How Loyalty Program Fraud Happens

Loyalty programs have grown tremendously in the last decade. Memberships rose from 2.6 billion to 3.8 billion from 2012 to 2016, and are projected to increase to 5.5 billion by the end of the year. The total value of all loyalty program points was estimated at USD$48 billion in 2017 (Wise Marketer, 2017). This rapid growth has made loyalty programs an attractive target for a new criminal underground specializing in loyalty program fraud. We explain below how malicious actors use phishing attacks and leaked credentials to target loyalty programs, and how domain monitoring and leak detection mitigate many of the risks associated with loyalty program fraud.

Phishing Attacks

Any attempt at loyalty program fraud begins with the hijacking of members’ accounts. To obtain these credentials, malicious actors often send spam emails that invite members to log in to their accounts with a link provided in the message. Instead of going to the real loyalty program website, however, victims are directed to phishing sites that steal their usernames, passwords and security question answers. Members are even asked to submit personal information, such as date of birth, social security number (S.I.N) and driver’s license number.

Darknet markets sell both spam services and phishing site templates to lure members to phishing sites. Seen in the figure below is a listing for a scam page kit. 

These methods are constantly evolving, as malicious actors learn to navigate your security systems. It is important to stay vigilant and to understand new threats as they develop.

Database Thefts

Malicious actors also target loyalty programs directly to steal their members’ personal and financial information. They take advantage of unpatched software or social engineer their way into loyalty program databases to extract data about their members. This technique requires more advanced technical skills and is not as common as phishing attacks. 

A large hotel chain announced in March 2020 that it had once again been hit, with up to 5.2 million guests at risk. Someone used the credentials of two franchise property employees to access […] contact details like names, email and home addresses, and phone numbers, as well as gender, birthday, frequent flier numbers, loyalty account info, and hotel preferences. [The company] indicated that [the intrusion] persisted for several weeks before getting flagged.

Wired (2020)

Leaked Credentials

Finally, malicious actors download databases of usernames and passwords from the internet and the dark web. Since over half of people reuse the same passwords on different websites, the passwords leaked from one service can be tested on another service to see if they are valid. This type of attack is known as credential stuffing.

In March 2020, a U.K. supermarket giant issued a warning of account takeover attacks. The attacks used credentials leaked in data breaches and potentially affected 600,000 members of its loyalty program. Swift action prevented the attacks from successfully taking over all 12 million of its loyalty program accounts but still left many potential cases of stolen personal information and fraud.

Credential stuffing can be automated through account checker software that can also be purchased on illicit markets. The software uses a list of usernames and passwords and outputs a list of the credentials that have allowed valid logins. Since each login portal is different, customized modules are needed to test the validity of credentials for each specific website. Some software even comes with the ability to route traffic through proxies to make detection even more difficult.

Account checker programs are becoming more advanced. In the example below, a malicious actor is selling software that is preconfigured to target 22 different web portals and is able to hide behind proxies.

Impacts of Loyalty Program Fraud

The consequences of these account takeovers are numerous. Beyond simply stealing points, loyalty program fraud can impact you financially and damage your brand and reputation.

An organized and scaled loyalty program fraud can generate substantial financial losses. For example, malicious actors use the loyalty points to obtain free services from a company that must, in turn, refund the points to its customers. Replacing the fraudulently redeemed points effectively doubles the financial losses of companies by forcing them to provide twice the number of free goods and services. If the objective of loyalty programs is to retain customers and maintain brand loyalty, breaking that trust has a direct impact on the success of the program and the business.

Preventing Loyalty Program Fraud

To reduce the costs of loyalty program fraud, companies can target the source of stolen credentials. Firms can monitor for phishing-related services and proactively detect logins that use leaked credentials.

Malicious actors register websites with names that closely resemble those of legitimate loyalty program websites. They may, for example, register the website company-x.com to phish the customers who believe they are visiting the official companyx.com website. Many products compile this registration data into feeds that your company can subscribe to in order to find phishing sites. Most website registrars have processes in place for companies to report phishing sites and are willing to take down phishing websites rapidly. With real-time detection in place, it is possible to take down phishing sites well before a phishing campaign reaches your customers.
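
The matching step behind that kind of monitoring can be sketched as follows. This is an added example, not code from Flare or from any registration feed product: the feed entries are constructed, the matching rules and thresholds are assumptions, and the first label of each domain is treated as its name.

```python
# Added example: flag newly registered domains that resemble a brand domain.
BRAND = "companyx.com"  # the legitimate domain used as the example on this page

# Constructed sample feed (not real registration data).
FEED = [
    "company-x.com",         # hyphen inserted (the page's example)
    "c0mpanyx.com",          # digit swapped for a letter
    "companyx-rewards.net",  # brand embedded in a longer name
    "conpanyx.com",          # one-character substitution
    "companyx.com",          # the legitimate domain itself
    "gardening-tips.org",    # unrelated
]

# Assumed folding table: drop hyphens, map common look-alike digits to letters.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand=BRAND):
    """Return why `domain` resembles `brand`, or None if it does not."""
    domain, brand = domain.lower().rstrip("."), brand.lower()
    if domain == brand:
        return None  # the real site is never reported
    label, brand_label = domain.split(".")[0], brand.split(".")[0]
    folded = label.translate(FOLD)
    if label == brand_label:
        return "same name, different TLD"
    if folded == brand_label:
        return "hyphen or look-alike character"
    if brand_label in folded:
        return "brand embedded in name"
    if edit_distance(folded, brand_label) <= 1:
        return "one edit away"
    return None


def suspicious(feed=FEED):
    """Map each look-alike domain in the feed to the rule that matched it."""
    return {d: reason for d in feed if (reason := classify(d))}
```
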

Many products also offer the ability to query in real time whether a particular combination of username and password has been leaked online. This allows your company to check every login attempt and require additional identification for the accounts that are at risk of compromise. This vastly limits the ability of malicious actors to take advantage of leaked credentials. Flare Systems, for example, carries an extensive database of 2.5 billion publicly available leaked credentials that companies can use to secure their employee and customer accounts.
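
A login flow that applies this check could look like the sketch below. It is an added example and not Flare's API: the `LEAKED` set is a constructed stand-in for a vendor's leaked-credential lookup, the member store is constructed, and the rule that a failed attempt with a leaked pair flags the account for later step-up is an assumption.

```python
import hashlib
import hmac
import os


def fingerprint(username, password):
    """Hash the normalized pair so the leak set holds no plaintext."""
    pair = f"{username.strip().lower()}:{password}".encode()
    return hashlib.sha256(pair).hexdigest()


# Constructed stand-in for a leaked-credential feed (hypothetical data).
LEAKED = {fingerprint("alice@example.com", "Summer2019!"),
          fingerprint("bob@example.com", "hunter2")}


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "flagged": False}


# Constructed member store: alice still uses a leaked password, bob has
# changed his, carol never appeared in a leak.
USERS = {"alice@example.com": make_user("Summer2019!"),
         "bob@example.com": make_user("a-different-passphrase"),
         "carol@example.com": make_user("correct horse battery")}


def login(username, password, users=USERS, leaked=LEAKED):
    """Return 'allow', 'step_up' or 'deny' for one login attempt."""
    user = users.get(username.strip().lower())
    if user is None:
        return "deny"
    is_leaked = fingerprint(username, password) in leaked
    valid = hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])
    if not valid:
        if is_leaked:
            # Assumption: someone is replaying a leaked pair against this
            # account, so its next valid login also needs extra identification.
            user["flagged"] = True
        return "deny"
    if is_leaked or user["flagged"]:
        return "step_up"  # valid password, but the account is at risk
    return "allow"
```
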

When implemented together, these solutions greatly limit the ability of malicious actors to gain access to your customers’ accounts and ensure that your company is perceived as a difficult target.

Conclusion

Fraudsters are constantly finding new ways to steal the financial and personal data of customers. By applying these steps, a loyalty program can significantly reduce fraud committed through account takeovers and prevent fraud before it occurs. If you would like to hear more about how Flare Systems’ solutions can help you prevent account takeover and loyalty program fraud, request a demo at [email protected].

Research Team

Flare’s research team conducts investigations and experiments in order to gather data, create new knowledge, and develop new ideas. This helps our team stay ahead of emerging threats and also add insight to our product roadmap.