For businesses, customer loyalty programs provide extra value and show customer appreciation (while encouraging customers to spend more money). Customers can use VISA cards to rack up airline miles, use hotel stays to amass points that lead to perks and free hotel rooms, and now even use MyMcDonald's Rewards cards, with which they earn 100 points for every dollar spent: 1,500 points gets you a free cheeseburger.
Loyalty cards used to be simple plastic cards with magnetic strips. Swipe the card. Earn points. Many brands have replaced these cards with apps that allow program members to tally up their rewards. According to Deepak Nautiyal of Annex Cloud, a marketing firm, “Customer loyalty cards often serve as a sort of souvenir in some way, as these remind the customers of being acknowledged due to their loyal association with your brand”.
But behind these loyalty cards and apps lurks an opportunity for loyalty fraud. With more than $48 trillion of unspent loyalty points globally, fraudsters around the world are targeting rewards programs. According to a 2019 report by Forter Fraud Index, loyalty program fraud has seen an 89% increase year-over-year. The COVID-19 pandemic hasn’t stemmed the tide of loyalty fraud. In some cases, it has exacerbated the problem by leaving rewards untouched. For example, unused frequent flyer balances have become lucrative targets for fraudsters.
According to the Mordor Intelligence report, the cost of loyalty fraud is estimated to be more than $1 billion every year. There are several reasons why fraudsters are targeting loyalty programs and their beneficiaries:
- Fraud is Unanticipated — Many businesses view loyalty programs as a low risk for fraud. Fraudsters can “fly under the radar” to scoop up points.
- Easy Targets — Loyalty programs often have few protections.
- Increasing Value — Points have increased in value as businesses offer competitive loyalty programs to attract customers.
- Increased Liquidity — There are several ways to redeem points, which makes them attractive to hackers, who can sell them on the darknet.
- Personal Data Theft — Loyalty programs contain a treasure trove of personal information: dates of birth, addresses, and credit card information, which can be exploited for more than a McDonald's Happy Meal.
- Unclaimed Rewards — The significant number of points unused globally attracts both small- and large-scale scammers.
Hackers aren’t the only ones committing loyalty fraud. Businesses are at risk from multiple angles:
- Hackers: Hackers pose the most significant risks because they can create thousands of fake accounts, steal customers’ personal data, and accumulate enormous point balances in unauthorized ways. Akamai, a global web and internet security service, recently reported more than 100 billion credential stuffing attacks between 2018 and 2020.
- Employees: Employees with access to the loyalty program’s internal systems or the ability to assign points can pose a threat. They may add extra points to their points balances, steal unclaimed points, or pass on loopholes to customers to encourage them to sign up for the program.
- Customers: Customers can work the system by creating multiple accounts to earn more points. They also may sell or transfer points or return items after earning points.
It’s Not Just the Money
There are several costs associated with loyalty fraud. Businesses may find themselves reimbursing stolen customer points. Customer data breaches often lead to fines and lawsuits. There are also “soft costs”. Customers, members, and partners may lose faith in the business. Reputations can be damaged. The loss of the loyalty program may turn customers away.
Steps to Take
SDC CPAs, a global forensic accounting firm, has seen multiple claims involving the theft of loyalty points. They note that there are methods businesses can use to shore up their defenses against loyalty fraud from hackers, customers, and employees.
- Be aware of the latest methods used to attack loyalty programs.
- Educate customers and staff about loyalty fraud schemes and the necessity of using strong passwords.
- Review internal controls.
- Improve program security with encryption and authentication.
- Create a fraud team to randomly audit customer and employee accounts and monitor loyalty program metrics.
Most businesses offering loyalty programs learn about breaches and fraud long after customers have been exploited. By that time, the damage has been done. Being aware, being vigilant, and implementing strong controls can help to prevent or mitigate the havoc caused by loyalty fraud.