Loyalty programs are big business for retailers and fraudsters alike. From airline miles to hotel stays to free coffee, consumers are extremely willing to share personal information with their favorite stores in exchange for rewards. Fraudsters are increasingly targeting these loyalty programs because consumers often don’t treat their points like real money. The end result: $1 billion a year ends up in the pockets of these scammers.
Fraudsters Love Loyalty Points
In the U.S., consumers currently average 10 loyalty accounts per person and have racked up $48 billion stored in points and travel miles, which shows both how popular these programs are and how much value is available for fraudsters to pounce on. Loyalty programs are an easy target for cyberthieves looking to score consumer data and cash-like rewards. Typically, these programs store sensitive Personally Identifiable Information (PII), including your birth date, email or home address, and phone number.
As we engage in these loyalty programs, we should all be thinking about the security of our information. It’s pretty straightforward for a hacker to access our information within these reward programs. They can use credentials compromised in prior data breaches to log in to an account, a technique known as “credential stuffing”. From there, they can place orders using the victim’s points and credit card information. They can also sell the rewards and information for a profit on the dark web, or use them to gain access to even more PII.
Mobile Vulnerabilities Fuel the Fire
Consumers crave convenience and are willing to accept certain risks to get it. The adoption of mobile rewards cards, where the cashier scans a phone to capture the user’s profile and apply it to the transaction instantly, exposes rewards accounts to additional risk through mobile vulnerabilities.
Loyalty apps are often insecure and easy to access, especially if we use the same passwords for multiple accounts. Make sure your phone is protected from rogue apps by downloading only from the approved app stores. Be sure to use a different password for each reward program you join, and change them regularly just as you would with financial or credit account logins.
Start Using Your Points Before the Hackers Do
Stay current with the number of points you have in your rewards accounts. Be suspicious of emails that ask you to log in to your account to change your information. Phishing emails like this are often a gateway for cybercriminals to record your information and perform account takeovers. Do not click any links within the email. Instead, go directly to the retailer’s website and log in to your account there to see if something is wrong.
Check your loyalty points often. Treat your rewards like the cash in your wallet. Make sure fraudsters are not using your hard-earned loyalty bucks or worse — your personal information.
Tips to Protect Your Personal Information
- Report your missing rewards. If you think your loyalty account may have been hacked, report it to the appropriate company and compile any documentation they may need to restore your balance.
- Update all passwords. Use difficult-to-crack passwords that are unique to each of your accounts and have not been used in the past. Use a secure password manager if you have a hard time keeping track.
- Add two-factor authentication. Adding another layer of protection to your account logins helps keep hackers from infiltrating your accounts using your credentials.
- Update your privacy settings. Privacy settings on web browsers, mobile devices, and social networks can be changed to share the minimum amount of information.