Our loyalty fraud team partnered with Dark Web expert and Director of Security Research Jason B. Lancaster at SpyCloud to take a deeper dive into the Dark Web. As part of our loyalty fraud prevention series, this blog post will discuss the going rate for rewards accounts bought and sold on the Dark Web and specific steps loyalty program managers should take to protect members against loyalty fraud.
Rewards fraud: The going rate for loyalty accounts on the Dark Web
An analysis of the Dark Web Marketplace, the series of thousands of sites hosted within the Dark Web to buy and sell goods, reveals that fraudsters are buying and selling everything from stolen gift cards and merchandise to loyalty account information.
As you’d expect, the price of loyalty account login credentials varies based on the amount of points and miles the account owner has accrued. What might be surprising, however, is that credit card loyalty accounts, which carry the highest price tag, are listed for purchase for as much as $65,000. Here is a sampling of actual Dark Web listings that indicate the typical price range for various types of loyalty accounts.
- Airline loyalty accounts: $3.20-$208
- Hotel loyalty accounts: $1.50-$45
- Credit card loyalty accounts: $51.52-$62,000
- Retail loyalty accounts: $2.17-$51.52
The high price tag for credit card loyalty accounts suggests that stealing these login credentials may be giving fraudsters access to credit card and bank accounts and other banking data. This means that fraudsters can commit both loyalty and credit card fraud with a single set of credentials. Further, credit card loyalty program redemption catalogs typically have a wider breadth of offerings, making this a very appealing target for fraudsters.
Companies impacted by fraud incur costs to identify and replace stolen points and miles, as well as the even more costly possibility of losing customers. (Check out our loyalty fraud calculator to estimate this dollar amount for your organization.)
Loyalty fraud on the Dark Web: What loyalty program managers need to know
The No. 1 thing program managers can do to reduce the impact of fraudulent rewards activity on the Dark Web is to do their best to monitor customers’ accounts and actively protect their own organization’s user base by ensuring their account environment is secure. Beyond that, accounts are most secure when organizations and their members work in concert to prevent and identify fraudulent activity. Below are three steps loyalty program managers should take to help prevent members from falling victim to loyalty rewards fraud.
- Educate members. While you don’t want to unduly alarm your loyalty members into thinking their accounts are unsafe, it’s important to ensure they understand the risks and are educated about the importance of loyalty account security. Share best practices for preventing loyalty account takeovers such as not reusing passwords, employing strong passwords (consider using a password-generator tool), and being cautious about where and with whom they share personal information. Encourage your members to keep track of the points and miles in their loyalty accounts as they would the currency in their bank accounts, as both currencies are valuable on the Dark Web. Brands can make this easier for customers by providing rewards account balances to them on a regular basis through communications channels such as monthly emails or texts.
- Familiarize yourself with loyalty fraud red flags. Loyalty program managers should monitor customers’ accounts for suspicious activity that may be indicative of a breach or attempted breach. A major red flag is any type of strange activity within a customer’s loyalty account. This includes account logins from IP addresses that are miles apart within a short time frame, and anomalies between a valid customer and a fraudster, such as multiple concurrent redemptions with different names, email addresses or shipping locations for merchandise and gift cards.
- Keep security up to date. While it may seem like a routine practice, all too often, organizations forget about the importance of keeping security measures up to date. Make database software and web application security a primary focus and regularly check that everything is updated and working properly.
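The two red flags described above (logins from IP addresses far apart within a short time frame, and concurrent redemptions to different names, email addresses or shipping locations) can be expressed as detection logic over login and redemption events. This is an added example, not code from the original post; the event field names, the pre-resolved `geo` coordinates for each IP address, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900            # assumed threshold: about airliner cruise speed
REDEEM_WINDOW = 15 * 60  # assumed meaning of "concurrent", in seconds

def km_between(a, b):  # haversine great-circle distance in km between (lat, lon) pairs
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def by_account(events):  # group events per account, oldest first
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        groups[e["account"]].append(e)
    return groups

def impossible_travel(logins):
    """Flag consecutive logins whose implied travel speed exceeds MAX_KMH."""
    alerts = []
    for acct, evs in by_account(logins).items():
        for prev, cur in zip(evs, evs[1:]):
            hours = max(cur["ts"] - prev["ts"], 1) / 3600
            dist = km_between(prev["geo"], cur["geo"])
            if dist > 50 and dist / hours > MAX_KMH:  # under 50 km is geo-IP noise
                alerts.append((acct, prev["ip"], cur["ip"], round(dist)))
    return alerts

def split_redemptions(redemptions):
    """Flag accounts redeeming to more than one recipient within REDEEM_WINDOW."""
    flagged = set()
    for acct, rs in by_account(redemptions).items():
        for i, first in enumerate(rs):
            recipients = {(r["name"], r["email"], r["ship_to"]) for r in rs[i:]
                          if r["ts"] - first["ts"] <= REDEEM_WINDOW}
            if len(recipients) > 1:
                flagged.add(acct)
    return sorted(flagged)

T0 = 1704445200  # constructed sample data from here on (epoch seconds, minute offsets)
LOGINS = [dict(account=a, ts=T0 + 60 * m, ip=ip, geo=g) for a, m, ip, g in [
    ("M1001", 0, "203.0.113.10", (30.27, -97.74)),
    ("M1001", 20, "198.51.100.7", (1.35, 103.82)),
    ("M2002", 0, "203.0.113.44", (30.27, -97.74)),
    ("M2002", 240, "192.0.2.9", (32.78, -96.80))]]
REDEMPTIONS = [dict(account=a, ts=T0 + 60 * m, name=n, email=e, ship_to=s) for a, m, n, e, s in [
    ("M1001", 25, "A. Member", "a@example.com", "Austin TX"),
    ("M1001", 27, "X. Other", "x@example.net", "Elsewhere")]]
if __name__ == "__main__":
    print(impossible_travel(LOGINS), split_redemptions(REDEMPTIONS))
```

In the sample, account M1001 is flagged by both checks, while M2002's two logins four hours apart in nearby cities are not.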
Monitor loyalty member accounts vigilantly
Because loyalty fraud carries such a high price tag, it’s imperative that loyalty program managers understand the ins and outs of loyalty fraud and best practices to protect their most valuable asset – loyal customers.
Loyalty account takeovers typically do not occur in bulk, but rather on an individual basis. That can make it especially difficult for program managers to effectively track logins and monitor for fraudulent activity. On top of that, without the proper fraud detection measures in place, a single account takeover may not raise as many red flags as a breach of an entire organization (which can also occur).
It’s nearly impossible for a program manager and his or her team to keep an eye on all individual member accounts, especially for organizations with tens to hundreds of thousands of active rewards members. Because most loyalty fraud occurs at the individual account level, it’s hard to say how common an instance of loyalty program fraud truly is. What we do know, however, is that 72 percent of loyalty program managers say they have experienced an instance of loyalty program fraud firsthand.
Be proactive and protect your customers to be sure your loyalty program doesn’t become the next victim of loyalty fraud.
Watching individual loyalty accounts isn’t always feasible from a time or resource standpoint, so many organizations choose to outsource this type of fraud-monitoring service. For loyalty program managers looking to better understand the loyalty fraud landscape and tools to protect members, download our latest whitepaper: Loyalty Fraud: A case for protecting your most loyal customers.
This post is the third in our in-depth Dark Web series. If you missed our previous posts, start by learning what the Dark Web is and how fraudsters access it, then read up on the Dark Web Marketplace, how fraudsters are selling points and miles and what happens to member data after a breach has occurred.