Make Sure Your Loyalty Programs Aren’t Abuse Liabilities

By Doriel Abrahams, Principal Technologist

I love loyalty programs. For brands and stores I frequent, they just make sense. If I buy from you often, of course I want to know when deals are available. From the retailer’s perspective, it’s just as good because I can often be persuaded to spend a bit more when there’s a good offer (yes, I’m a bit of a soft touch sometimes).

As a fraud analyst, though, I’m always aware that there’s a dark side to consider. I try extra hard not to cheat or take advantage of loopholes in loyalty programs — but I can see where the temptation comes from. You’re never going to change human nature. It’s up to merchants to protect their programs from abuse without letting that limit what they’re willing to offer as part of the program.

Loyalty Account Tricks Can Come With Any Offer 

The most common mechanism consumers leverage when trying to game a loyalty program is creating multiple accounts when the retailer only allows one per user. 

First, I want to point out that this can be used against virtually any perk, incentive or deal your business thinks of offering. Protecting just the holidays or your referral program is not enough — even if those are the areas you’ve found most vulnerable in the past. Anything can be a target for abuse. That said, here are some of the most common targets:

  • Referral programs
  • Birthday perks (HMU to hear the whole story of the “365 accounts” fraudster) 
  • New account incentives
  • Anniversary celebrations (meaning, anniversary of milestones with the company)
  • Seasonal deals
  • Gifts
  • Limited items access

Loyal Accounts Get Limited Items. Abuse, Anybody?

One trend I’ve seen increasing recently is the abuse of limited items access. Brands and stores are increasingly aware of the power of certain goods or items to deepen consumer attachment to a brand, and adding a touch of FOMO is always a force multiplier there. 

Access to certain special items makes someone a club member, bolstering their identity as part of that relationship. It also increases the perceived value of the loyalty program itself. Moreover, sometimes access depends on the tier of engagement, usually over the past year or as reflected in the type of status the account has. 

The unintended consequence is that some people want more of the limited access items than they’re entitled to. They may well want more for themselves, as gifts for friends, or to resell, which can be an attractive option given that rarity typically increases an item’s value. 

The thing that’s striking about the accounts set up for this kind of abuse is that they are often in it for the long game. Unlike some other types of abuse, like referral abuse or new user abuse, in which the user sets up throwaway accounts to get the promotion, here a user is much more likely to invest in the account, and to keep using and maintaining it at whatever level is necessary to be able to use it the next time there’s a limited item.

Multiple User Accounts Confuse Accounting

On a small scale, the dollar cost of a user setting up just one or perhaps two extra accounts can be relatively limited; most businesses don’t mind if customers get one more bite at the apple for deals or additional items. Financially, it’s usually reasonably minor until you hit the users who try this at scale.

That said, there are ways that it impacts a retailer that aren’t purely financial, and this is important to understand — and be able to analyze and quantify — when you’re thinking about risk. For example:

  • You need an accurate assessment of how many accounts you have to understand the state of your business
  • You need an accurate understanding of the kinds of customers you have to understand your audience
  • You need an accurate understanding of how a campaign went to analyze its success and work out which aspects of it to replicate and which to avoid in future
  • You need an accurate understanding of which promotions or deals encourage the right kind of legitimate long-term engagement from customers — and which are prone to abuse and encourage bad behavior.

Abuse Fears Should Never Limit the Loyalty Program

In confidential conversations, more than 60% of merchants express concern about abuse present in their loyalty programs. Let that sink in for a moment. More than that, a substantial proportion of these say they’re actively limiting their loyalty program out of fear of abuse. 

I see this sometimes from the flip side of the coin: merchants that use Forter for their loyalty program protection often see a ~20%-30% increase in the value available to loyal customers over the 12 months after they start working with Forter. That means that without focused protection, there’s a lot of room for growth, innovation and expansion that isn’t being explored due to fear.

Merchants should never limit their loyalty programs out of fear of abuse. Loyalty programs can be a tremendous asset to a business and should be maximized. To do that safely, ensure that fraud and risk teams are involved actively in creating and shaping them as they grow. Most challenges can have solutions built in, leveraging policies or restrictions or analysis, as long as you come with a mindset of detection, protection and growth.

Crucially, the concept of being identity-focused and tailoring the experience to the customer should also play a role in preventing abuse. When you’re confident about users’ identities and how they interact with your business, you’ll be able to make confident decisions about how to treat them in a way that respects both their needs and your business’ requirements and goals. 


Doriel Abrahams is the Principal Technologist at Forter, where he monitors emerging trends in the fight against fraudsters, including new fraud rings, attacker MOs, rising technologies, etc. His mission is to provide digital commerce leaders with the latest risk intel so they can adapt and get ahead of what’s to come.