Fraud comes in many forms. When a criminal seizes control of another person’s legitimate account, that’s called account takeover (ATO) fraud. Then there’s synthetic identity fraud, which is when a criminal combines real and fake information to make an account. That’s in contrast to regular identity fraud, when a criminal steals a person’s real information to make a fraudulent account. While these types of fraud often get attention, there is one fraud vector that frequently flies under the radar: loyalty program fraud.
Loyalty program fraud—or reward points fraud—refers to when someone abuses or exploits a company’s rewards program for criminal purposes. Oftentimes, the criminal will utilize ATO or identity fraud to carry out loyalty program fraud. With over $140 billion in unspent loyalty points in the United States, according to data from Gartner, this fraud vector can be very lucrative for criminals. LSA estimates that $3.1 billion in redeemed points are fraudulent, a clear indication of the amount of money at stake.
To better understand loyalty program fraud and what solutions exist to address it, PaymentsJournal sat down with Daniel Shkedi, Senior Product Marketing Manager at Forter, and Tim Sloane, VP of Payments Innovation at Mercator Advisory Group. During the conversation, Shkedi and Sloane discussed the impact of this fraud vector, why companies struggle to catch it, and how Forter is working to stop loyalty program fraud.
“Loyalty program fraud is skyrocketing”
As the statistics in the introduction reveal, loyalty program fraud is a considerable problem. “I have to begin by saying that loyalty program fraud is skyrocketing,” said Shkedi. He added that direct and indirect losses from loyalty and reward points fraud are an estimated $1 billion, based on data from iApp. When you combine that with the estimated $3.1 billion in fraudulently redeemed points, the size of the problem comes further into focus.
There are four main reasons why this fraud vector is expanding. First, loyalty programs have evolved considerably in the last decade, with many now providing a variety of redemption options. As loyalty programs have become more complex, the value and liquidity of points has gone up. This makes loyalty programs an attractive target for fraudsters.
Second, while loyalty programs have become more complex, these programs’ fraud protections have often lagged behind other financial services, such as the security behind credit cards. As a result, “loyalty programs are an easy target for fraudsters,” explained Shkedi. Sloane agreed, likening loyalty programs to low-hanging fruit for fraudsters.
The third reason that loyalty program fraud is on the rise is that loyalty programs are simply harder to protect. “Loyalty fraud involves attacks at multiple touch points throughout the customer journey,” said Shkedi. Every step of the customer journey, from the sign-up process to the transaction and final redemption of points, is at risk of being compromised, making it extremely difficult to protect accounts.
Finally, unlike the other types of fraud vectors, which have generated a lot of news and attention, loyalty fraud has largely gone unnoticed. “Customers are less aware of this type of fraud, making it easy for fraudsters to steal points under the radar,” noted Shkedi. All four of these reasons have combined to make loyalty points the new currency for fraudsters, he said.
The common types of loyalty program fraud
One common avenue for attack is account takeovers. Criminals will often leverage a variety of methods—including brute force attacks, stolen credentials, and automated cyber-attacks—to gain access to someone’s account. Once inside, the criminal can steal reward points, either redeeming them for money, or transferring them into another account for a later redemption. Some criminals will also hack into accounts to steal credit card information or make fraudulent transactions.
Another method relies on standard or synthetic identity fraud. Criminals will create fake accounts, sometimes many of them, and use these fraudulent accounts to accrue or transfer loyalty points within or between accounts.
A more recent type of attack is what Shkedi refers to as policy abuse. “This occurs when users, typically legitimate users, violate various business policies to receive benefits or rewards by exploiting loopholes in the system,” he explained. For example, think of when an airline’s frequent flyer program offers 200 free points upon sign-up. A devious customer might take advantage of the signup benefits by opening multiple accounts under different identities, and then transferring all the points to one account for redemption.
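The sign-up bonus pattern described above leaves a recognizable trace in a points-transfer ledger: several newly created accounts each move their bonus into the same destination account. The following detection sketch is an added example, not code from Forter or PaymentsJournal; the record layout, account names, age window and feeder threshold are assumptions, and only the 200-point bonus comes from the article.

```python
from collections import defaultdict
from datetime import date

SIGNUP_BONUS = 200         # bonus size from the article's frequent flyer example
MAX_ACCOUNT_AGE_DAYS = 7   # assumption: "new" means a week old or less
MIN_FEEDER_ACCOUNTS = 3    # assumption: alert at three or more feeder accounts

# Constructed sample data: account id -> sign-up date.
ACCOUNTS = {
    "H": date(2023, 1, 10),
    "F1": date(2024, 3, 1), "F2": date(2024, 3, 2),
    "F3": date(2024, 3, 3), "F4": date(2024, 3, 4),
    "L1": date(2021, 5, 5), "L2": date(2022, 8, 20),
    "N1": date(2024, 3, 1),
}

# Constructed sample ledger: (source, destination, points, transfer date).
TRANSFERS = [
    ("F1", "H", 200, date(2024, 3, 2)),
    ("F2", "H", 200, date(2024, 3, 3)),
    ("F3", "H", 200, date(2024, 3, 4)),
    ("F4", "H", 200, date(2024, 3, 6)),
    ("L1", "L2", 1500, date(2024, 3, 5)),  # long-standing member, ignored
    ("N1", "L2", 200, date(2024, 3, 2)),   # one new account, below threshold
]

def find_bonus_funnels(accounts, transfers, bonus=SIGNUP_BONUS,
                       max_age_days=MAX_ACCOUNT_AGE_DAYS,
                       min_feeders=MIN_FEEDER_ACCOUNTS):
    """Return {destination: [feeder accounts]} for destinations that receive
    at least the sign-up bonus from min_feeders or more distinct new accounts."""
    feeders = defaultdict(set)
    for src, dst, points, when in transfers:
        created = accounts.get(src)
        if created is None:
            continue  # unknown source account: nothing to judge its age by
        age_days = (when - created).days
        if 0 <= age_days <= max_age_days and points >= bonus:
            feeders[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in feeders.items()
            if len(srcs) >= min_feeders}

if __name__ == "__main__":
    for dst, srcs in find_bonus_funnels(ACCOUNTS, TRANSFERS).items():
        print(f"review {dst}: bonus points funneled from {', '.join(srcs)}")
```

A hit is a lead for review rather than proof of abuse, since families and shared households can produce the same shape at small scale.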
No matter which method the criminal employs, the end goal is the same: monetization. Points can be redeemed for money or products. When a hacker redeems the loyalty points for a product, they will typically then sell the product for a profit, thereby monetizing the points. “A common technique that we’re seeing quite a lot is them buying untraceable gift cards and reselling them for 25% or up to 60% of the real value,” Shkedi noted.
Rewards fraud costs companies a lot
The immediate harm caused by loyalty program fraud is the direct loss of revenue. If a hacker redeems points worth $100, for example, the company has theoretically just lost $100. But this type of fraud has a much wider and more detrimental impact than just the immediate losses.
Brands that endure endemic loyalty program fraud often suffer a reputational harm as well. “Negative public perception or reviews translate to lost revenue and diminished customer lifetime value,” said Shkedi. Additionally, these companies will likely have stifled business growth. When companies experience high levels of fraud, it makes them reluctant to expand their programs or offer new services without adequate protection.
Many companies are also spending considerable sums of money on operational costs to fight fraud. A common approach, said Shkedi, is to have manual review teams or fraud investigations, both of which prove costly. Alternatively, a company can invest in expensive fraud tools, which may prove effective, but are often unaffordable for many merchants. As Shkedi put it: “Nearly 50% of merchants in several surveys have indicated that low organizational priorities and the lack of adequate resources prevent them from stopping loyalty fraud.”
Securing the entire consumer journey
The key to stopping loyalty program fraud is to implement layers of protection across all customer touchpoints. “This is critical because loyalty program fraud involves attacks at every stage in the user journey,” explained Shkedi. The protection also needs to be automated and operate in real time, allowing businesses to swiftly identify suspicious behavior.
Another feature of an effective fraud-prevention platform is the ability to detect hidden links in the network, a capability Shkedi refers to as “specialization theory.” A lot of fraud rings are quite sophisticated, with individuals operating on different continents and specializing in specific aspects of the fraud. “It’s amazing and it’s kind of scary, just how efficient and effective these criminal organizations have become,” cautioned Sloane.
For example, a criminal in North America may steal credentials from a victim and send this information to a partner in Europe. The European criminal may be in charge of seizing the account and transferring its loyalty points to a different account, set up by another criminal based in Asia. The third criminal will redeem the points and share some of the value with the rest of the criminal network.
A successful fraud prevention platform needs to be able to identify a complicated network like this. However, many solutions on the market will only identify some of the individuals without tying the entire network together.
Forter’s Loyalty Solution
One effective solution companies could adopt is Forter’s Loyalty Solution. Crucially, Forter’s Loyalty Solution starts its protection at the very beginning of the customer journey. The solution assesses attempts to create an account, determining if it’s a fake account or not.
Once an account is created, it is monitored to ensure that if an ATO attempt is made, the fraudulent activity can be flagged. Then the platform determines the trustworthiness of each transaction or point redemption, and even the user behind it. The capabilities of the platform are summarized below:
- Transactional Protection: Protects loyalty rewards redemptions from fraud by accurately determining the trustworthiness of each transaction/redemption and the user behind it.
- Account Protection: Identifies and blocks attempts to create fake accounts, or take over existing accounts to steal points.
- Policy Abuse Prevention: Prevents financial losses due to exploitation of coupons and promotions.
- Adaptive Authentication: Returns a fully automated decision—approve, decline or a multi-factor authentication challenge (via SMS/email)—for each touchpoint.
With all these capabilities, Forter’s Loyalty Solution stands out from its competitors. “Forter is in a pretty unique situation,” observed Sloane, because “it’s one of the few payment fraud platforms that has its own edge identity capabilities and follows that customer journey all the way through to disputes.”