In recent years, cyber-criminals have realized that the payoff from leveraging compromised accounts to commit fraud is much greater than attacks at the point of transaction. As a result, online transaction fraud losses, which are increasingly driven by account-focused attacks, are expected to reach $25.6 billion in 2020. This worrisome trend indicates that attacks against various touch points in the customer journey have morphed into a market-wide challenge that is causing concern among merchants and other digital enterprises. At the same time, loyalty programs, which rely heavily on loyal customer accounts, have evolved considerably in the last decade and provide valuable rewards. While the value and liquidity of loyalty program rewards have increased, protecting these assets has lagged behind other digital services such as online banking, credit cards, or media-service providers.
Fraud, Like Water, Always Finds Its Way
Fraudsters have found their way through the labyrinth of protected services to more vulnerable ones, in which cybersecurity has often been overlooked. As a result, loyalty program fraud is skyrocketing and loyalty points have become a new currency for fraudsters. According to Forter’s 2019 Fraud Attack Index, this type of fraud has increased by 89% during the last year and 12% in dollar value. Behind this alarming surge, a variety of attacks have become prevalent, including:
- Account Takeover (ATO): Attacks by which fraudsters leverage a variety of methods such as brute force attacks/stolen credentials, or automated cyber-attacks to hack into existing accounts and steal user credentials, funds, or benefits.
- New Account Fraud: Attacks where fraudsters create multiple fake loyalty accounts, occasionally leveraging stolen identities, then use them for a variety of fraudulent schemes, including loyalty points laundering.
- Transactional Fraud: After hacking into accounts, fraudsters use credit cards or other payment methods linked to loyalty accounts to perform fraudulent transactions.
- Policy Abuse: This occurs when users violate various business policies to receive benefits or rewards by exploiting loopholes in the system. Notable examples include signup, referral, and coupon rewards being overshared or gained dishonestly.
Follow the (Digital) Money
Loyalty program fraud is an elusive threat because it involves attacks at various touch points throughout the customer journey, including: registration, login, account settings (changing financial/personal information), and at the point of transaction. The main effort in this type of fraud is the monetization process. After gaining access to accounts or user data, fraudsters exploit the program’s sharing options to transfer points to “safe accounts” that were set up in advance. In order to conceal the origins of stolen points, fraudsters at times create a complex sequence of legitimate and illegal transfers to execute point laundering schemes. At the end of the “laundering funnel,” fraudsters use multiple techniques to monetize the loyalty points and data. Such techniques include:
- Redeeming and Reselling: Fraudsters purchase goods or services with loyalty points and resell them in dark web marketplaces and/or hidden Telegram channels. A widespread technique is buying untraceable gift cards and reselling them for 25%-60% of their value.
- Accounts and Data for Sale: Fraudsters sell points, hacked accounts, or stolen data to third parties.
- Points-as-a-Currency (PaaS): At times, loyalty fraudsters pay other cyber-criminals or illegal service-providers with stolen points, exploiting their increasing value, liquidity and anonymity.
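The "laundering funnel" described above (compromised accounts drained into pre-created "safe accounts", sometimes through intermediate hops) leaves a recognizable shape in a program's own transfer log. The following detection sketch is an added example, not Forter's code or any real program's data; the transfer log, the account-settings audit trail, the thresholds and the account names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfer log (not real data): (ISO timestamp, sender, receiver, points).
TRANSFERS = [
    ("2020-03-01T09:00:00", "u101", "hop1", 8000),
    ("2020-03-01T09:05:00", "u102", "hop1", 7500),
    ("2020-03-01T09:10:00", "u103", "hop1", 9000),
    ("2020-03-01T09:30:00", "hop1", "collector", 24000),
    ("2020-03-01T10:00:00", "u104", "collector", 6000),
    ("2020-03-01T10:20:00", "u105", "collector", 5000),
    ("2020-03-02T12:00:00", "alice", "bob", 500),  # ordinary household share
    ("2020-03-05T18:00:00", "bob", "alice", 200),
]
# Constructed account-settings audit trail: account -> time of its last email/password change.
SETTINGS_CHANGED = {"u101": "2020-03-01T08:50:00", "u102": "2020-03-01T08:55:00",
                    "u103": "2020-03-01T08:58:00", "u104": "2020-03-01T09:40:00"}

def find_laundering_candidates(transfers, settings_changed, window=timedelta(hours=24),
                               min_fan_in=3, pass_through_ratio=0.9,
                               settings_grace=timedelta(hours=2)):
    """Return {account: [flags]} for accounts whose inbound transfers look like a laundering funnel."""
    inflow, outflow = defaultdict(list), defaultdict(list)
    changed = {a: datetime.fromisoformat(t) for a, t in settings_changed.items()}
    for ts, sender, receiver, points in transfers:
        t = datetime.fromisoformat(ts)
        inflow[receiver].append((t, sender, points))
        outflow[sender].append((t, points))
    findings = {}
    for acct, rows in inflow.items():
        rows.sort()
        flags = []
        # Fan-in: distinct senders feeding this account inside one sliding window.
        fan_in = max(len({s for t2, s, _ in rows if t0 <= t2 <= t0 + window}) for t0, _, _ in rows)
        if fan_in >= min_fan_in:
            flags.append("fan_in")
        # ATO signal: senders whose email/password was changed shortly before they sent points.
        drained = sum(1 for t, s, _ in rows if s in changed and timedelta(0) <= t - changed[s] <= settings_grace)
        if drained * 2 >= len(rows):  # at least half the inbound transfers follow a settings change
            flags.append("sent_after_settings_change")
        # Pass-through: nearly everything received is forwarded again within the window (a laundering hop).
        first_in, last_in = rows[0][0], rows[-1][0]
        total_in = sum(p for _, _, p in rows)
        forwarded = sum(p for t, p in outflow[acct] if first_in <= t <= last_in + window)
        if total_in and forwarded / total_in >= pass_through_ratio:
            flags.append("pass_through")
        if flags:
            findings[acct] = flags
    return findings

if __name__ == "__main__":
    for acct, flags in find_laundering_candidates(TRANSFERS, SETTINGS_CHANGED).items():
        print(acct, flags)
```

On the constructed log, the intermediate hop is flagged on all three signals and the final collection account on fan-in alone, while the reciprocal household share between alice and bob raises no flag.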
Left: A hacked British Airways frequent flyer account with 100,000 points for sale in a dark web market. Right: Hacked Expedia accounts (500+ points each) for sale in a dark web market. Source: Daniel Shkedi/Forter.
Left: Delta Airlines Gift Cards sold for 25% of value in a dark web market. Right: Pizza Hut: 1200 hacked accounts with 100-1000 points in a dark web market. Source: Daniel Shkedi/Forter.
What Keeps C-Level Executives Up at Night
Overall losses from loyalty and reward points fraud are estimated at $1 billion every year. Furthermore, the Loyalty Security Association (LSA) estimates that $3.1 billion in redeemed points are fraudulent. These are trends that continue to keep CEOs, CFOs, Chief Information Security Officers (CISOs) and loyalty program executives up at night. Loyalty program fraud can affect a wide variety of organizations across industries, from airlines to hotels, apparel merchants as well as quick-service restaurants (QSRs). C-level executives from these enterprises are burdened with the task of solving multiple pain points. These include:
Tarnished Brand Reputation. When loyalty programs are hacked, reputation and consumer confidence take a hit. 69% of loyalty program executives report that loyalty program fraud has a negative impact on brand reputation. Negative public perception or reviews translate to lost revenue and diminished customer lifetime value.
Stifled Business Growth. Enterprises that experience fraud are reluctant to expand their loyalty programs or offer new services without adequate protection, stifling business growth.
Lost Revenue. Unprotected loyalty programs lose twice. When redeemed services/goods are obtained fraudulently, the program absorbs the cost of loyalty point reimbursements along with the cost of fraud.
High Operational Costs. Manual review teams, fraud investigations, and the acquisition of supporting fraud tools or systems result in high operational costs for enterprises.
Current Systems Cannot Catch the Fraud. Nearly 50% of merchants indicated that low organizational priorities and a lack of adequate resources prevent them from stopping loyalty fraud.
To conclude, loyalty programs have become a new target for cyber-criminals due to the increasing value tied to them, but also because of extremely low threat awareness and preparedness by customers and enterprises.
Going forward, we can expect loyalty program fraud to keep surging. Despite the current emphasis on transactional protection, enterprises need to implement new fraud prevention solutions and approaches to protect loyalty accounts throughout the entire user journey. It’s high time to ensure that customer loyalty is not met with betrayal by the program’s online security safeguards.