While a good friend of mine was recently traveling, his flight was cancelled and he was booked on a new flight the next day. He travels a lot and he decided to use some of his hotel loyalty points to stay over at the hotel adjacent to the airport. Checking in, he discovered that more than a million miles had been stolen from his account. It was obviously very distressing, so he asked me to write about it to warn others of this fraud and how it can be prevented.
This type of online fraud is called loyalty fraud. Loyalty fraud is when threat actors steal loyalty points from hotel or airline accounts that store frequent-stay or frequent-flyer miles. In 2023, it was estimated that one in four online fraud attempts included loyalty fraud.
Typically, threat actors gain access to loyalty accounts through phishing tactics that steal the legitimate user's login credentials. This can be done through fake emails, or by redirecting users to fake websites that look legitimate and then requesting their credentials to gain access to their account. Threat actors also use credential stuffing, replaying usernames and passwords stolen in other breaches against loyalty point accounts.
Once they gain access to the account with legitimate credentials, the threat actor can change the password and lock the user out of the account, redeem the points, or quickly sell the points on the dark web or on social media platforms. It then becomes very difficult to get those points back, as the hotel chain or airline will say there was no evidence that an unauthorized user obtained the points, because the access was obtained through legitimate credentials.
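The two patterns described above (a credential-stuffing run that tries many accounts from one source, and a successful login followed within minutes by a password change and a points redemption) both leave traces in a loyalty portal's authentication logs. The following is an added example, not code from the original post or from any hotel or airline program: it parses a constructed log excerpt whose line format is assumed for this example, and flags both patterns from a defender's point of view. The IP addresses, usernames and thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not taken from any real system. The line format
# is an assumption made for this example:
#   <ISO timestamp> <event> ip=<address> user=<account> [result=ok|fail]
SAMPLE_LOG = """\
2024-05-01T09:00:01 login ip=203.0.113.7 user=alice result=fail
2024-05-01T09:00:02 login ip=203.0.113.7 user=bob result=fail
2024-05-01T09:00:02 login ip=203.0.113.7 user=carol result=fail
2024-05-01T09:00:03 login ip=203.0.113.7 user=dave result=fail
2024-05-01T09:00:03 login ip=203.0.113.7 user=erin result=fail
2024-05-01T09:00:04 login ip=203.0.113.7 user=frank result=ok
2024-05-01T09:01:10 password_change ip=203.0.113.7 user=frank
2024-05-01T09:02:30 redeem ip=203.0.113.7 user=frank
2024-05-01T10:15:00 login ip=198.51.100.20 user=grace result=ok
2024-05-01T10:16:00 login ip=198.51.100.20 user=grace result=fail
2024-05-01T10:17:00 login ip=198.51.100.20 user=grace result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) ip=(?P<ip>\S+) user=(?P<user>\S+)"
    r"(?: result=(?P<result>ok|fail))?$"
)


def parse_log(text):
    """Turn raw lines into dicts with a parsed timestamp; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_credential_stuffing(events, min_users=5, min_failure_ratio=0.8):
    """Flag source IPs that try many distinct usernames and mostly fail.

    A user mistyping their own password touches one account. A stuffing run
    replays leaked username/password pairs, so it touches many accounts and
    fails for most of them. Thresholds are assumptions for this example.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for e in events:
        if e["event"] != "login":
            continue
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        if e["result"] == "fail":
            stats["failures"] += 1
    flagged = []
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_failure_ratio:
            flagged.append({"ip": ip, "distinct_users": len(s["users"]),
                            "failure_ratio": round(ratio, 2)})
    return flagged


def find_takeover_sequences(events, window=timedelta(minutes=10)):
    """Flag accounts where a successful login is followed, within `window` and
    from the same IP, by a password change and then a points redemption: the
    lock-out-then-cash-out sequence described in the post."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, login in enumerate(evs):
            if login["event"] != "login" or login["result"] != "ok":
                continue
            deadline = login["ts"] + window
            later = [e["event"] for e in evs[i + 1:]
                     if e["ts"] <= deadline and e["ip"] == login["ip"]]
            if ("password_change" in later and "redeem" in later
                    and later.index("password_change") < later.index("redeem")):
                flagged.append({"user": user, "ip": login["ip"],
                                "login_at": login["ts"].isoformat()})
                break  # one alert per account is enough
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing sources:", find_credential_stuffing(evs))
    print("takeover sequences:", find_takeover_sequences(evs))
```

On the constructed excerpt the first detector flags 203.0.113.7 (six distinct usernames, five of six attempts failed) while grace's two retries from 198.51.100.20 stay below both thresholds, and the second detector flags frank's account, where the one successful login from the stuffing source was followed by a password change and a redemption within three minutes. In a real program these alerts would feed a step-up authentication or a hold on redemptions rather than a printout.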
So how do we protect those points that we have been gathering throughout our lifetime?
- Use strong, unique passwords for all loyalty accounts. Treat the accounts like bank accounts, because that is what they are.
- Change passwords frequently, as you would for other critical accounts.
- Enable multi-factor authentication on all loyalty accounts to add an extra layer of security.
- Monitor loyalty accounts regularly so you can catch any unusual activity in your account.
- Be cautious when using public Wi-Fi to access loyalty accounts.
- Don’t provide your username and password unless you are sure you are on the correct site.
- Use a healthy dose of paranoia before opening an advertisement or when redirected to a hotel or airline website. It is unusual to have to enter a username and password to get access to a deal.
- Make sure you are logging on to the official website of the hotel or airline.
- If you receive notice from a hotel or airline that it suffered a data breach, immediately change your password.
Loyalty accounts should be treated no differently than bank accounts. Applying the same security practices you use for other critical accounts will help keep you from becoming a victim of fraud.