Loyalty programme fraud soared last year, driven predominantly by the amount of personally identifiable information available from increasing numbers of data breaches. As Douglas Blakey reports, direct and indirect losses from loyalty and reward points fraud are now estimated at a staggering $1bn every year.

Introduction: Enterprises are struggling to limit damage as fraud attacks shift from the point of transaction to different elements of the buyer’s journey. This includes new account signup, login, and promotion and coupon use.

Loyalty programmes have grown steadily in the last decade, with memberships increasing nearly 10% year on year. Consumers have accumulated $48trn of unspent loyalty points globally.

Cyber criminals are increasingly taking advantage of loyalty programmes in several ways. Loyalty points offer a currency as valuable and untraceable as cash. The result: damage to brand reputation and monetary losses to merchants and consumers alike.

According to e-commerce fraud prevention tech specialists Forter, the most significant attacks include:

  • Account takeover: Fraudsters hack into member accounts, exploiting accumulated points and payment instruments saved in the account;
  • New account fraud: Fraudsters create fake accounts, often using stolen identities, and use them to accumulate, store, sell, and redeem stolen points; and
  • Policy abuse: Consumers overshare coupons or promotional codes, violating merchant policies and illegitimately gaining programme rewards.

Attacks on loyalty programmes come from several sources:

  • Fraudsters: Sophisticated professionals — whether lone attackers or those operating in fraud rings — monetize points associated with loyalty programmes;
  • Insiders: Merchants’ employees take advantage of their access to customer accounts for any of the three attack vectors referenced above;
  • Customers: Considering themselves savvy shoppers, customers misuse loyalty programmes’ policies to gain rewards unfairly.

Merchants are unprepared

One of the best reports of the year to hit the editorial desk here is Forter’s seventh Fraud Attack Index. It reveals that attacks on loyalty programmes increased 89% in the first quarter of 2019 compared to 2018.


Forter’s research finds that too many merchants are simply unprepared to protect their loyalty programmes. Forter notes that 42% of merchants state that they do not have the skills required to prevent fraud and abuse. Meanwhile, almost 50% report insufficient resources and say that loyalty programme account fraud prevention is considered a low organisational priority.

One can then add into the mix consumer ignorance. Perhaps a lack of engagement with rewards programme membership would be a kinder explanation.

Rewards points accounts often go unchecked

Even simple chores such as checking rewards programme balances are not something a lot of us do regularly.

When was the last time you checked the balance of any of your loyalty cards?

For this writer, the Amex BA card with its Avios points is the only one I am really engaged with. The excellent loyalty scheme means that Avios points soon accrue, and this combines with one other crucial feature of any worthwhile loyalty programme. That is, the rewards are meaningful and easily monetised. So I would claim to be something of an anorak as regards BA Avios.

But other than Avios, at least for me, I could not guesstimate how many Nectar points or Tesco points I might have. Hotel loyalty programmes, ditto. I know that I have been enrolled into programmes run by Accor and Hilton but cannot recall the last time I studied a points statement. As for my primary bank? Forget it. UK banks do not really get loyalty programmes in the manner of banks in, say, Canada or the US.

On asking around one’s work colleagues, friends and family, as I suspected, I am not alone in disengagement from loyalty programmes. The Boots scheme gets a few favourable mentions. On the other hand, on a very rudimentary straw poll, few people I quizzed had a clue about their approximate Nectar balance.

45% of loyalty programme accounts inactive: Forter

So it comes as little surprise to learn from Forter that as many as 45% of loyalty programme accounts are inactive. Loyalty programmes have grown tremendously in the last decade. Membership rose from 2.6 billion to 3.8 billion between 2012 and 2016 alone. Moreover, Forter forecasts that this figure will continue to grow to hit over 5 or 6 billion in the next few years.

The rise in customer expectations and frequent price promotions are encouraging consumers to switch to the best offer. And according to the Colloquy Loyalty Census, a whopping 22% of consumers shop exclusively with brands whose loyalty programmes they have joined.

The increase in loyalty programme fraud has been driven by the enormous amount of personally identifiable information that has become available via massive data breaches. In the first six months of 2019 alone, 3,800 data breaches exposed 4.1 billion records.

According to Forter, the average impact of a data breach is a 5% drop in share price and a 7% loss of customer base.

Damage to enterprises:

This takes many forms with examples including:

  • Tarnished reputation: Loyalty programme executives report that the biggest impacts of loyalty programme fraud are on brand reputation and customer experience.
  • Lost revenue: When fraudsters redeem points, merchants replace the stolen points, doubling the loss to the business.
  • Stifled business growth: Those same executives further report that loyalty sign-up abuse leaves them unable to provide new offerings, such as aggressive promotions or gift cards, due to the risk of abuse or loss.

The Forter report is a timely wake-up call for loyalty programmes to act now to ensure they have the appropriate levels of e-commerce fraud prevention.