Loyalty programs are so ubiquitous today that most of us would be hard-pressed to count how many we’ve signed up for. Earning a complimentary service or item is always a friendly reminder that you are valued as a client. However, that warm feeling could quickly change when you find that not only was the freebie already redeemed by someone else, but all your account details have been compromised. At that point, you will likely not have any warm feelings left towards that brand.
72% of customer loyalty programs have been compromised through theft or fraud. If you’re asking yourself why anyone would bother to defraud a company for a free coffee, it’s worth noting that in the US, the monetary value of loyalty program rewards is $48 billion. That’s more than enough to tempt hordes of fraudsters to try and swipe a piece of the loyalty program pie.
To protect your brand’s loyalty program from fraudsters, it’s essential to understand loyalty fraud, how it works, and who it targets.
Loyalty Program Fraud: How Secure Are Your Customers’ Rewards?
Loyalty program fraud, often referred to as rewards or points fraud, occurs when individuals abuse brand loyalty programs for wrongful monetary gain.
Suppose this individual is a legitimate customer (or even an employee). In that case, they might use a ‘hack’ to exploit a loophole in the reward terms and conditions to get a better deal for themselves.
A far more dangerous type of loyalty program fraud is perpetrated by organized, tech-savvy fraudsters who might be phishing for customer data and points or loyalty rewards that can be resold or otherwise exploited.
For brands across many industries, loyalty programs are an effective way to boost brand recognition, customer loyalty, and customer spending; such programs are table-stakes to remain competitive in the market. The airline industry is one excellent example of an industry that extensively leverages loyalty programs to boost customer trust and spending. Airlines are heavily targeted with frequent flyer miles and related scams.
Prices of hacked frequent flyer accounts on the black market (Source)
How it Works: Common Tactics Used in Loyalty Program Fraud
Thieves are always looking to improve and perfect their techniques to get the maximum value for minimal investment. The tactics chosen usually depend on the scammers’ goal: simply abusing the loyalty program or, worse, taking over the accounts of legitimate customers and stealing their hard-earned loyalty rewards.
1. Fake Websites
Fraudsters can spoof legitimate login pages or create fake websites that look identical to legitimate brands’ sites. They aim to trick customers into divulging login credentials or other sensitive information, with victims naively believing that they are on a genuine site. Once obtained, the stolen credentials are used to access loyalty accounts (account takeover) and then redeem points, vouchers, trip credits, and rewards. Account takeovers are particularly damaging to businesses’ relationships with customers and to brand perception.
2. Phishing and Social Engineering
Phishing, smishing, and other social engineering scams may be used to lure customers to another page, such as a fake website or login page. But they can also be used to steal customer details directly by simply… asking for them.
By pretending to be somebody else (often either a loved one or even the company whose loyalty program they are planning to exploit) and using deceptive messaging, fraudsters will trick customers into sending them their account details. Login information can be revealed directly via emails, phone calls, messages, or DMs on social media. Similar to the first example, this tactic leads to account takeover.
3. Synthetic Identity Fraud
An individual or group can easily register for a loyalty program multiple times using email aliases (additional addresses that deliver to the same email account). Fraudsters often use alias addresses to sign up for loyalty or referral programs and exploit discounts or freebies offered to new customers or to those who refer them.
Another common technique for exploiting loyalty programs through multiple accounts is to create synthetic identities. These identities combine real and fake customer information and can be used to register for programs numerous times and rack up rewards without being detected. For example, some fraudsters use PO boxes as addresses to receive free giveaways sent to new subscribers.
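The alias-based duplicate signups described above are often catchable at registration time by canonicalizing the email address before checking for an existing account. The following is an added example, not code from the original post or from Memcyco; it assumes a hypothetical signup list and a policy of stripping plus-addressing tags for every domain and ignoring dots only for providers known to treat them as insignificant (Gmail and googlemail.com). Which providers belong in that set is an assumption you would tune for your own customer base.

```python
import re
from collections import defaultdict

# Constructed sample of signup records for a hypothetical loyalty program.
SIGNUPS = [
    {"id": 1, "email": "jane.doe@gmail.com"},
    {"id": 2, "email": "janedoe+promo1@gmail.com"},
    {"id": 3, "email": "JaneDoe+promo2@googlemail.com"},
    {"id": 4, "email": "bob@example.com"},
    {"id": 5, "email": "bob+newcustomer@example.com"},
    {"id": 6, "email": "alice@example.com"},
]

# Assumed policy: these providers ignore dots in the local part, and
# googlemail.com delivers to the same mailbox as gmail.com.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonical_email(addr: str) -> str:
    """Reduce an address to the form shared by all of its aliases."""
    addr = addr.strip().lower()
    if not EMAIL_RE.match(addr):
        raise ValueError(f"not a plausible email address: {addr!r}")
    local, _, domain = addr.rpartition("@")
    domain = DOMAIN_ALIASES.get(domain, domain)
    # Plus-addressing (user+tag@domain) routes to user@domain.
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def find_duplicate_signups(signups):
    """Group signup ids by canonical email; return only groups with >1 signup."""
    groups = defaultdict(list)
    for s in signups:
        groups[canonical_email(s["email"])].append(s["id"])
    return {email: ids for email, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    for email, ids in find_duplicate_signups(SIGNUPS).items():
        print(f"{email}: signups {ids} share one mailbox")
```

Canonicalization is a first filter, not proof of fraud: legitimate households share mailboxes, so route the match to a review queue or withhold the new-customer bonus rather than rejecting the signup outright.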
5 Ways To Prevent Loyalty Program Fraud
1. Use Real-time Behavior Analytics
One of the best ways to check whether your loyalty program is being hacked is to look at the behavior of the accounts in the system. Depending on your website security stack, some of the signals to look for are:
- Multiple users submitting the same billing address hash in a short period;
- Customers who changed more than three ISPs in a short period;
- Users frequently switching browsers or accessing pages in a way that doesn’t follow typical user journeys.
Real-time user behavior analytics can help you identify these anomalies and flag suspicious activities as they happen. This is particularly useful in catching fraudsters exploiting vulnerabilities in your system, such as manipulating API endpoints or using stolen credentials.
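The three signals listed above can be expressed as sliding-window checks over an account activity log. This is an added example, not code from the original post or from Memcyco; it assumes a constructed event log with a timestamp, account id, billing-address hash, ISP label and browser family, and it uses thresholds (three accounts on one billing hash within 30 minutes, more than three ISPs or browsers per account within an hour) that you would calibrate against your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, billing-address hash, ISP, browser).
EVENTS = [
    ("2024-05-01T10:00:00", "acct_01", "h_aaa", "isp_a", "chrome"),
    ("2024-05-01T10:02:00", "acct_02", "h_aaa", "isp_a", "chrome"),
    ("2024-05-01T10:04:00", "acct_03", "h_aaa", "isp_a", "chrome"),
    ("2024-05-01T10:06:00", "acct_04", "h_aaa", "isp_b", "firefox"),
    ("2024-05-01T10:10:00", "acct_05", "h_bbb", "isp_c", "safari"),
    ("2024-05-01T11:00:00", "acct_05", "h_bbb", "isp_d", "safari"),
    ("2024-05-01T11:05:00", "acct_05", "h_bbb", "isp_e", "chrome"),
    ("2024-05-01T11:09:00", "acct_05", "h_bbb", "isp_f", "firefox"),
    ("2024-05-01T11:12:00", "acct_05", "h_bbb", "isp_g", "edge"),
    ("2024-05-02T09:00:00", "acct_06", "h_ccc", "isp_a", "chrome"),
    ("2024-05-03T09:00:00", "acct_07", "h_ccc", "isp_a", "chrome"),
]

ACCOUNT, BILLING_HASH, ISP, BROWSER = 1, 2, 3, 4


def parse(events):
    """Parse timestamps and return rows sorted by time."""
    rows = [(datetime.fromisoformat(ts), a, h, i, b) for ts, a, h, i, b in events]
    return sorted(rows, key=lambda r: r[0])


def shared_billing_hash(events, window=timedelta(minutes=30), min_accounts=3):
    """Flag billing-address hashes submitted by >= min_accounts distinct accounts within window."""
    by_hash = defaultdict(list)
    for row in parse(events):
        by_hash[row[BILLING_HASH]].append((row[0], row[ACCOUNT]))
    flagged = {}
    for bh, rows in by_hash.items():
        for i, (start, _) in enumerate(rows):
            accounts = {a for t, a in rows[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[bh] = sorted(accounts)
                break
    return flagged


def per_account_churn(events, field, window=timedelta(hours=1), max_distinct=3):
    """Flag accounts seen with more than max_distinct values of `field` (ISP or BROWSER) within window.

    Returns {account: number of distinct values observed in the offending window}.
    """
    by_account = defaultdict(list)
    for row in parse(events):
        by_account[row[ACCOUNT]].append((row[0], row[field]))
    flagged = {}
    for acct, rows in by_account.items():
        for i, (start, _) in enumerate(rows):
            values = {v for t, v in rows[i:] if t - start <= window}
            if len(values) > max_distinct:
                flagged[acct] = len(values)
                break
    return flagged


if __name__ == "__main__":
    print("shared billing hash:", shared_billing_hash(EVENTS))
    print("ISP churn:", per_account_churn(EVENTS, ISP))
    print("browser churn:", per_account_churn(EVENTS, BROWSER))
```

In production these checks would run against a stream rather than a list, but the logic is the same: anchor a window at each event and count distinct values inside it. A hit should raise the risk score on the affected accounts (step-up authentication, hold on redemptions) rather than block outright, since shared addresses and mobile carrier switching also occur legitimately.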
2. Harden Login Protocols
Although such measures may add friction for clients accessing the loyalty program, ease of use should never come at the expense of lax cybersecurity. Some of the controls you may choose to implement are:
- Use multi-factor authentication (MFA) for customer logins;
- Leverage risk-based authentication to tailor security measures based on user behavior and risk levels;
- Introduce biometric verification (voice, fingerprints, or face identification) for added convenience and security;
- Add CAPTCHAs and limit incorrect password attempts to block automated brute-force attacks.
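The last item, limiting incorrect password attempts, is usually implemented as a failure counter keyed on both the account and the source address, with a temporary lockout once the threshold is reached. The following is an added example, not code from the original post or from Memcyco; the thresholds (five failures in fifteen minutes, thirty-minute lockout), the constructed attempt sequence and the `attempt_login` helper are all assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginThrottle:
    """Sliding-window failed-login counter with temporary lockout per key."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> datetime the lockout expires

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[key]            # lockout expired; start clean
        self.failures[key].clear()
        return False

    def record_failure(self, key, now):
        """Record one failure; return True if this failure triggered a lockout."""
        self._prune(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            self.failures[key].clear()
            return True
        return False

    def record_success(self, key):
        self.failures[key].clear()


def attempt_login(throttle, username, source_ip, password_ok, now):
    """Return 'locked', 'ok' or 'failed'. Counts failures per account and per IP."""
    keys = (f"acct:{username}", f"ip:{source_ip}")
    if any(throttle.is_locked(k, now) for k in keys):
        return "locked"
    if password_ok:
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k, now)
    return "failed"


def simulate():
    """Constructed sequence: six rapid wrong passwords, then correct ones during and after lockout."""
    t = LoginThrottle()
    t0 = datetime(2024, 5, 1, 12, 0, 0)
    results = []
    for i in range(6):
        results.append(attempt_login(t, "jane", "203.0.113.9", False,
                                     t0 + timedelta(seconds=10 * i)))
    # Correct password, but the account is still locked.
    results.append(attempt_login(t, "jane", "203.0.113.9", True, t0 + timedelta(minutes=1)))
    # After the lockout expires the legitimate login succeeds.
    results.append(attempt_login(t, "jane", "203.0.113.9", True, t0 + timedelta(minutes=31)))
    return results


if __name__ == "__main__":
    print(simulate())
```

Keying on the account alone lets an attacker lock legitimate customers out by deliberately failing their logins, and keying on the IP alone is defeated by distributed attempts, which is why both counters are kept. Keep lockouts short and pair them with a CAPTCHA or step-up challenge so the control raises the cost of guessing without becoming a denial-of-service lever.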
3. Define Clear Terms And Conditions And Redemption Policies
Examine your loyalty program’s terms and conditions to find any possible gaps (such as referral bonuses or special offers for new clients). The sooner you detect these weaknesses, the sooner you can implement extra safeguards to fix them. You can also habitually visit ‘hack’ forums (like this one for car loyalty hacks) to check if you missed any loopholes.
Clarify the scope of any insurance protection related to loyalty rewards in your Terms and Conditions. Some customers may assume their airmiles or other loyalty program benefits are automatically protected, so it’s essential to make that clear to manage expectations and avoid confusion.
Equally important is setting a maximum discount value and limiting the number of redemptions allowed per user. Try to find the right balance between rewarding your clients and making it unprofitable to abuse your loyalty program.
4. Detect Website Impersonation Attempts
Credential theft and account takeover attacks often involve spoofed websites and web apps. These websites and apps are frequently employed to trick users into submitting their login information.
Once attackers gain access to these credentials, they can log in to user accounts, steal loyalty points, redeem rewards, or even use them for fraudulent activities. Tracking and mitigating the damage caused by spoofed loyalty program login pages is key to protecting customer accounts and your brand reputation.
With Memcyco, you can embed a nano defender into your site to thwart attacks and discourage fraudsters from cloning your website pages. Anyone copying the site would inadvertently copy this hidden component, which immediately flags the mirroring site as a fake and alerts you.
In addition, you will get notified whenever a customer enters their login information into the spoofed website, while the malefactors receive spoofed and incorrect passwords from the Memcyco tool.
5. Execute Penetration Testing And Fraud Simulation Exercises
To verify the robustness of your loyalty program systems, step into the shoes of a fraudster and try to “break” them. Add your loyalty program software and systems to your application testing protocols to check how easy it is to access them, extract a single user’s data or the entire database, and escalate permissions.
Remember that the loyalty program is not a standalone, disconnected system. The client’s information in that system should be just as well defended as the payment and transaction information you hold.
Threading the Needle of Rewarding Loyalty While Mitigating Fraud
Loyalty programs drive organic growth: 8 in 10 consumers are likely to keep doing business with a brand based on its loyalty program. The challenge is to reward desired customer behaviors while staying within your promotion budget and without the program being abused or misappropriated. Taking the time to think things through and plan accordingly will go a long way toward reducing the inherent risks of such a program, and using the proper detection and fraud prevention tools will make a huge difference.
Memcyco’s digital impersonation suite addresses every stage of potential loyalty program scams—from the moment fraudsters scan your website for purposes of digitally impersonating your brand to the time when they victimize your loyal customers into surrendering login credentials.
Leveraging Memcyco’s patented technology and AI-powered user behavioral analytics, you will dramatically lower the risk of loyalty fraud and its potential damage. Learn more here.
Charlie Madere is the Vice President of Sales at Memcyco.