As banks and credit card issuers invest more resources in making card fraud tougher, criminals are following the money and setting their sights on loyalty points programmes. Loyalty card fraud is a growing problem for retailers; these accounts are regarded as ‘easy pickings’ by the fraudsters, typically only protected by a username and password combination and often left to languish. In Canada alone, there is $16bn in points sitting unredeemed. Once acquired, these points are easily spent on merchandise, hotel rooms, flights and gift cards, or may even find their way onto the dark web for sale to the highest bidder.
Unlike bank accounts and credit cards, many people don’t check their loyalty points balances regularly. Whilst consumers think they’re building up their points towards a weekend away or a family treat, hackers could gain access to these accounts and steal these points without anyone noticing. For hackers, there are potentially hundreds of millions of pounds available and, because they’re easier to target than a bank, retailers are taking the hit.
In the same way that any fraudulent activity begins, someone will find a way to exploit the vulnerabilities of any system. With loyalty points they could target the vendor, the reward programme provider or perhaps an associated third party. Once they have these points, it’s possible to create a fake membership or loyalty card before spending the points either in store or online. For example, a hacker might use points to buy the latest game console, then sell it on to receive the cash; this particular activity is a favourite of crime gangs. It’s a whole new level of sophistication the industry is starting to see.
More than the money
Loyalty card fraud is not a victimless crime, it’s a big business that needs to be brought to consumer’s attention. Unfortunately, it’s very rare to see the perpetrators of loyalty fraud prosecuted and, as a result, it’s difficult to work out how well-organised the gangs really are.
Many consumers don’t believe this type of fraud to be a real thing because the points aren’t tangible and therefore don’t equate to a direct cost. However, the retail industry loses out by investing millions of pounds per in year in delivering value to their customers only to see it used by someone other than the intended recipient.
In addition to the financial impact, retailers can suffer a heavy blow to their reputation as a result of loyalty card fraud. With data breaches dominating the headlines on an almost-daily basis, there is a heightened awareness amongst consumers of the value of the personal data being held by businesses. Whilst delivering value to shareholders and customers is a top priority, retailers are often more concerned about the customer’s perception of data loss. One such example is when a list of customer emails reported to be from a well-known loyalty programme surfaced online. Upon inspection, these emails were not in fact related to the named company, but the headlines had already been written and fingers pointed.
Fighting the fraudsters; every little helps
There is clearly a problem when it comes to loyalty fraud, but the those running the programmes are now beginning to sit up and take notice. Retailers are taking to their networks and wider fraud prevention forums – such as ITC Secure’s Fraud Prevention Forum – to share their knowledge and experiences in tracking and identifying fraud, helping to make the industry better at defender themselves.
It’s also about educating the consumers, and many retailers are now working with initiatives such as Get Safe Online to help customers understand the true value of their loyalty cards and how they can protect them. For example, practising password hygiene by not reusing credentials, and employing the use of two-/multi-factor authentication are just two simple things a consumer can do alongside regular monitoring of their loyalty accounts.
Kevin Whelan from ITC Secure