Loyalty Fraud: Over 3 Billion Accounts and $48 Billion at Stake
Whether making fraudulent purchases to accrue loyalty points and rewards, or taking over legitimate customer accounts to steal and spend the loyalty balances they’ve built up, loyalty fraud is damaging with both financial and brand risks. Despite the growth of loyalty-based fraud in recent years, this is still a vulnerability point for many organizations that offer such reward programs. Recent statistics and case studies involving loyalty fraud are discussed in this FraudBlog post.
Many organizations and risk management teams focus fraud prevention measures on the transaction or purchase event, but fraudsters are crafty and attack across multiple vectors. Often as merchants plug one hole, fraud flows through different channels and forms of attack. According to a 2015 survey conducted by Ipsos Public Affairs for Connexions Loyalty, 72 percent of loyalty program managers had experienced fraud related to their programs, while one-in-three said it is a fast growing concern. There is plenty of meat on the bone for fraudsters to go after, as the 2015 COLLOQUY Loyalty Census tallied 3.3 billion loyalty memberships in the United States with points, rewards cash and miles worth an estimated $48 billion.
Fraud and security blogger Brian Krebs detailed a case involving Kohl’s Cash rewards earlier this year. According to the victim Krebs spoke with, the Kohl’s customer service representative said her case was a “very common occurrence.” The victim first received notification from Kohl’s that the email address associated with her online account had been changed. Knowing she did not make this change she contacted the company right away, but by that time her account was already used to make two large purchases for nearly $1,500. Interestingly, the fraudsters let the goods ship to the victims own address, because it wasn’t the products they were after. This was all in effort to gain loyalty rewards, or in this case Kohl’s Cash, which the fraudsters were hoping to receive and redeem before the fraud was caught and the rewards were reneged.
Another interesting aspect of this case study was the type of goods the fraudsters were targeting: large, bulky items that typically take longer to ship and return. This was an intentional tactic driven by the fact that Kohl’s Cash was awarded once the order was confirmed, which was sent to the new email address the fraudsters provided after taking over the victim’s account. While the company revokes Kohl’s Cash once orders are returned, the fraudsters targeted bulky items that tend to buy them more time to use up the rewards. Kohl’s fully rectified the issue for this customer, but the story illustrates the type of attacks and tactics that many online retailers and other organizations may not be looking to prevent.
Loyalty programs and rewards are at risk not only because there is large amount of nominal and redeemable value associated with these programs and accounts, but also because so many of these reward program accounts are left dormant. While the most recent COLLOQUY Loyalty Census found the average U.S. household to have 29 loyalty accounts, just 12 of them are considered active. The IPSOS Public Affairs/ Connexions Loyalty survey found that 34 percent of loyalty program members log-in to their account only once every three months, while 10 percent stated they have never checked their reward balances. These represent prime targets for fraudsters, who may be able to take over their accounts and drain loyalty rewards before the true account holder has any idea.
The IPSOS Public Affairs/ Connexions Loyalty survey also quantified meaningful brand risks associated with loyalty program fraud. Surveys found that more than one-in-four loyalty program members would cancel membership if they experience fraud, while 17 percent said they would stop doing business with that organization altogether.
In short, there is a lot of value tied to loyalty and reward programs, many consumers don’t keep up with them, and they pose both financial risks (theft, using rewards before they can be revoked or using a victim’s rewards which may be replenished) and brand risks for organizations that offer them. While the most emphasis is placed on payment transactions, organizations need to consider less conventional schemes and forms of attack.
For more information: