Published: May 20, 2024
Reading time: 4 minute read
Written by: Forter Team

By Doriel Abrahams, Principal Technologist

For many consumers, the loyalty programs attached to travel and hospitality brands are the gold standard for what the benefits of brand loyalty can represent. Points redemption and program collaboration across hospitality, travel, and commerce brands mean the sky’s the limit (sorry, I couldn’t help myself) regarding what loyalty programs can offer. 

At the same time, the more creative and valuable the loyalty program, the more likely it is to see fraud. Forter’s data suggests that brands with loyalty programs connected to other companies and brands are attacked 2.5x more than brands with loyalty points that only work in their own brand. 

What can travel and hospitality companies do to provide appealing loyalty programs without losing out more than it’s worth to fraud?

Flexibility for Customers Means Fraudsters Can Flex Fraud Muscles

The challenge is inherent to the nature of loyalty programs. The best programs encourage customer loyalty and engagement with the brand by offering diverse ways to earn and spend points, as well as numerous benefits for frequent interactions with the brand. For example:

  • The ability to use points to upgrade experiences.
  • The ability to use points to buy items online or in-store with premium brands or using stores that sell a wide range of products, such as Amazon. 
  • The ability to share points with other loyalty program members or effectively “pool” points to make a purchase. 
  • The ability to turn points into cash. 

All of these — and every other benefit I can think of — represent an opportunity for a fraudster. The more flexible your program is, the more options it offers for fraud. Once a fraudster has access to an account with loyalty points, they have many options. For instance:

  • An “upgraded experience” can be sold on at a “discount” to a legitimate customer. 
  • Points can be used to buy expensive items, which the fraudster resells for cash.
  • Points can be moved to an account owned by the fraudster. In fact, a fraudster can do this by using points from many accounts to make very expensive purchases.
  • Anytime something can be considered “free cash,” a fraudster moves in to take it (gift cards are another popular example).

Protect Accounts as if They’re Cash

Accounts with loyalty programs attached are 4-5 times more likely to be targeted by fraudsters than accounts without a connection to a loyalty program. Fraudsters love loyalty points. You can even see it demonstrated on online criminal marketplaces and forums, where fraudsters will actively advertise accounts for sale as having loyalty points and expect to be able to charge more for the access credentials as a result. 

For fraud fighters, this means that you have to think of loyalty programs as being under your protection. The point of a loyalty program isn’t just customer benefits; it’s increasing customer loyalty to a brand. If a customer finds out a fraudster has been inside their account and exploited its contents, that won’t make them more loyal to your brand. 

Login protection is the most important aspect of account protection, but it’s not the only part. Sometimes, a fraudster will be sneaky enough to get past your guard. If that happens, you don’t want to effectively give them the key to the castle. 

Ensure you have safeguards in place at every point of user interaction with an account, whether adding information, changing information, moving loyalty points around, using loyalty points, making bookings, etc. 

You Know Your Customer, So You Know When It’s Not Your Customer

The advantage a fraud prevention team has when it comes to protecting loyalty programs is that the users whose accounts you’re protecting are, by definition, existing customers. They have a history with you. You know what they usually look like and how they typically behave. 

That’s an enormous help when it comes to identifying suspicious behavior. When you know what a customer usually does, you can detect anomalies. 

If there’s a new device coming from a new IP, taking an interest in an aspect of the program the user has always previously ignored, looking to move points around at a time of day they aren’t usually online – your system ought to notice automatically that something is different, and flag it for investigation. 

You can also identify anomalies within the system more generally. If one account suddenly starts receiving points from multiple accounts and pooling them in preparation for using them for a major purchase – you’ll want to check that out. 

Personalization is the Upside of Identity Protection 

There’s an upside to this approach that not only protects the business but helps company growth. Anomaly detection of this type is really about personalization. To be effective, it has to be based on knowledge of what’s normal. 

Suppose you know what individual customers normally do, how they normally behave, and what they value from your programs. In that case, you can tailor future offers and notifications to match those preferences. It’s just the positive upside of the protection you’re investing in any way. 

Fraud teams aware of this two-sided benefit to personalization can leverage it to raise their profile and value in the organization by being proactive about possible growth-oriented campaigns and benefits. 

I’m thinking of getting a t-shirt made that says “Fighting fraud enables user personalization. Ask me about it.” If you want one, let me know 🙂


Doriel Abrahams is the Principal Technologist at Forter, where he monitors emerging trends in the fight against fraudsters, including new fraud rings, attacker MOs, rising technologies, etc. His mission is to provide digital commerce leaders with the latest risk intel so they can adapt and get ahead of what’s to come.

4 minute read