Loyalty Program Fraud

Customer loyalty programs date back to the late 18th century, when American merchants gave copper coins to customers after purchases that could be redeemed for future purchases. Modern loyalty programs can be traced to the introduction of American Airlines’ Frequent Flyer program in 1981. In the decades since, loyalty programs have blossomed into a ubiquitous and near irreplaceable strategy for building brand loyalty by recognizing and rewarding profitable customer behaviors. Loyalty programs have also become vulnerable to fraud and customer abuse which can be harmful to the brand and jeopardize program integrity.

What Is a Loyalty Program?

A loyalty program is essentially a marketing strategy that encourages consumers to become loyal customers and possibly advocates of a particular business or brand. They are usually structured  to allow customers to accumulate points in an account for desired behaviors like the frequency and amount of purchases. These point can later be redeemed for rewards, discounts, or special recognition and perks. Sometimes these loyalty accounts involve customers being issued a physical rewards or account card similar to a payment card, however in an era of increasing digital and mobile purchases, a physical loyalty program account card is less of a necessity. A wide range of businesses in various industries make use of this model, including airlines, supermarket chains, casinos, drugstores, and hotels.

What is Loyalty Program Fraud?

Loyalty program fraud is any sort of attempt to use a loyalty program account fraudulently. Often this involves criminal fraud using techniques such as account takeovers or identity theft to effectively steal the rewards from the account holder. But it is also possible for loyalty programs to be abused in first-party fraud schemes, as well. This article will examine some of the most common types of loyalty fraud.

Account Takeover Fraud

The most common and straightforward form of loyalty program fraud is when a criminal fraudster hijacks an account and effectively steals the rewards for themselves. This could involve simply transferring or cashing in the existing rewards points and diverting the proceeds to themselves rather than the account holder. It could also involve the criminal making additional, unauthorized purchases to increase the rewards points before cashing them in. This latter strategy in particular seems likely to increase the risk of chargebacks, as they are the sorts of fraudulent purchases that chargebacks are designed to prevent.

How Account Takeover Fraud Works

Account takeover fraud attacks can occur through different means but the most frequent tactic is phishing. In a phishing attack, the fraudster tricks the account holder into revealing their login information by impersonating the entity in charge of the account.

Other forms of account takeover fraud can occur through the use of techniques such as credential stuffing, which involves using a bot to attempt to guess a user’s login information using common passwords or algorithmically generated possible passwords. Criminals can also attempt to gain users’ credentials through other means such as malware, stolen cookies, or various techniques in which they hack into the business’s systems and steal passwords from them rather than from the users. Account takeover fraud can also occur when criminals purchase stolen credentials from someone else over the dark web rather than directly stealing them.

Once criminals obtain stolen credentials, they take control of the account and, in the case of loyalty program fraud, use that control to steal the loyalty rewards.

Prevention Strategies to Combat Takeover Fraud

Merchants can employ a number of tactics to reduce susceptibility to account takeover fraud for their users. These include implementing policies requiring complex passwords, making use of two-factor authentication (2FA), utilizing phishing protections, and using website security solutions for login pages and APIs. Prioritizing consumer data security, protecting login credentials, and preventing unauthorized access customer accounts is an essential endeavor for preventing account takeover fraud.

Fake Accounts

Another potential technique that criminals may use to commit loyalty program fraud involves the creation of fake accounts using stolen or synthetic identity and payment information. These work in a similar manner to account takeover attacks with the same goal of falsely redeeming loyalty rewards. But rather than attacking an existing customer loyalty account, a new one is created for the express purpose of fraudulently obtaining rewards. And while account takeover fraud schemes may include fraudulent purchases in addition to stolen rewards, fake account schemes almost necessarily include both.

How Fake Account Schemes Work

A fraudster uses either stolen or synthetically created payment and identification credentials to create a customer loyalty account. The fraudster then makes purchases and accrues rewards points, which they cash in and then disappear before the fraud can be detected.

Prevention Strategies to Combat Fake Accounts

The point at which a fake account scheme can best be prevented is at the account creation stage. Employing policies and tools to verify that the person creating the account is indeed the person associated with the payment and ID credentials makes it harder for criminals to perpetrate these schemes. And verifying that the person creating the customer account is in fact a real person will reduce susceptibility to the synthetic variant of fake account fraud schemes.

First-Party Loyalty Program Fraud

Not all loyalty program fraud comes from criminals. Sometimes it is the result of fraudulent activity on the part of the actual holder of the loyalty program account. This can be intentional chargeback fraud or unintentional friendly fraud.

How First-Party Loyalty Fraud Works

The mechanics of this form of loyalty program fraud are fairly straightforward. Essentially, the account holder makes purchases to accrue loyalty points, cashes those points in for rewards, and then files chargebacks to recoup the original purchase amounts while keeping the loyalty rewards. Some customers may do this intentionally as a form of chargeback fraud while others may do so unintentionally due to issues such as not recognizing a charge on a transaction statement or a family member making a purchase without the cardholders approval.

Prevention Strategies to Combat First-Party Rewards Program Abuse

The tactics used to reduce first-party fraud in general are valuable for preventing this sort of loyalty program fraud. This includes practicing good billing descriptor hygiene and emphasizing customer service to reduce instances of confusion.

Preventing intentional first-party fraud can be a bit more difficult to prevent but there are still tactics that merchants can use to mitigate the losses of this sort of fraud. Namely, any sort of efforts that allow merchants to successfully fight these illegitimate chargebacks should reduce the costs associated with this fraud. Even if these first-party fraudsters are still able to collect the loyalty rewards, successful chargeback representment would eliminate the losses from chargebacks.

Conclusion

Broadly speaking, preventing loyalty program fraud is similar to general efforts to prevent fraudulent activity  using debit and credit cards. This includes using data security policies and identity verification tools to protect customers from having their credentials stolen and prevent merchants from allowing stolen or synthetic credentials to be used to create new accounts. First-party fraud reduction techniques are similarly applicable to loyalty program fraud that is perpetrated by the actual account holders. Fraudsters will always try to find cracks in any system and merchants need to make sure they are prepared.