How to Detect, Prevent, and Protect Against Loyalty Fraud in 2025
Airline miles, hotel points, and coffee shop punch cards. Loyalty programs are everywhere and only becoming more popular. The loyalty management market was worth $11.31 billion in 2023 and is expected to quadruple by the end of 2032.(1) It’s easy to understand why: A well-designed loyalty program makes customers feel appreciated and understood. It leads to more engagement and more sales.
But there’s a downside. Loyalty programs attract unwanted attention from cybercriminals. Statista’s research shows that loyalty fraud now accounts for 31% of all fraud attempts against online merchants.(2) Millions of dollars worth of loyalty points sit vulnerable in inactive accounts. These points present an attractive target for fraudsters, who come up with increasingly sophisticated fraud schemes to steal them. Any business with a loyalty program should know how to detect, prevent, and protect against loyalty fraud.

Loyalty fraud is expected to quadruple over the next decade
What industries are vulnerable to loyalty fraud?
Travel and hospitality companies were traditionally prime targets for loyalty fraud, because they were the first companies to experiment with loyalty programs. But fraudsters now attack loyalty programs across virtually every sector. Travel and hospitality is still particularly vulnerable, losing up to $1 billion a year(3), but retail and e-commerce loyalty programs face threats too. Financial services, with their direct cash-value rewards, are another lucrative target.
No industry with a loyalty program is immune. The key factor isn’t the industry itself, but the value of the rewards and how easy they are to redeem. Programs that offer flexible redemption options or easily transferable points face the highest risks.
Why do fraudsters target loyalty point programs?
First, loyalty points are often as good as cash. They are easily exchanged into merchandise, travel, or gift cards through dark web markets. This is made even easier when a loyalty program allows its customers to transfer points to other accounts.
Second, unlike payment fraud that triggers an immediate alert, loyalty fraud often goes unnoticed for weeks or months. Customers rarely check their point balances with the same frequency as their bank accounts. This gives criminals plenty of time to redeem stolen points.
Third, loyalty programs typically have weaker security measures than financial accounts. Businesses do not monitor their loyalty programs and often have fewer verification requirements for loyalty point transactions. This makes them easier targets for cybercriminals.
How do fraudsters commit loyalty point fraud?
- Account takeover (ATO) is the most common way to commit loyalty fraud. This happens when a criminal gains unauthorized access to a legitimate customer account through credential stuffing using stolen username/password combinations, sophisticated phishing emails that impersonate loyalty programs, or brute force attacks against weak passwords.
- Promo abuse means a criminal exploits sign-up bonuses and promotional offers through multiple fake accounts, often using stolen identities.
- Social engineering targets customer service representatives, manipulating them into resetting passwords or transferring loyalty points between accounts. Criminals often use automated bots to fake qualifying activities and convince a customer service rep.
- Gift card fraud is a bridge between payment fraud and loyalty fraud. Criminals buy a gift card with a stolen credit card, convert that gift card into loyalty points, and then transfer those points to clean accounts where they can redeem them.
Examples of loyalty fraud
Type “miles stolen reddit” into your favorite search engine and you’ll find no shortage of people who have lost their loyalty points at some point in their life. But the highest-profile loyalty fraud example is that of Marriott International, which suffered from three large data breaches between 2014 and 2020 that impacted 344 million customers worldwide.(4)
In a 2024 settlement order, Marriott agreed to provide its US customers with a way to remove the personal data that’s tied to their email or loyalty rewards account number. They would also restore stolen loyalty points if a customer requested it, as many of their customers had lost their loyalty points after the hackers had gained access to their accounts.
But loyalty fraud doesn’t just impact big businesses: In 2024, the manager of a small UK restaurant was convicted of defrauding his restaurant of £21,000.(5) The restaurant had an introductory offer that gave customers £20 off their next visit, which the manager exploited by creating fake email addresses and loyalty profiles.

Even small restaurants in Chester are at risk of loyalty fraud
How loyalty fraud hurts businesses
Loyalty programs exist to retain customers. You reward them with points, miles, or stars so they return and buy more of your goods and services. In exchange, customers expect you to protect those loyalty rewards (as well as their personal and financial data). If you don’t, they will feel duped and may abandon your loyalty program altogether, taking their business elsewhere. You will need to replace those lost customers with new customers, which is expensive because customer acquisition costs more than customer retention.
A loyalty program that’s not well-protected can lead to loyalty fraud, but it can also lead to other types of fraud. If a loyalty program results in a data breach, it can expose customers’ personal information, payment card details, and login credentials. In turn, this can lead to substantial fines under regulatory frameworks such as the CCPA in California or GDPR in the European Union. In the example given above, Marriott agreed to pay $52 million to several US states in 2024, only one of several fines it has had to pay over the years.
Then there’s the cost that comes from fraudulent redemptions, replacing stolen points, and operational expenses for fraud investigation and legal compliance. Payment disputes add another layer of complexity. When fraudulent activity occurs, businesses often face chargebacks on related transactions. This can lead to increased payment processing fees and even risk merchant account termination. The administrative burden of managing these disputes will strain your resources and operational efficiency.
How to detect and prevent loyalty fraud
Educate your customers: Loyalty fraud prevention starts with robust customer education. Help your customers understand that their loyalty accounts carry real monetary value and deserve the same protection as financial accounts. Provide your customers with clear security guidelines, such as enabling multi-factor authentication (MFA), using strong passwords, and checking their points balance regularly.
Secure the login endpoint: It’s much harder to commit loyalty fraud without having access to customer accounts. That’s why the login endpoint is your first line of defence. Biometric verification, MFA, and intelligent CAPTCHA can each significantly reduce unauthorized access attempts. Advanced behavioral analytics and bot protection solutions can flag and block potential threats before they result in an account takeover.
Monitor customer behavior: If you want to detect fraud early, you should monitor customer behavior. Track redemption patterns, point transfers, and geographic activity to quickly identify and respond to suspicious behavior. It’s this proactive approach that will prevent the large-scale losses that can bankrupt your loyalty program.
Use real-time notifications: Real-time notification systems alert customers to account changes, transactions, and suspicious activity. This immediate communication lets them respond quickly to potential threats. They will also trust you more, as it shows you’re taking their security seriously. Some loyalty programs require explicit approval for sensitive account changes, which adds an extra layer of protection against unauthorized modifications.
Lock inactive accounts: Being enrolled in a loyalty program doesn’t mean someone is active in it. According to a loyalty data study, less than one-third of customers are active in their favorite brand’s loyalty program.(6) No matter how good your program is, many of its members will be inactive. These are particularly juicy targets for cybercriminals, because a customer will never notice loyalty fraud on an account they never use.
Lock these inactive accounts by asking customers for an extra layer of verification if they ever want to log in again. Alternatively, design your program so loyalty points expire after a set period. This way, even if a hacker manages to find their way into an inactive account, there won’t be any points they’d be able to steal.
Reach out to inactive users: It’s also a good practice to occasionally reach out to your inactive users to remind them their account exists. Or even to tell them their account will be deleted if they do not use it within a certain amount of time. This would keep your database clean while also making it harder for fraudsters to break into inactive accounts.
Use fraud monitoring tools: Modern fraud prevention management tools that include machine learning and artificial intelligence can greatly improve fraud detection accuracy. These tools can continuously monitor multiple endpoints to detect and prevent all kinds of fraud, while also minimizing false positives that might otherwise frustrate genuine customers.
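The behavior-monitoring and inactive-account advice above can be expressed as a few rules over a loyalty event log. This is an added example, not DataDome's code or any product's API; the event fields, thresholds, and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed thresholds; tune them to your own program's data.
DORMANT_AFTER = timedelta(days=365)   # no activity for this long = inactive account
BURST_WINDOW = timedelta(hours=1)     # points moved this soon after a risky login
DRAIN_FRACTION = 0.8                  # share of the balance that counts as a drain

# Constructed sample events:
# (timestamp, account, event, country, points_moved, balance_before)
EVENTS = [
    ("2023-01-10T09:00", "A1", "login", "FR", 0, 52000),
    ("2025-02-01T03:12", "A1", "login", "BR", 0, 52000),
    ("2025-02-01T03:15", "A1", "transfer", "BR", 50000, 52000),
    ("2025-01-20T18:00", "B2", "login", "US", 0, 8000),
    ("2025-02-01T12:00", "B2", "login", "US", 0, 8000),
    ("2025-02-01T12:05", "B2", "redeem", "US", 1500, 8000),
]

def review(events):
    """Return {account: [reasons]} for accounts that need step-up verification."""
    state, findings = {}, {}
    for ts, acct, kind, country, points, balance in sorted(events):
        when = datetime.fromisoformat(ts)
        s = state.setdefault(
            acct, {"last_seen": None, "countries": set(), "risky_login": None})
        reasons = findings.setdefault(acct, [])
        if kind == "login":
            # Inactive account coming back to life: ask for extra verification.
            if s["last_seen"] and when - s["last_seen"] > DORMANT_AFTER:
                reasons.append("login after dormancy")
                s["risky_login"] = when
            # Geographic activity: a country never seen for this account.
            if s["countries"] and country not in s["countries"]:
                reasons.append("login from new country")
                s["risky_login"] = when
            s["countries"].add(country)
        elif kind in ("transfer", "redeem"):
            # Redemption/transfer pattern: most of the balance leaves at once.
            if balance and points / balance >= DRAIN_FRACTION:
                reasons.append(f"{kind} drains balance")
            if s["risky_login"] and when - s["risky_login"] <= BURST_WINDOW:
                reasons.append(f"{kind} shortly after risky login")
        s["last_seen"] = when
    return {acct: r for acct, r in findings.items() if r}

if __name__ == "__main__":
    for account, reasons in review(EVENTS).items():
        print(account, "->", "; ".join(reasons))
```

In practice the flagged accounts would feed the extra verification step and the real-time customer notification rather than an outright block, which keeps false positives from locking out genuine members.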
How DataDome protects against loyalty fraud
DataDome’s comprehensive fraud solution protects your business against the automated threats that cybercriminals use to commit all kinds of fraud, from account takeovers to ad fraud to loyalty fraud. It protects your websites, mobile apps, and APIs, and can be set up in minutes without having to change anything about your existing tech architecture.
Protect your loyalty program with DataDome’s industry-leading fraud prevention platform. Contact us today for a free demo and see how we can secure your rewards program against sophisticated fraud attacks.
Loyalty Fraud FAQ
Loyalty fraud happens when criminals or opportunistic customers exploit reward programs for unauthorized gain. They do so typically by stealing points from legitimate accounts or manipulating program rules. This includes activities like hacking into customer accounts to steal points, creating fake accounts to abuse promotional offers, or reselling stolen rewards on dark web markets.
A common example of loyalty program fraud is account takeover, where a criminal gains access to a legitimate customer’s loyalty account through stolen passwords or phishing attacks. They then quickly drain the account by transferring points to other accounts or redeeming them for gift cards, which are easily resold for cash.
Reward fraud happens when someone manipulates or abuses a rewards program to gain benefits they’re not entitled to. This could involve using stolen credit cards to make purchases that earn points, creating multiple fake accounts to claim sign-up bonuses, or exploiting technical glitches in the reward system to generate points artificially.
The main disadvantages of loyalty programs include their vulnerability to fraud and abuse, the operational costs of maintaining the program, and the financial liability of unredeemed points sitting on company balance sheets. Programs also risk customer frustration if points are stolen or if the redemption process is too complex, which could damage brand reputation instead of improving it.
Yes, loyalty fraud is a crime that falls under theft and fraud statutes in most jurisdictions. When criminals hack accounts or steal points, they’re committing criminal acts just as if they were stealing cash or goods. The unauthorized access of customer accounts also often violates computer crime laws, while reselling stolen points can constitute trafficking in stolen property.
Loyalty abuse is when customers or fraudsters exploit program rules or loopholes in ways that violate terms of service. These are actions that are not technically illegal, but not how the program was meant to be used. This can include sharing membership benefits with unauthorized users, manipulating purchase patterns to maximize points unfairly, or creating multiple accounts to get multiple promotional offers.
Sources
(1) https://www.statista.com/statistics/1295852/loyalty-management-market-size-world
(2) https://www.statista.com/statistics/1297428/leading-fraud-attacks-online-merchants-worldwide/
(3) https://www.infosecurity-magazine.com/news/airlines-battle-loyalty-program/
(4) https://www.ftc.gov/news-events/news/press-releases/2024/10/ftc-takes-action-against-marriott-starwood-over-multiple-data-breaches
(5) https://www.bbc.co.uk/news/articles/crgegv4j7ddo
(6) https://www.ebbo.com/insights/data-study/2022-customer-loyalty-data-study/