A report by Bond reveals that 77% of customers are more likely to continue doing business with a brand when offered an incentive through a loyalty program. That’s great news for companies looking to grow and increase their bottom line.
But what happens when someone else benefits from that program? It’s called loyalty fraud, and here’s how you can avoid it.
What Is Loyalty Fraud?
Loyalty fraud, also known as rewards fraud or points fraud, happens when customers or fraudsters exploit loyalty programs for personal gain. If it’s a single customer, it’s more likely due to a loophole in your terms and conditions which they’ve discovered accidentally.
If it’s organized fraudsters, they will leverage technical skills and tools to access existing customer accounts and drain them of loyalty rewards.
According to Statista, loyalty fraud accounted for 27% of all fraud attempts experienced by online merchants in 2021.
Source: Statista
Note that loyalty fraud is often a result of account takeover fraud, also known as an ATO attack.
While they appear in different categories in the graphic above, they are not mutually exclusive but closely linked: Fraudsters first access your customers’ accounts, then steal their loyalty points.
What Industries Are Vulnerable to Loyalty Fraud?
A growing number of industries have begun offering loyalty programs, which creates an incentive for fraudsters to attack. The travel industry was historically a prime target. Travel agents, flight and hotel booking sites and any other company offering travel rewards are all vulnerable to loyalty fraud.
However, in recent years, digital retail has almost certainly taken over as the most targeted industry by loyalty fraudsters. The ecommerce world is highly competitive, and loyalty programs are a key marketing tactic to encourage customers to return to your eshop.
Today, frequently targeted industries include:
- online retail
- airlines and travel agencies
- SaaS companies
- ride-sharing platforms
- iGaming brands
- fintech and other financial services
In short, anyone can become a target if they offer loyalty points that can be redeemed for cash value, bonuses, products, or services.
The key point to remember is that in a fraudster’s eyes, your loyalty points are as good as cash. That means your user accounts essentially become wallets to be stolen.
Why Is Loyalty Fraud on the Rise?
Aside from the fact that more companies rely on loyalty programs, consumer behavior may also have played a part in the rise in loyalty fraud.
Firstly, customers are increasingly tech-savvy and knowledgeable about what constitutes a grey area when it comes to exploiting loopholes in your user agreements and T&Cs. There is a whole cottage industry of online forums dedicated to maximizing loyalty points, some of which may offer advice that borders on fraud.
As consumers limit their discretionary spending, they may also neglect old accounts which hold their loyalty points. This makes it much easier for fraudsters to swoop in and access these accounts undetected.
We would be remiss not to discuss the effects of the pandemic on loyalty fraud, which were manifold. Some of the most obvious repercussions were highlighted in a report by Akamai Security, which notes how fraud related to unspent airline miles in frequent flyer accounts went unnoticed for months, due to lockdowns and travel restrictions.
Last but not least, loyalty fraud tends to be noticed much later than, say, chargeback fraud, so fraudsters can get away with it for longer. In fact, customers are less likely to be as protective of their loyalty points as their cash overall – which is very unfortunate for the companies involved.
Examples of Loyalty Fraud
Loyalty fraud may look different depending on whether it’s committed by a legitimate customer or a fraudster who accessed someone else’s account. Let’s look at two concrete examples, one for each scenario.
Loyalty Program Exploits
Opportunistic customers may stumble upon a way to exploit your loyalty program for personal gain. A famous example is the most expensive Starbucks drink possible – which should have cost $54.75 but was received free thanks to a loyalty points hack.
The My Starbucks Rewards program, which used to offer customers a free drink of their choice on their birthday, had no restriction on the type or size of the drink. This saw an enterprising 27-year-old design his own concoction, made, among other ingredients, of 60 espresso shots.
While Starbucks has since closed the loophole by updating its T&Cs, these exploits are also known colloquially as “hacks”, and a quick Google search will point you in the direction of thousands of websites dedicated to finding them.
While not all of these often amusing cases constitute loyalty fraud, they certainly open the door for more creative (and more legally ambiguous) exploits.
Loyalty Fraud Resulting from an Account Takeover
A far more worrying trend when it comes to loyalty fraud stems from account takeovers. An account takeover, or ATO, is what happens when a fraudster accesses one of your customers’ accounts.
This can be done, among other tactics, by:
- finding their login details in a data breach
- stumbling upon the login details via brute force
- phishing for login details by targeting individuals online (also known as spear phishing)
The issue here isn’t just that your customer may lose their loyalty points. Account takeovers are particularly damaging to businesses’ relationships with customers, who tend to blame the company even when it was their own fault, in reality. On top of that, they fuel more fraud attacks in the future, as fraudsters may mine the account for personal data.
If the loyalty account fraudster stumbles upon your customer’s payment information, you may also be liable to deal with chargeback disputes, which are costly and time-consuming.
How to Detect and Prevent Loyalty Fraud
The first step to preventing opportunistic loyalty fraud is to follow Starbucks’ example and update your Terms and Conditions. Identify any potential loopholes that would leave you at the mercy of more creative customers, and ensure the exploits are covered.
When it comes to preventing loyalty fraud due to account takeovers, however, no half-measures will do. You must have an account protection strategy in place, which may include the following processes:
Educate Customers About the Value of Their Accounts and Loyalty Points
Customer accounts are like online wallets. The loyalty points are equivalent to cash, and personal data is like IDs. This message needs to be drilled into your customers’ heads.
- Communicate regularly about the value of customer accounts
- Get them to update their passwords regularly
- Ensure the passwords haven’t appeared in data breaches.
Secure the Login Stage
Since ATO attacks for loyalty fraud target customer logins, this is the stage you must protect.
There are different approaches to this. You could, for instance, secure the accounts with MFA or biometric verification, or enable CAPTCHAs. However, while this type of authentication may be effective, it also introduces a tremendous amount of friction to the customer journey – which can impact your business goals negatively, causing churn.
Alternatively, you can focus on blocking accounts from specific countries or regions, or implementing the sort of simple rule that can flag a shopper whose credit or debit card country doesn’t match their current IP address, for example.
On the SEON platform, this is one of the default rules that are automatically on for those companies who prefer a less hands-on approach, providing a +1 to a customer’s fraud score.
However, it is very easy to toggle the rule off or on if, for example, you expect most of your customers to be away on vacation when they shop with you. At the same time, you can increase or decrease the score at will.
SEON’s platform comes with industry-related presets and default rules out of the box, but it is equally easy to create new custom rules from scratch as well as take advantage of the whitebox AI rule suggestions that activate after the module has seen a certain number of transactions and continue to improve with time.
Monitor Customer Behavior at Various Touchpoints
But by far the most sophisticated way to protect accounts is to understand who is using them. This is done specifically via velocity checks, which look at your users’ activity in time.
Here are examples of the kind of rules you could deploy:
- Check if more than one shopper has provided the same billing address hash within the past hour.
- Flag shoppers who have switched more than three different ISPs within an hour.
- Add a few points to the risk score of users who keep switching browsers regularly.
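The velocity rules listed above, together with the card-country/IP-country mismatch rule from the login section, can be sketched as follows. This is an added example, not SEON's code or rule syntax; the event field names, the browser-switching threshold and every weight except the +1 for the country mismatch are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # look-back window used by the velocity rules

def ev(ts, user, isp, browser, addr_hash, ip_cc, card_cc):
    """Build one touchpoint record (field names are assumptions)."""
    return dict(ts=datetime.fromisoformat(ts), user=user, isp=isp, browser=browser,
                addr_hash=addr_hash, ip_cc=ip_cc, card_cc=card_cc)

# Constructed sample events, not real data.
EVENTS = [
    ev("2024-05-01T10:00", "alice", "isp-a", "firefox", "h1", "GB", "GB"),
    ev("2024-05-01T10:05", "mallory", "isp-a", "chrome", "h9", "DE", "GB"),
    ev("2024-05-01T10:10", "mallory", "isp-b", "safari", "h9", "DE", "GB"),
    ev("2024-05-01T10:20", "mallory", "isp-c", "edge", "h9", "DE", "GB"),
    ev("2024-05-01T10:30", "mallory", "isp-d", "chrome", "h9", "DE", "GB"),
    ev("2024-05-01T10:40", "trent", "isp-e", "chrome", "h9", "GB", "GB"),
    ev("2024-05-01T12:30", "alice", "isp-a", "firefox", "h1", "GB", "GB"),
]

def score_event(event, history):
    """Return (score, reasons) for `event`, given the events seen before it."""
    recent = [e for e in history if timedelta(0) <= event["ts"] - e["ts"] <= WINDOW]
    mine = [e for e in recent if e["user"] == event["user"]] + [event]
    hits = []
    # Card country differs from IP country: +1, as stated for the default rule.
    if event["ip_cc"] != event["card_cc"]:
        hits.append((1, "ip_card_country_mismatch"))
    # Same billing address hash seen for more than one shopper in the past hour.
    sharers = {e["user"] for e in recent if e["addr_hash"] == event["addr_hash"]}
    if len(sharers | {event["user"]}) > 1:
        hits.append((5, "shared_billing_address"))  # weight is an assumption
    # More than three different ISPs for this user within an hour.
    if len({e["isp"] for e in mine}) > 3:
        hits.append((5, "isp_switching"))           # weight is an assumption
    # Browser switching: threshold (>2 browsers/hour) and weight are assumptions.
    if len({e["browser"] for e in mine}) > 2:
        hits.append((3, "browser_switching"))
    return sum(p for p, _ in hits), [r for _, r in hits]

def score_stream(events):
    """Score each event, in time order, against the events that preceded it."""
    results, history = [], []
    for e in sorted(events, key=lambda x: x["ts"]):
        results.append((e["user"], *score_event(e, history)))
        history.append(e)
    return results
```

Because each event is scored only against earlier events inside the window, the second account to reuse a billing address hash is the one flagged, and a customer who returns hours later starts from a clean score.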
Below, you can see even more examples, as well as the place in the Admin Panel where you can set up your own custom velocity (and other) rules from scratch.
The clear advantage of choosing SEON’s under-the-hood approach compared to the aforementioned biometrics, for example, is that it’s completely frictionless, meaning you can block loyalty fraud in real-time without asking anything of your legitimate customers.
How SEON Can Help With Loyalty Fraud
The above is a very small sample of SEON’s functionality. As a full end-to-end fraud detection solution, SEON lets you access an incredible amount of data about every connection on your site.
That data may come from:
- the user’s phone or email address
- their IP address
- the kind of device they use to connect
Combining IP and device data, for instance, is a fantastic way to guess if you’re dealing with a new user or a loyal returning customer.
Importantly, you can tell from this list that there is no need to directly ask your customer to provide any additional information, which would add friction and could cause them to turn to one of your competitors for a smoother, hassle-free experience.
The key to reducing loyalty fraud?
Have a clear picture of who is logging onto your platform. This way, you can secure customer accounts and ensure legitimate loyal shoppers are rewarded for their custom with both loyalty points and a pleasant shopping experience.
FAQ
Reward fraud happens when a customer finds a loophole to exploit your reward program. It also happens when a fraudster steals a customer’s account to spend their reward points.
Common types of customer loyalty programs include:
- point-based loyalty programs
- tiered loyalty programs
- paid-loyalty programs
- game-based loyalty programs
- longevity-based loyalty programs
An example of loyalty marketing would include a coupon code sent to customers who spent over a certain amount at an online store. You could also give customers points for each purchase, and have the points be exchangeable for goods or services.
Sources
- Bond: The Loyalty Report
- Statista: Most common types of fraud attacks experienced by online merchants worldwide in 2021
- ABC News: Starbucks Customer Hacks Loyalty Program With Record-Setting Free $54.75 Drink
- Akamai Security: Loyalty Programs Continue to be Targeted by Criminals as Account Data is Easily Sold or Traded