In modern commerce, fraud is everywhere. Cyber criminals have put anything of value at risk. Loyalty schemes join the list of valuables that can be turned into cash just like bank accounts or payment cards. Retailers need to start paying attention to this growing trend.
Loyalty programmes are almost as old as commerce itself. Today, though, as with the rest of the commercial world, they have moved to the digital environment. We now collect our loyalty points on smart cards and manage them online.
Yet while this drive to digital loyalty points has brought the same benefits as digital commerce in terms of convenience, rewards, and accessibility, it has also brought the risk of fraud.
Loyalty points have value. And when something has value, criminals will want to get their hands on it. Retailers and consumers have to work to keep these loyalty programmes safe.
The Australian loyalty landscape.
The sheer number of us that are members of loyalty schemes means that fraud attacks demand significant attention. With 84% of Australians currently enrolled in a loyalty program of some variety, and 82% claiming to buy more from brands that offer one, leading companies are taking note of the importance of an attractive loyalty scheme.
What’s more, a look at the top ten most recommended programmes by Australian consumers highlights the diversity of loyalty providers across a range of sectors:
- Coles flybuys
- Woolworths everyday rewards
- Qantas Frequent Flyer
- Virgin Velocity
- MYER one
- Priceline Sisterclub
- Westpac Altitude Rewards
- Commbank Awards
- Hoyts Rewards
To a fraudster, however, major brands equate to major targets with major value. Qantas’s Frequent Flyer scheme alone has been valued as high as $3 billion AUD, almost 50% of the airline’s total value, and cybercriminals have actively targeted this veritable goldmine of value in recent years.
Confusion and apathy
We all take part in loyalty schemes. But we don’t necessarily take an active part in them. Research from 2012 showed that there were 23.8 trillion unredeemed points/air miles worldwide with a value of $238 billion.
This is indicative of the fact that so many scheme members simply do not reap the benefits of their membership. What’s worrying, however, is that this complacency presents an open door to fraudsters, allowing them to operate undetected before it is far too late. Don’t just take my word for it: research suggests that 80% of frequent flyer fraud is detected accidentally.
How much money could be saved through increased vigilance to this new breed of fraudster? One of the key messages anti-fraud experts give to members of the public is that they should always check their financial accounts.
Why should loyalty programmes be any different? If scheme members don’t know how many points they have and don’t keep track of them, then they will be unaware of criminals stealing their points.
How loyalty frauds work
No industry suffers from loyalty fraud quite like the airline industry. There are 300 million members of more than 70 frequent flyer programs worldwide, of which 72% have suffered from fraud attacks.
Criminals can gain access to someone’s loyalty points in the same way they can gain access to other accounts such as hacking poor passwords and phishing scams.
Once they have access to these points, they can start to spend them; buying airline tickets and then either using them themselves or selling them on sites such as Craigslist. One frequent flyer in Australia came to his account one day only to see that it had been emptied, by fraudsters using malware, to purchase a flat screen TV.
Of course, with so many airlines offering joint incentives with supermarkets and hotels such as Woolworths, Hilton Hotels and more recently Coles, the opportunities for fraudsters are abundant as consumers can collect and redeem points/miles whilst completing their weekly shop, staying overnight at a hotel or purchasing snacks on a flight.
This pattern is one that is reflected across all loyalty schemes. Get access to passwords, get access to points and then use them for money generating purposes.
More than points at stake
It’s not just loyalty points at stake; identities are at stake too. Customer loyalty schemes are good for customers, but they are even better for retailers. Loyalty schemes encourage customers to stay loyal, to shop at the same shops and buy the same brands. Yet this isn’t the only way in which retailers and brands benefit.
For customer relationship management and customer analytics, loyalty schemes are perfect. When a consumer joins a loyalty scheme, they share their personal information with the retailer: name, date of birth, email address, home address and phone number. And every time they collect points on the scheme, they are telling retailers about their shopping habits.
The more times they do this, the better picture the retailer can bring together about their customer. This is, in essence, the deal the consumer makes with the retailer; I’ll tell you about my shopping habits, you give me discounts and special offers.
What, though, if this personal information falls into the wrong hands. All of the information retailers hold on their loyalty scheme members is, in the hands of criminals, enough to commit identity fraud.
Instead of customers being rewarded for their loyalty, they can be “rewarded” by having their identities stolen.
How much of a problem is it?
It is a new problem but it is a fast growing one. Research published by Airline Information in 2014 revealed that a mere 18% of loyalty program operators said that they didn’t have a fraud problem. Of the majority that admitted that they did, 50% believed that the threat was an escalating one.
In 2012, Australian hotel consumers were targeted via the loyalty channel when fraudsters phoned them to offer heavily discounted loyalty membership. Major hotel groups were involved and their customers defrauded by up to $11,500 AUD.
Unfortunately, incidents of loyalty fraud appear as a trend rather than isolated incidents as recent years have seen major businesses such as Qantas and Hilton plagued by attacks on their rewards schemes.
In 2014, The Australian Competition and Consumer Commission (ACCC) received over 300 complaints from April-June alone regarding automated calls to consumers ‘on behalf’ of Qantas and Virgin Australia offering $995 AUD as a ‘reward’ for being such a loyal customer.
After being redirected to a human operator however, those duped into providing their card details found that the money was only travelling in one direction: Out of their accounts and into the hands of the fraudsters. In this particular incident, only 4 victims suffered financial loss. Between them, however, a total value of $3,000 AUD was lost, emphasising the stakes involved in this latest threat.
These are not isolated incidences and are indicative of not only the scale of the growing problem but the two pronged attack by criminals of getting the points and getting the personal details.
The threat can be broken down into three main elements
1) Too many scheme members are failing to keep track of their points. Loyalty points have a cash value and should be treated with the same caution and security as bank accounts. Scheme members should be educated about the need to keep their points and details safe and secure.
2) Employ the same techniques to fight loyalty fraud as you do to fight other sorts of fraud. When fraudsters are using loyalty points to make purchases, there are often similar patterns to when CNP fraud happens. A different USP from usual, a different device than usual (coming from a mobile instead of a laptop, for example) and purchasing patterns that are different from expected ones.
There are new patterns to look out for too and the most common is a sudden increase of points on an account as fraudsters buy more points as a way to launder money.
Just as retailers use fraud prevention tools to guard against CNP and other types of fraud, they should use similar tools to guard against loyalty fraud.
Technology, such as the solutions offered by Kount, is critical in fighting against fraud.
3) Keep your customer data secure. When customers join a loyalty scheme, they expect rewards, discounts and offers. They don’t expect identity theft. Treat the information you have from loyalty schemes with the same care and diligence as you do their payment details.
Loyalty schemes are valuable to merchants. They give valuable metrics about consumer behaviour and they encourage consumers to stay loyal to brands. So, like anything of value, they should be protected by best in class security.
The good news for retailers is that while loyalty fraud might be a relatively new form of fraud, it is being carried out using, by and large, the same techniques as criminals use for other types of fraud.
So it doesn’t take a significant change in security protocols and systems to keep loyalty schemes safe, merely treating loyalty schemes with the same care and protection as the rest of the company.
To find out more on the latest fraud threats, join speakers from Kount, IMRG and Braintree at Kount’s Fraud 360 events in Sydney and Melbourne on May 3rd and 5th.