Skip to main content

What you need to know about loyalty fraud

If something has value then it should be kept secure. Companies invest heavily in keeping their databases, financial details, and other confidential information under lock and key. As well as this, merchants are fighting against fraud, especially the ever present and ever growing threat of card-not-present fraud. Yet there is another form of fraud that is on the rise and one which should be treated with the same concern as CNP fraud and data breaches: loyalty fraud.

Loyalty schemes are big business

92 per cent of the UK’s adult population are members of loyalty schemes and they have a combined value of £5.7bn. It is big business and it is little wonder that criminals might want a piece of it. Not only this, the very nature of loyalty schemes means that they hold huge amounts of information about customers. Names, dates of birth, emails, postal addresses, just about everything a fraudster needs to carry out identity theft. Nectar, alone, has over 19 million members. That database would be worth its weight in gold to criminals.

Loyalty fraud in practice

There are two ways that loyalty schemes can be hit by fraudsters. The first works along the same lines as CNP fraud but, instead of getting access to someone’s payment details, fraudsters gain access to loyalty schemes through a mixture of phishing scams, identity theft, and hacking weak and vulnerable passwords. Loyalty points can be used for huge numbers of things; travel, groceries, meals, event tickets, online gaming. Virtually anything.

With loyalty schemes using smart cards and being managed online, the parallels with card-not-present fraud are all too clear. Loyalty points can be spent like cash and, so, are as vulnerable and attractive as any payment account.

The second way is in the database breach. As we have discussed, scheme members share large amounts of information with the loyalty scheme. In essence, this is the deal they make with the scheme owners: 'I will give you all the information you want about me and my shopping habits and, in return, you will give me rewards'. Yet this information is enough, in the wrong hands, to commit identity fraud.

It is a scenario already happening. In December last year, JD Wetherspoon admitted a breach of their 650,000-strong loyalty scheme. Hackers obtained card details, names, addresses, and other personal information. This is proof of just how valuable the data in loyalty schemes is to fraudsters and the need for stringent security measures.

A growing threat

Already in the US, 72 per cent of loyalty scheme managers have reported problems with fraud . And in the UK, Nectar has been a victim of fraud. In February 2015, the scheme reported that points had been stolen from members and were being spent on eBay and in Argos . Nectar has pledged to increase security, but this fraud shows the scale of the ambition of the fraudsters and shows that not even the biggest schemes are safe.

How to fight this threat

There are two main elements to this threat: stopping loyalty schemes being breached and knowing when transactions made using points are genuine or fake.

1) Keep the data safe

Customer information is as valuable to criminals as it is to retailers. So it should be kept under the highest security. While multifactor authentication methods might make it slightly more inconvenient for customers to log-in to their loyalty accounts, it is nothing compared to the inconvenience of having to rebuild your credit history after suffering identity fraud. For retailers, data breaches can be exceptionally harmful to their reputation. A loyalty scheme prone to data breaches is not a loyalty scheme that consumers will want to join.

2) Keep watch for fraudulent loyalty point transactions

The indicators of card-not-present fraud, such as different addresses, different ISP address, different spending patterns, and testing on small items before going for the big ticket items are all present for loyalty fraud too. So loyalty point transactions should be subject to the same checks as all other transactions. Retailers should already have rigorous anti-fraud protocols and technology in place.

Fighting loyalty fraud, then, is simply a question of applying these same methods to loyalty schemes and loyalty transactions. It shouldn’t’ require a complete rethink of security protocols. What it should require, though, is an understanding that your loyalty schemes are valuable to you, your customers and criminals. So keep them safe.

Donald Bush, Vice President of Marketing at Kount