Many of us are finally starting to plan our long-awaited holiday trips and vacations—perhaps the first chance for a real getaway since the pandemic started. You may plan on redeeming those long-untapped air miles or hotel points that have sat gathering dust in your loyalty programs. Imagine your surprise if you find the loyalty points have been siphoned away by cybercriminals who have defrauded or compromised your loyalty accounts.
Loyalty point programs have been around for a while and are a great tool for attracting and retaining customers, but at the moment we're seeing a surge in criminals targeting these programs to compromise accounts. The reason? There are a LOT of unused loyalty points out there: according to the Loyalty Security Association, in the U.S. alone 45% of accounts are considered inactive, meaning there are about $48 billion worth of unspent points sitting in member accounts, mostly unmonitored and perhaps forgotten. That's catnip to cybercriminals, who find these neglected points easy to compromise and monetize.
Why criminals target loyalty programs
For cybercriminals, compromising loyalty point accounts is low-hanging fruit. Even though these accounts may hold thousands of dollars of value, most consumers don't monitor them as closely as they monitor a bank or brokerage account. Many loyalty accounts are protected by nothing more than a username/password pair, and because so many consumers reuse passwords, criminals holding credentials leaked from other breaches can run automated credential-stuffing bots against loyalty logins with little effort. Once they control the points, criminals can cash them out, exchange them for hard-to-trace items such as gift cards, or sell them on the dark web, all at low risk to themselves. Criminals also know that a compromised loyalty account yields more than a one-time payout: it exposes personally identifiable information, trip and stay history, shopping patterns and stored payment details that feed identity theft and further fraud.
In fact, it's not just cybercriminals you should watch out for. Here are three types of loyalty fraud to keep an eye on:
- The Double Dip: This is when legitimate members defraud the program by "double-dipping," for example by redeeming the same points over the phone and online at the same time before the balance is reconciled. Members can also attach their loyalty number to a purchase they didn't make and accrue the points, or make a large purchase to generate points, redeem the points for a cash award, and then cancel the transaction. Legitimate members can likewise abuse program policy or business logic by exploiting loopholes: sharing coupons or promotional codes, violating merchant terms, or signing up for numerous credit cards linked to the same rewards program to harvest sign-up bonuses.
- The Insider Job: This is fraud committed by insiders or employees of your organization. With privileged access to the program's back office they can assign unused or unclaimed points to an account they control, or transfer points between accounts without a legitimate reason.
- The Cybercriminal: By far the greatest source of loyalty program fraud is cybercrime, and the most common route is account takeover (ATO) via credential stuffing, formjacking, or plain phishing to reach accumulated points and stored credit card details. Credential stuffing is a bad actor replaying large numbers of compromised credentials (usernames and passwords breached from one site) against another site's login, usually with automated tools. Because people reuse passwords across accounts, a small but profitable fraction of those attempts succeed, and the attacker then locks the legitimate member out by changing the password and contact details. Formjacking is a different route to the same outcome: malicious script injected into a loyalty program's web forms (often through a compromised third-party script) captures and transmits personal information as the consumer types it, handing the attacker the keys to the account to plunder at leisure or use for other nefarious purposes.
Defending and protecting loyalty point programs
Protecting your customers and your loyalty program from fraudulent activity is critical: left unaddressed, it severely damages consumer trust and brand reputation.
However, traditional cyber defenses are no longer enough to deter sophisticated attacks on loyalty programs. Blunt, needlessly restrictive controls such as short session timeouts, geo-blocking, a multi-factor prompt on every login, and CAPTCHAs on every form frustrate legitimate members, and the bot-oriented ones (CAPTCHAs, geo-blocking, naive rate limits) are cheaply bypassed. Multi-factor authentication itself remains a strong control; the problem is applying it indiscriminately rather than where the risk actually is.
For just a few dollars, attackers can plug low-cost CAPTCHA-solving services into their tooling to bypass basic bot defenses, and can buy higher-fidelity credential lists filtered for specific geographic targets. Criminal organizations change tactics quickly when defenders block them, and staying ahead of them becomes an almost insurmountable problem without specialized tools and a dedicated security team.
5 best practices to protect your loyalty program against fraud
Loyalty programs reward your business's most valuable customers and help you build stronger relationships with them. In the face of increasing attacks, protecting these programs and the rewards they hold is more important than ever. The following five best practices focus on the most common attack scenarios without unduly burdening legitimate members who simply want to check or redeem their points.
- Prevent new account fraud. New account fraud involves a fraudster creating loyalty accounts, often at scale, using stolen, synthetic, or otherwise false identities. With these accounts, criminals accumulate and resell points and abuse sign-up and referral promotions. Make sure your defenses can detect attempts to create many fake accounts, whether with automated tools or with sophisticated manual techniques such as low-volume registrations spread across many devices and networks.
- Mitigate account takeover efforts. Ensure your defenses can detect account takeover attempts by criminals intent on stealing points or exploiting saved customer data, and that they can adapt as attack patterns change. Monitor loyalty program traffic and use telemetry signals (request rate per source, distinct usernames per source, login failure rate, device and network characteristics) to distinguish malicious bots from humans and to spot anomalous behavior early.
- Protect rewards cash-out transactions. Ensure that reward redemptions and payments from credit cards linked to the account are legitimate by assessing the trustworthiness of each transaction and the customer identity behind it. Use tools that apply machine learning to transaction behavior, and employ adaptive authentication, which chooses the authentication process based on the risk of the request. For instance, step-up challenges such as a second factor should be required for high-risk activities like changing a password or contact email, adding a payment card, or cashing out a large number of points, while routine balance checks stay frictionless.
- Monitor for policy abuse. Put controls in place to limit financial losses from exploitation of coupons, promotions, discounts, or referral bonuses by assessing trust at every point of interaction, not just at login.
- Understand internal threats. Loyalty programs are also susceptible to insiders. Log and review staff activity in the program's administrative tools, alert on anomalies such as points adjustments to accounts with no supporting transaction, and limit employee access to loyalty program data to what each role requires.
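The credential-stuffing pattern described under "The Cybercriminal" above, the telemetry-based anomaly detection in "Mitigate account takeover efforts," and the adaptive step-up authentication in "Protect rewards cash-out transactions" are illustrated together in the following added example. It is not code from the original article or from F5; it is a self-contained sketch of the logic. The login events are constructed sample data (source addresses come from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24), and the thresholds and points cut-off are assumptions a real program would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample login telemetry (not real traffic) ---------------
# Each event: (timestamp, source_ip, username, login_succeeded)
BASE = datetime(2024, 6, 1, 12, 0, 0)

# A stuffing bot: 25 different usernames from one IP in 2.5 minutes, 2 hits.
STUFFING = [(BASE + timedelta(seconds=6 * i), "203.0.113.10",
             f"member{i:03d}@example.com", i in (4, 17)) for i in range(25)]
# An office NAT: 12 different staff log in successfully over two hours.
# Many users behind one IP is normal here and must NOT be flagged.
OFFICE = [(BASE + timedelta(minutes=10 * i), "192.0.2.5",
           f"staff{i:02d}@example.com", True) for i in range(12)]
# One member who mistypes her password once and then gets in.
NORMAL = [(BASE, "198.51.100.7", "alice@example.com", False),
          (BASE + timedelta(seconds=30), "198.51.100.7", "alice@example.com", True)]
LOGIN_EVENTS = STUFFING + OFFICE + NORMAL


def flag_stuffing_sources(events, window=timedelta(minutes=5), min_attempts=20,
                          min_distinct_users=10, max_success_rate=0.2):
    """Return {ip: stats} for sources that, within any sliding time window,
    try many distinct usernames with a low success rate.  The combination of
    the three conditions is what separates a stuffing bot from a busy NAT
    (many users, high success) or a forgetful member (one user, many fails).
    Thresholds are assumptions; tune them on your own traffic."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            if len(span) < min_attempts:
                continue
            distinct = {u for _, u, _ in span}
            rate = sum(ok for _, _, ok in span) / len(span)
            if len(distinct) >= min_distinct_users and rate <= max_success_rate:
                flagged[ip] = {"attempts": len(span), "distinct_users": len(distinct),
                               "success_rate": round(rate, 2)}
                break
    return flagged


def compromised_accounts(events, flagged_ips):
    """Accounts that a flagged source logged into successfully: these are the
    takeovers, and they need a forced credential reset and a redemption hold."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged_ips})


# --- Adaptive (risk-based) step-up authentication --------------------------
HIGH_RISK_ACTIONS = {"change_password", "change_email", "add_payment_card"}
CASH_OUT_STEP_UP_POINTS = 25_000  # assumption: program-specific threshold


def step_up_required(action, points=0, source_ip=None, flagged_ips=(), new_device=False):
    """Decide whether this request must pass a second factor before proceeding.
    Returns (required, reasons).  Low-risk actions from known devices on clean
    sources go through without friction; anything sensitive, large, or coming
    from a source already flagged for stuffing is challenged."""
    reasons = []
    if action in HIGH_RISK_ACTIONS:
        reasons.append("sensitive account change")
    if action == "redeem" and points >= CASH_OUT_STEP_UP_POINTS:
        reasons.append(f"large redemption ({points} points)")
    if source_ip in flagged_ips:
        reasons.append("source flagged for credential stuffing")
    if new_device:
        reasons.append("unrecognised device")
    return (len(reasons) > 0, reasons)


if __name__ == "__main__":
    flagged = flag_stuffing_sources(LOGIN_EVENTS)
    print("flagged sources:", flagged)
    print("accounts to reset:", compromised_accounts(LOGIN_EVENTS, flagged))
    print(step_up_required("redeem", points=500, source_ip="198.51.100.7", flagged_ips=flagged))
    print(step_up_required("redeem", points=40_000, source_ip="198.51.100.7", flagged_ips=flagged))
    print(step_up_required("view_balance", source_ip="203.0.113.10", flagged_ips=flagged))
```

Run as-is, the script flags only 203.0.113.10 (25 usernames, 8% success), leaves the office NAT and the member who mistyped her password alone, lists member004 and member017 as accounts to reset, and demands a second factor for the 40,000-point redemption and for any request arriving from the flagged source, while the 500-point redemption from a clean source goes through unchallenged. In production the same signals would come from your login and redemption telemetry rather than an in-memory list, and the flagged-source set would feed both the bot-defense layer and the redemption workflow.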
Help your customers avoid loyalty point fraud
In addition to protecting your loyalty program and its assets, help your program members defend their points and rewards from fraud by sharing the following tips:
- Members should monitor their loyalty accounts just like other financial accounts. Loyalty programs can hold thousands of dollars of value, so your customers should check their balances and recent activity regularly to make sure nothing has been tampered with.
- Take advantage of enhanced security options. If available, encourage members to use additional security features like multi-factor authentication. Every additional layer of security makes it more difficult for fraudsters to compromise an account.
- Be careful of travel promotion emails and social media posts. Educate your customers on how and where you communicate promotions, and make sure they understand that travel offers that seem too good to be true probably are. Unsolicited email offers and deals that pop up in their feed are likely phishing attempts designed to steal personal data, including login credentials and credit card numbers. Before responding or providing any information, members should contact the loyalty program directly (by typing the program's address or using its app, not by following links in the email or post they received) to confirm the offer or request is genuine. Checking the sender's email address helps, but it is not sufficient on its own, since display names and sender addresses are easily spoofed.
F5 is proud to help organizations defend against loyalty program fraud
Learn how F5 continues to protect organizations from the automated attacks and fraudulent activity that damage brands by targeting member accounts to harvest valuable reward points and miles. Read this customer story to learn how Distributed Cloud Bot Defense helped a major global airline stop automated website attacks that had been compromising its frequent flyer accounts.
Explore ways we can help you ensure that loyalty points, gift card values, and other stored values remain in your customers' hands—and not criminals'—by visiting: https://www.f5.com/solutions/ecommerce