Loyalty program fraud: What it is and how to protect yourself
Loyalty programs are easy to overlook as a fraud risk because reward points and miles don’t feel like real money. But scammers do target customer incentive programs: they steal accumulated rewards and exploit system weaknesses to inflate loyalty balances.
This guide explores loyalty fraud in depth, explaining what it is, why it occurs, and the most common scams and cyberattacks involved. It also outlines practical security measures that both consumers and businesses can take to reduce the risk of loyalty fraud.
What is loyalty program fraud?
Loyalty program fraud is a cyber threat that affects both consumers and businesses. For customers, it typically happens when cybercriminals compromise loyalty accounts and use accumulated points or rewards without permission. For merchants, loyalty fraud can involve attackers exploiting loopholes to rapidly earn rewards or using compromised customer accounts to redeem free products or services.
Understanding how loyalty programs work
Loyalty programs are retention strategies businesses use to encourage repeat purchases, offering incentives such as discounts, free items, or early access to products and services. While the exact structure depends on how a business operates, the most common types of loyalty programs include:
- Points systems: Customers earn points for specific actions, such as making purchases or leaving feedback. These points can later be redeemed for rewards like discounts or free items.
- Tier-based programs: Customers move through different tiers based on their spending level, with each tier offering its own set of rewards.
- Referral strategies: Customers receive perks for referring friends or family.
- Subscription programs: Customers pay an upfront or recurring fee for a product or service and receive rewards or benefits in return.
- Spend-based systems: Rewards are unlocked directly based on a customer’s spending behavior.
- Mission-based programs: Purchases are tied to specific causes, such as donating a portion of each transaction to a charity chosen by the customer.
Why fraudsters target loyalty accounts
Loyalty fraud has grown significantly in recent years, with one report ranking it as the third fastest-growing type of fraud affecting merchants. Cybercriminals often target loyalty accounts because rewards can function like currency. Stolen points can be exchanged for valuable services such as hotel stays or discounted flights, converted into gift cards, or redeemed for items that are later resold. In some cases, compromised loyalty accounts and their accumulated rewards are sold on the dark web.
Attackers also take advantage of the fact that loyalty fraud can go unnoticed for days or even weeks, as many customers don’t regularly check their points balances. Cybercriminals can use this delay to redeem their stolen rewards before detection.
Additionally, some loyalty programs may have weaker security protections compared to financial accounts. This often happens because merchants prioritize ease of use and want to avoid adding friction to the rewards experience. As a result, loyalty transactions may require fewer verification steps, making these accounts more attractive targets for fraudsters.
Common signs of account compromise
A compromised loyalty account could show any of the following signs:
- Unauthorized account activity: You notice point deductions or redemption transactions you don’t recognize.
- Login issues: You’re suddenly locked out of your loyalty account and can’t sign back in.
- Unexpected account changes: Your account details are modified without your knowledge, such as your email address being changed.
Merchants may also suspect an account has been compromised if they detect unusual login or redemption patterns. For example, this could include logins from multiple countries within a short period of time or a sudden spike in redemptions for high-value rewards.
Types of loyalty fraud
Loyalty fraud can take many forms and affects both consumers and merchants. Here are the most common types of loyalty-related scams:
Account takeover (ATO) and points theft
ATO occurs when a malicious actor gains unauthorized access to a loyalty account. Once in, they typically redeem points for discounts, free items, or bonus services. Cybercriminals may use several methods to achieve this, including:
- Brute-force attacks: Attackers attempt to guess login credentials, often using automated tools. This approach is more likely to succeed if you use weak or reused passwords.
- Dark web marketplaces: If your login details were exposed in a previous data breach and you didn’t update them, attackers may purchase them from digital black markets.
- Phishing attacks: Fraudsters use deceptive messages to trick users into revealing passwords or granting access to their loyalty accounts. For example, they may pose as loyalty program representatives and claim that points or linked payment details are at risk.
- Session hijacking: Attackers may steal session data that authenticates a user’s active login, allowing them to take control of the account without needing credentials.
Learn more: To better understand how login credentials are compromised, see our guide on how attackers obtain passwords.
New account fraud
This often involves scammers creating fake accounts using stolen personal information or synthetic identities, which combine real and fabricated details to form a new identity. Fraudsters then use these accounts to accumulate loyalty points, transfer rewards between accounts, manipulate referral programs, or exploit promotional offers and sign-up bonuses.
Fake loyalty programs
Scammers may create fake websites that mimic legitimate services and their loyalty programs or promote fabricated offers that promise cash rewards, discounts, exclusive perks, or other incentives. They then use phishing emails to lure victims into clicking malicious links or attachments, sharing login details, or signing in through fake authentication pages. Any of these actions can give fraudsters unauthorized access to loyalty accounts and, in some cases, linked payment information.
Policy abuse and exploitation
Not all reward program abuse involves stolen credentials or identities. In some cases, customers with malicious or opportunistic intent exploit program loopholes, operating in a gray area between deliberate fraud and policy abuse.
For example, individuals may create multiple accounts to generate referral bonuses for themselves, use automated tools to accumulate points, exploit weaknesses in program rules to earn more rewards than intended, or accept free items and later attempt to refund them.
Real-world examples of loyalty fraud
Common examples of loyalty fraud include the theft of airline miles, phishing campaigns that claim loyalty points are about to expire, and insider threats involving employee misuse.
Airline miles theft
Airline mileage theft occurs when cybercriminals gain unauthorized access to victims’ frequent flyer accounts to steal accumulated miles or points. These rewards can then be redeemed for different perks, such as discounted flights, lounge access, class upgrades, or priority boarding.
In one reported case, a retiree who spent years accumulating large amounts of airline points saw attackers drain them in minutes and use them to book international hotels. In another incident, an airline customer reported that a fraudster compromised their account, canceled their flights, and then used their accumulated miles.
Expiring points scams
These phishing campaigns target loyalty program users with text messages or emails claiming their points are about to expire. Victims are urged to click a malicious link that leads to a fake login page designed to impersonate the legitimate service. They’re then prompted to sign in to redeem points, gift cards, or cashback rewards. In some cases, attackers may also request payment details. Once scammers obtain this information, they can take over accounts, steal loyalty points, or use the data to carry out fraudulent activities or commit identity theft.
Internal employee misuse
Rogue employees at companies with rewards programs may abuse their access by fraudulently adding points to accounts they control, for example by using discarded customer receipts, and then redeeming or reselling those rewards. They may also misuse promotional codes to obtain unauthorized discounts. In one reported incident, an employee caused well over 1 million in damages by enrolling in the company’s rewards program and submitting fraudulent invoices.
How to prevent loyalty fraud (for consumers)
Protecting loyalty accounts requires following strong security practices, such as using secure logins, enabling advanced authentication methods, and monitoring for suspicious activity. The sections below provide a detailed overview of each measure.
Use strong, unique passwords
Strong passwords are harder for cybercriminals to brute-force. When creating a password, make sure it’s long, avoid common words or phrases, and use a mix of numbers, special characters, and both uppercase and lowercase letters. A password generator can help simplify the process, and you can also use a password manager to securely store your logins.
Enable multi-factor authentication (MFA)
MFA adds extra identity verification steps to the login process, such as a time-based code or biometric check like a fingerprint scan. This additional layer of security makes it much harder for cybercriminals to access your loyalty account, even if your password is compromised.
Some rewards programs only support two-factor authentication (2FA), which adds a single extra verification step, typically a one-time code. While not as secure as MFA, 2FA still offers meaningful protection and is far better than having no additional security in place.
Monitor loyalty account activity
Try to check your points balance and rewards activity regularly, as this can help you spot unauthorized access early. There’s no single rule for how often you should review your account, but setting a weekly or monthly reminder is a good starting point.
If your rewards program offers real-time alerts, enable them as well. Depending on the provider, you may be able to receive notifications for balance changes, redemptions or other loyalty transactions, and updates to your account details or settings.
Avoid public Wi-Fi when logging in
The real risk in using public Wi-Fi comes from fake or compromised Wi-Fi networks. Attackers can set up hotspots that look legitimate or interfere with network traffic to redirect you to fake login pages that mimic real loyalty sites. If you enter your credentials on one of these pages, attackers can capture them. If you need to access your loyalty account in a public place, using a trusted virtual private network (VPN) can help protect your data. A VPN encrypts your internet traffic end to end and prevents attackers on the same network from seeing or intercepting your data, even if the Wi-Fi network itself is malicious.
Watch for suspicious emails or SMS (phishing)
Scammers generally use social engineering tactics, which often involve fake emails and text messages, to compromise loyalty accounts. Always be wary of messages claiming to represent the rewards program provider and asking you to perform actions that may compromise your account, especially if they use high-pressure tactics.
For example, an attacker may pose as a loyalty program representative and claim you have incorrect account information, a compromised password or payment details, or points that are about to expire. They may then pressure you to click a suspicious link, open a file, or share account access to “resolve” the issue. If you receive a message you’re unsure about, look up the company’s official contact information and reach out directly to verify whether the message is legitimate.
Note: Fraudsters often use public sources, such as social media, to gather personal details and tailor phishing messages to make them more convincing. To reduce this risk, avoid sharing overly revealing information online and make sure to enable your platform’s privacy settings.
Fraud prevention strategies for businesses
In addition to enforcing strong security settings for loyalty accounts, such as complex passwords and MFA, organizations should implement additional measures to further reduce loyalty fraud and related security risks.
Implement behavioral analytics and AI monitoring
Monitoring customer behavior is a proactive way to detect loyalty fraud early. Tracking point transfers, redemption patterns, and login locations can help identify suspicious activity, such as duplicate accounts, sudden spikes in earned points, or multiple reward redemptions occurring within seconds. Security teams can also use AI to simplify behavioral analysis and automatically flag potential issues.
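The rule-based checks below, an added example rather than code from the original article, run over a constructed loyalty event log and flag the three signals named above and in the "Common signs of account compromise" section: logins from different countries within a short window, a burst of redemptions within seconds, and a sudden spike in earned points. The event format, thresholds and sample events are assumptions.

```python
"""Rule-based detection over a constructed loyalty event log.
Added example, not code from the original article; event format, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, event_type, detail).
# detail is a country code for logins and a point amount for earn/redeem.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "acct-1001", "login", "US"),
    ("2024-05-01T09:20:00", "acct-1001", "login", "BR"),
    ("2024-05-01T09:21:05", "acct-1001", "redeem", 5000),
    ("2024-05-01T09:21:07", "acct-1001", "redeem", 5000),
    ("2024-05-01T09:21:09", "acct-1001", "redeem", 5000),
    ("2024-05-01T10:00:00", "acct-2002", "login", "US"),
    ("2024-05-01T10:05:00", "acct-2002", "earn", 120),
    ("2024-05-02T10:05:00", "acct-2002", "earn", 150),
    ("2024-05-03T10:05:00", "acct-2002", "earn", 9000),
    ("2024-05-03T11:00:00", "acct-3003", "login", "DE"),
    ("2024-05-03T11:30:00", "acct-3003", "redeem", 200),
]
LOGIN_WINDOW = timedelta(hours=1)      # two countries inside this window is suspicious
REDEEM_WINDOW = timedelta(seconds=10)  # burst window for redemptions
REDEEM_BURST = 3                       # redemptions within the window that trigger
EARN_SPIKE_FACTOR = 10                 # an earn larger than factor x prior average triggers

def by_account(events):
    """Group events per account, sorted by time."""
    grouped = defaultdict(list)
    for ts, acct, kind, detail in events:
        grouped[acct].append((datetime.fromisoformat(ts), kind, detail))
    return {a: sorted(evs, key=lambda e: e[0]) for a, evs in grouped.items()}

def detect(events=SAMPLE_EVENTS):
    """Return {account: [alert, ...]} for accounts showing suspicious patterns."""
    alerts = defaultdict(list)
    for acct, evs in by_account(events).items():
        logins = [(t, d) for t, k, d in evs if k == "login"]
        for i, (t, country) in enumerate(logins):
            recent = {c for t2, c in logins[:i] if t - t2 <= LOGIN_WINDOW}
            if recent and country not in recent:
                alerts[acct].append(f"login from {country} shortly after {sorted(recent)}")
                break
        redeems = [t for t, k, _ in evs if k == "redeem"]
        for i in range(len(redeems) - REDEEM_BURST + 1):
            if redeems[i + REDEEM_BURST - 1] - redeems[i] <= REDEEM_WINDOW:
                alerts[acct].append(f"{REDEEM_BURST} redemptions within {REDEEM_WINDOW.seconds}s")
                break
        earns = [d for _, k, d in evs if k == "earn"]
        for i in range(1, len(earns)):
            avg = sum(earns[:i]) / i
            if earns[i] > EARN_SPIKE_FACTOR * avg:
                alerts[acct].append(f"earned {earns[i]} points vs prior average {avg:.0f}")
                break
    return dict(alerts)
```

Running `detect()` on the sample data flags acct-1001 (country change plus redemption burst) and acct-2002 (earn spike) while leaving acct-3003 untouched; in production the thresholds would be tuned per program and the alerts routed to a review queue.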
Set redemption limits and delays
Merchants can reduce fraud opportunities by limiting point redemptions to specific timeframes, tightening return and refund windows, and restricting referral rewards to verified users. Requiring users to re-authenticate when redeeming high-value rewards, similar to how banks handle large transactions, can also help prevent compromised accounts from being drained in a single action.
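A redemption policy gate that enforces the controls just described (minimum account age, referral rewards only for verified users, a daily cap, a cooldown between redemptions, and step-up re-authentication above a value threshold), written here as an added example and not taken from the article or any vendor's product; the thresholds, data shapes and reason codes are assumptions.

```python
"""Redemption policy gate for the controls described above.
Added example, not the article's or any vendor's code; thresholds and data shapes are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

HIGH_VALUE_POINTS = 10_000           # above this, require fresh re-authentication
REAUTH_MAX_AGE = timedelta(minutes=5)
DAILY_REDEEM_CAP = 3                 # redemptions allowed per rolling 24 hours
MIN_ACCOUNT_AGE = timedelta(days=7)  # new accounts wait before redeeming
COOLDOWN = timedelta(minutes=2)      # delay between consecutive redemptions

@dataclass
class Account:
    id: str
    created_at: datetime
    verified: bool = False
    last_reauth: Optional[datetime] = None
    redemptions: List[datetime] = field(default_factory=list)

@dataclass
class Redemption:
    points: int
    is_referral_reward: bool = False

def check_redemption(acct: Account, req: Redemption, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason); reasons are stable strings for logging and alerting."""
    if now - acct.created_at < MIN_ACCOUNT_AGE:
        return False, "account_too_new"
    if req.is_referral_reward and not acct.verified:
        return False, "referral_requires_verified_user"
    recent = [t for t in acct.redemptions if now - t <= timedelta(hours=24)]
    if len(recent) >= DAILY_REDEEM_CAP:
        return False, "daily_cap_reached"
    if recent and now - max(recent) < COOLDOWN:
        return False, "cooldown_active"
    if req.points > HIGH_VALUE_POINTS and (
        acct.last_reauth is None or now - acct.last_reauth > REAUTH_MAX_AGE
    ):
        return False, "step_up_auth_required"
    acct.redemptions.append(now)
    return True, "ok"

def demo():
    """Walk constructed accounts through the gate; returns the reason codes in order."""
    now = datetime(2024, 5, 1, 12, 0, 0)
    acct = Account("acct-1001", created_at=now - timedelta(days=30), verified=True)
    out = [check_redemption(acct, Redemption(500), now)[1]]
    out.append(check_redemption(acct, Redemption(500), now + timedelta(seconds=30))[1])
    out.append(check_redemption(acct, Redemption(50_000), now + timedelta(minutes=5))[1])
    acct.last_reauth = now + timedelta(minutes=5)  # user completed step-up MFA
    out.append(check_redemption(acct, Redemption(50_000), now + timedelta(minutes=5))[1])
    new_acct = Account("acct-2002", created_at=now - timedelta(days=1))
    out.append(check_redemption(new_acct, Redemption(100, is_referral_reward=True), now)[1])
    return out
```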
Employee training on fraud awareness
Organizations should regularly run employee training programs that cover the fundamentals of loyalty fraud, including early warning signs, common attack methods, and potential policy or system abuse. Clear frameworks and guidelines should also be established so employees know exactly how to respond if they detect suspicious activity.
Additionally, large retailers and businesses may benefit from forming a cross-departmental risk team that meets regularly to review recent or potential fraud cases, identify recurring patterns, and develop effective mitigation strategies.
Work with cybersecurity partners
Merchants that run rewards programs should rely on comprehensive cybersecurity platforms to mitigate both external and internal threats. For example, adopting a robust identity and access management (IAM) solution helps securely authenticate customers and employees alike.
These tools also make it possible to enforce strict access controls, ensuring that only privileged accounts can access sensitive data. In addition, they support separation of duties, such as preventing a single account from handling customer support, managing loyalty balances, and approving rewards at the same time.
Organizations should also consider zero-trust platforms, which limit the reach of compromised accounts, protect internal systems from phishing and malware, and reduce the potential impact of insider threats.
Educate users about loyalty value
Customers should be informed about the real monetary value of their loyalty balances and why attackers may target these accounts. Merchants should also explain how loyalty account breaches can cause broader harm by exposing linked payment information and personal data.
Businesses should provide loyalty program members with clear, easy-to-follow security guidelines and make them readily accessible. This can include running awareness campaigns, sending regular emails with tips and infographics, and simplifying account security options, such as offering biometric authentication.
Check up on or lock inactive loyalty accounts
Inactive accounts are attractive targets for cybercriminals because customers rarely monitor them or keep track of their loyalty balances. To reduce this risk, businesses should take steps to prevent inactive accounts from becoming security liabilities.
Possible measures include requiring customers to enable additional verification methods to keep their accounts active, setting loyalty points to expire after a defined period, or locking or removing inactive accounts after providing proper notice to customers.
Recovery after loyalty account fraud
If you suspect you've fallen victim to loyalty fraud or could be the target of an attack, follow these steps:
- Contact the loyalty provider: Reach out to the company running the rewards program as soon as possible to report the issue. They may refer you to their fraud team and provide additional assistance. Depending on the circumstances, the provider may also restore stolen points or rewards.
- Change your login details: Update your password immediately to prevent further unauthorized access. Follow best practices to create a strong, secure login.
- Document everything: Keep records that support your claim, such as emails, text messages, transaction histories, and account statements.
- Contact relevant financial institutions: If you suspect linked payment methods were compromised, notify your bank or card provider right away and request assistance.
- Report the scam: Inform the appropriate authorities or organizations in your region that handle fraud and cybercrime.
FAQ: Common questions about loyalty program fraud
How do hackers steal loyalty points?
Cybercriminals typically steal loyalty points by taking over user accounts. They often achieve this by sending phishing messages, attempting to brute-force login details with automated tools, taking over active sessions, or obtaining previously exposed passwords from dark web marketplaces.
How can I tell if my loyalty account was compromised?
Common signs of account takeover include unusual account activity such as unauthorized point deductions or reward redemptions, unexpected logouts or trouble signing back in, and unapproved changes to account information.
What’s the role of MFA in loyalty fraud prevention?
Multi-factor authentication (MFA) adds extra identity verification steps, such as a one-time code or biometric authentication. This makes it much harder for scammers to take over an account and steal points or rewards, even if they manage to obtain the password.
Can loyalty points be recovered after theft?
The provider's terms of service usually determine whether you can recover stolen loyalty points. If you suspect you've fallen victim to loyalty fraud, promptly report the incident to the company. In some cases, merchants may restore stolen points or rewards.
What should businesses do to secure loyalty platforms?
Businesses can strengthen loyalty platform security by implementing a mix of fraud prevention measures. These include monitoring customer behavior and using AI to detect suspicious patterns, limiting point redemptions to specific timeframes, requiring re-authentication for high-value rewards, educating employees and customers about fraud risks, deploying comprehensive cybersecurity solutions, and locking or restricting inactive accounts.