I combed through each one and came across the transfer to an Iberian account neither of us have. Called BA immediately but as of today still just locked out of the account and heard nothing from them.
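The manual triage several posters describe (combing through a flood of spam to find the one genuine transfer notification) can be scripted. This is an added example, not part of the original thread; the domains in `KNOWN_DOMAINS`, the keyword list, the thresholds and the sample messages are all constructed placeholders.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumptions: placeholder domains for services you hold accounts with, and
# subject words that suggest an account or balance change.
KNOWN_DOMAINS = {"airline.example", "bank.example"}
KEYWORDS = ("transfer", "password", "email address", "login")

def is_known(domain):
    # Exact or subdomain match only, so "airline.example.evil.test" fails.
    return any(domain == k or domain.endswith("." + k) for k in KNOWN_DOMAINS)

def triage(raw_messages, window=timedelta(minutes=30), burst=20):
    """Return (flood_detected, alerts) for raw RFC 5322 messages.

    From headers are forgeable: alerts are a shortlist to verify by logging
    in to the service directly, never by following links in the mail.
    """
    parsed = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
        try:
            when = parsedate_to_datetime(msg.get("Date"))
        except (TypeError, ValueError):
            continue  # no usable Date header: cannot place it in a window
        parsed.append((when, domain, msg.get("Subject", "")))
    parsed.sort(key=lambda p: p[0])
    # Flood: mail from `burst` distinct unknown domains inside one window.
    flood, start = False, 0
    for end in range(len(parsed)):
        while parsed[end][0] - parsed[start][0] > window:
            start += 1
        if len({d for _, d, _ in parsed[start:end + 1] if not is_known(d)}) >= burst:
            flood = True
            break
    alerts = [p for p in parsed
              if is_known(p[1]) and any(k in p[2].lower() for k in KEYWORDS)]
    return flood, alerts

def sample_mailbox():
    """Constructed sample: 25 sign-up mails, one real notice, one lookalike."""
    t = "From: {}\nDate: Mon, 01 Jan 2024 15:{:02d}:00 +0000\nSubject: {}\n\nbody\n"
    msgs = [t.format(f"news@list{i}.test", 27 + i % 3, "Confirm your subscription")
            for i in range(25)]
    msgs.append(t.format("Club <no-reply@mail.airline.example>", 28,
                         "Your points transfer is complete"))
    msgs.append(t.format("x@airline.example.evil.test", 29, "Password changed"))
    return msgs
```

A `True` flood flag together with any alert is the cue to check the named account straight away, since the posts above show the transfer notice arriving within minutes of the flood starting.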