Economists report that there is currently $238 billion worth of loyalty currency sitting in member accounts that is exposed to attackers. That high value, combined with weaker security and fewer protections than bank accounts receive, makes loyalty and rewards accounts a prime target for hackers and thieves.
Loyalty fraud: The problem
Loyalty fraud brings a variety of negative repercussions: the cost of replacing stolen points or miles, the loss of loyal members, even lower Net Promoter Scores after a bad customer experience. Despite the rise in fraudulent loyalty program activity, many program managers are still unaware that it is a growing threat, until they are hit with multiple instances of program fraud.
To help loyalty program managers learn more about loyalty and rewards fraud, we’ve compiled a list of need-to-know terms related to fraud detection and prevention. It’s a great starting point for getting to know the lay of the loyalty fraud landscape.
What is loyalty fraud?
Loyalty Program Fraud – Any fraud committed within a loyalty program, including gaming the earning rules to receive points the member is not entitled to.
Loyalty Rewards Account Fraud – When someone who is not the account holder redeems the account's points or miles for their own benefit.
Friendly Fraud – Friendly fraud, also known as friendly fraud chargeback, refers to consumers who make internet purchases with their own credit card and then issue chargebacks through their card providers after receiving the goods or services.
Familiar Fraud – When someone close to the victim, such as a relative or spouse, impersonates them to gain access to sensitive information. For example, an ex-spouse may still know enough to access the victim's medical and personal information, which could then be used to open a loyalty account fraudulently in the victim's name.
Account Takeover – When a fraudster obtains a member's login credentials (typically from a data breach, often of an unrelated site where the member reused the same password) and uses them to access the loyalty rewards account as if they were the member.
Fraud-related key terms
Biometrics – Measurements of a person's physical characteristics, such as fingerprints or facial features, that can be used to verify identity and so help protect customers against fraud.
Bot attack – Automated traffic generated by scripts ("bots") rather than by people, used to test stolen credentials against a login page at scale, mass-register accounts or scrape data. The word "bot" also refers to malware that enrolls a compromised computer in a botnet under an attacker's remote control; such botnets are often the source of the automated traffic, and the same malware may harvest credit card numbers, bank credentials and other personal information from the infected machine.
Dark Web – The portion of the internet that is intentionally hidden from search engines, reachable only through anonymizing software such as a special web browser that masks the user's IP address. People who use the Dark Web want to browse anonymously. Many of them are legitimate: law enforcement or journalists may use it to keep in contact with informants, and others use it simply to protect their identities from state and private surveillance. Criminals also use the Dark Web for a variety of purposes, among them a fraudster shopping for stolen identities, or buyers looking for drugs, hacking tutorials or other illicit goods and services.
Deep Web – The portion of the internet that conventional search engines do not index, typically because the pages sit behind a login, a paywall or a search form rather than on a public link. The Deep Web includes the Dark Web, but also all user databases, webmail pages, registration-required web forums and pages behind paywalls.
Device Fingerprinting – Collecting attributes of a device (PC, mobile phone, tablet, etc.), such as device type, operating system and browser version, installed software, screen size and, where available, hardware serial numbers, and combining them into an identifier for the device or its user.
Device Cloning – When a fraudster copies the software-visible attributes of a victim's device (or a full software image of it) so that the fraudster's own device presents the same fingerprint and passes device-fingerprinting checks.
Device ID – A unique identifier assigned to a device (smartphone, tablet, wearable). Device IDs feed user profiles that help distinguish a genuine member's device from a fraudster's.
False Positive – A legitimate account or transaction that a fraud prevention system flags as fraudulent. The false-positive rate is the share of legitimate activity wrongly flagged, and every false positive is a good member inconvenienced.
Geo-location – Determining where a device is, from coordinates (latitude and longitude) reported by the device or inferred from its IP address, together with signals such as its configured time zone. A redemption from a location inconsistent with the member's history is a fraud signal.
Malware – Any software designed to damage, disable or covertly control computers or computer systems. Examples include viruses, trojan horses and spyware.
Man-in-the-Middle Attack – An attack where the fraudster secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
SIM Cloning – When the identifiers and authentication key stored on a victim's SIM card (not the phone's data, which lives on the handset) are copied to a SIM the fraudster controls, so that the fraudster's device authenticates to the network as the victim's subscription and receives the victim's incoming calls and messages.
SIM Swap – When a fraudster first collects a consumer's personal information (bank account details, for example) through phishing, vishing, smishing or other means, then uses social engineering to persuade the mobile network operator to move the victim's phone number to a SIM in the fraudster's possession. The victim's SIM is deactivated and the fraudster receives all of the victim's calls and SMS messages, including one-time passcodes.
Skimming – A method fraudsters use to illegally capture payment card data with a small electronic device, a skimmer, that reads and stores the details of every card swiped through it. Skimming has become common at gas pumps: fraudsters tamper with the pump, install a skimmer and later retrieve the stored card data over Bluetooth without touching the pump again.
SMS Intercept – When a fraudster receives a victim's inbound SMS messages, typically one-time passcodes. This is most often achieved through SIM swap or SIM cloning (above), which make the network deliver the victim's messages to a device the fraudster controls; because that device registers as the victim's subscription, the fraudster can also send outgoing messages that appear to come from the victim's number.
Types of solutions to combat fraud
Multifactor authentication – Requiring more than a username and password to authenticate a customer's access to their account: at least two factors from different categories, something you know (a password), something you have (a phone, hardware token or authenticator app) and something you are (a biometric). A passcode delivered by SMS counts as "something you have" but is exposed to SIM swap and SMS intercept, so an authenticator app or hardware token is the stronger choice.
Static Fraud Rules – Fixed rules written by an analyst, either in anticipation of a fraud pattern or after an incident, that flag any future activity matching a preset condition (for example, a redemption above a threshold or from outside the member's home country).
Dynamic Fraud Rules – Rules that evaluate an event in the context of other events rather than one transaction at a time. They are more robust than static rules because they use rule sets to identify patterns and common denominators (a shared device, an address, a time window) that indicate fraudulent activity spanning many accounts or incidents.
AI/Artificial Intelligence – Software that performs tasks normally requiring human judgment, such as recognizing patterns in data and choosing actions in pursuit of a goal based on what it observes.
Predictive Modeling – Analyzing large amounts of historical data to draw conclusions and predict outcomes. Machine learning (a branch of artificial intelligence) is often used to learn, from records of past fraudulent and legitimate activity, which features predict fraud, so that future transactions can be scored for risk.
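The difference between the two kinds of rules is easiest to see on data. The example below is added here and is not the page's or any vendor's rule engine: it runs two static rules (a points threshold and a foreign-IP check) and two dynamic rules (one device fingerprint redeeming from several accounts within a window, and a redemption from a never-seen device shortly after a password change, the account-takeover sequence) over a constructed set of redemption events, then scores both against constructed ground-truth labels to give the false-positive rate defined above. The thresholds, field names and sample events are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Redemption:
    event_id: str
    account: str
    ts: datetime
    points: int
    device_fp: str                     # device fingerprint (hash of collected device attributes)
    ip_country: str                    # country geo-located from the request IP
    home_country: str                  # country on the member's profile
    pw_changed_at: Optional[datetime]  # most recent password change on the account, if any
    label: str                         # constructed ground truth for scoring: "fraud" or "legit"


def static_rules(ev: Redemption) -> List[str]:
    """Analyst-written thresholds: each event is judged on its own."""
    hits = []
    if ev.points >= 50_000:
        hits.append("large_redemption")
    if ev.ip_country != ev.home_country:
        hits.append("foreign_ip")
    return hits


def dynamic_rules(events: List[Redemption], window: timedelta = timedelta(hours=24),
                  max_accounts_per_device: int = 3) -> Dict[str, List[str]]:
    """Rules that look across accounts and time rather than at one event.

    A: one device fingerprint redeeming from >= max_accounts_per_device distinct
       accounts inside `window` (one operator draining several taken-over accounts).
    B: a redemption from a device never seen on that account within an hour of a
       password change (reset the password, log in, cash out).
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    by_device: Dict[str, List[Redemption]] = defaultdict(list)
    seen_on_account: Dict[str, Set[str]] = defaultdict(set)

    for ev in sorted(events, key=lambda e: e.ts):
        # Rule A: sliding window over this device's earlier redemptions
        recent = [r for r in by_device[ev.device_fp] if ev.ts - r.ts <= window]
        if len({r.account for r in recent} | {ev.account}) >= max_accounts_per_device:
            for r in recent + [ev]:  # flag the whole cluster, not only the newest event
                if "device_multi_account" not in hits[r.event_id]:
                    hits[r.event_id].append("device_multi_account")
        by_device[ev.device_fp].append(ev)

        # Rule B: new device on the account shortly after a password change
        if (ev.device_fp not in seen_on_account[ev.account] and ev.pw_changed_at is not None
                and timedelta(0) <= ev.ts - ev.pw_changed_at <= timedelta(hours=1)):
            hits[ev.event_id].append("new_device_after_pw_change")
        seen_on_account[ev.account].add(ev.device_fp)
    return dict(hits)


def evaluate(events: List[Redemption], use_dynamic: bool = True) -> Dict[str, object]:
    """Run the rules and score them against the constructed labels.
    false_positive_rate = legitimate events flagged / all legitimate events."""
    dyn = dynamic_rules(events) if use_dynamic else {}
    flags = {ev.event_id: static_rules(ev) + dyn.get(ev.event_id, []) for ev in events}
    tp = sum(1 for e in events if flags[e.event_id] and e.label == "fraud")
    fp = sum(1 for e in events if flags[e.event_id] and e.label == "legit")
    fn = sum(1 for e in events if not flags[e.event_id] and e.label == "fraud")
    legit = sum(1 for e in events if e.label == "legit")
    return {"flags": flags, "tp": tp, "fp": fp, "fn": fn,
            "false_positive_rate": fp / legit if legit else 0.0}


def sample_events() -> List[Redemption]:
    """Constructed sample data, not real program records."""
    t0 = datetime(2024, 3, 1, 9, 0)
    m = timedelta(minutes=1)
    return [
        Redemption("e1", "acct-A", t0, 20_000, "fp-alice-phone", "US", "US", None, "legit"),
        # member redeeming while travelling: static foreign_ip rule will flag it
        Redemption("e2", "acct-B", t0 + 60 * m, 15_000, "fp-bob-laptop", "FR", "US", None, "legit"),
        # one device, three accounts, two of them with a fresh password change
        Redemption("e3", "acct-C", t0 + 120 * m, 10_000, "fp-x", "US", "US", t0 + 110 * m, "fraud"),
        Redemption("e4", "acct-D", t0 + 150 * m, 12_000, "fp-x", "US", "US", t0 + 135 * m, "fraud"),
        Redemption("e5", "acct-E", t0 + 180 * m, 9_000, "fp-x", "US", "US", None, "fraud"),
        # large but genuine redemption: static threshold rule will flag it
        Redemption("e6", "acct-F", t0 + 300 * m, 60_000, "fp-frank-desktop", "US", "US", None, "legit"),
    ]


if __name__ == "__main__":
    for mode in (False, True):
        r = evaluate(sample_events(), use_dynamic=mode)
        print("dynamic" if mode else "static ", {k: v for k, v in r.items() if k != "flags"})
```

On this data the static rules alone flag only the two legitimate outliers (false-positive rate 2/3) and miss every takeover, because each fraudulent redemption is small and from the member's home country; the dynamic rules catch all three by correlating the shared device fingerprint and the password-change timing, without adding any false positives of their own.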
Loyalty fraud: What do consumers think?
While our goal is to help clients prevent instances of fraud, the fact is that without the proper tools and protections in place, rewards members are susceptible. Want to know what loyalty rewards program members think about their rewards programs and how they would react to instances of program fraud?