Cornerstone February 2024 Issue #49

Homeland Security Investigations Cornerstone


200 Plus HSI Special Agents

Designated HSI Cornerstone representatives across all HSI field offices.


Did You Know?

National Lead Development Center

HSI expanded the role of its National Lead Development Center (NLDC) to serve as a point of contact where law enforcement agencies and private sector companies targeted by Organized Retail Crime (ORC) can report information, and to conduct analysis and deconfliction and refer leads to HSI field offices. HSI developed a mechanism to ingest and analyze ORC-related data received from retail trade organizations, and it further coordinates with foreign partners to support domestic cases abroad. The NLDC is currently engaging with retail organizations such as the NRF, RILA, and the Loss Prevention Foundation (LPF).

The HSI NLDC has been instrumental in coordinating HSI investigations involving OTGs.  To report criminal activity related to OTGs, please contact the NLDC at OTGcasesupportNLDC@hsi.dhs.gov.



BE ON THE LOOKOUT FOR ISSUE #50

March 2024

Money Laundering Typologies 


CASE SPOTLIGHT

In 2020, an investigation out of our HSI Dallas office identified a multi-level Nigerian fraud scheme targeting the Cash Rewards from a business credit card offered by a major national bank. The fraud scheme successfully created fake rewards for purchases that were not made using the business credit card. The fraudster then cashed the rewards, totaling $660K, and subsequently transferred the reward payouts to an account at another national bank. A member of the Nigerian transnational organized crime ring operating in the United States would then disperse the funds in various forms as directed by the organization.



Want to schedule a Cornerstone presentation?

Email Cornerstone@hsi.dhs.gov for more information.

HSI special agents are available to provide training and share red flag indicators, criminal typologies, and methods with businesses and industries that manage the very systems that terrorists and criminal organizations seek to exploit.



Loyalty Program Fraud

Loyalty programs are marketing strategies businesses use to incentivize their customers to be loyal to their company by offering rewards, often in the form of redeemable points. It's a thriving system, with loyalty members in the United States holding a staggering $140 billion in unused benefits. However, despite how beneficial these programs can be, they have become targets of Loyalty Point Program Fraud. Bad actors use various methods to acquire and exploit points they haven't rightfully earned. The scope of this potential fraud is very high, with the Loyalty Security Association revealing that about $3.1 billion in points are fraudulently redeemed, costing businesses approximately $1 billion every year. According to Statistica, 27% of all online fraud cases were related to Loyalty Programs, and from 2020 to 2021 loyalty fraud increased by 80%. In this issue, we’ll explore the red flags that signal potential fraud, as well as recommendations to prevent Loyalty Point Program Fraud.


Types of Fraud

External Fraud: Bad actors use a variety of methods to gain access to customer data and their associated accounts. Through social engineering, phishing, or hacking into company data through a breach, these perpetrators seize the personal information of customers. With this data, they can create fake accounts, take over existing ones, and make unauthorized transactions. This allows them to redeem or sell points, and even sell customer data on the dark web.

Legitimate Member Fraud: This category involves legitimate members intentionally violating loyalty program policies. These individuals may engage in fraudulent behaviors such as making large point-earning purchases only to cancel them, selling their points, fraudulently reporting product issues, and returning items for points. Some may even share their accounts with friends and family, accumulating points, and giving non-members access to their accounts.

Fraudulent Programs: Fake loyalty programs are a type of phishing scheme. They lure customers through emails, social media messages, phone calls, or texts promoting a rewards program from familiar companies. Following the links in these messages leads customers to a convincing website where they disclose sensitive information, providing bad actors with everything they need to create fake accounts or take over existing ones.

Internal Fraud: In cases of internal fraud, employees within the company commit the crime. This may involve crediting points to their personal accounts or those of their friends and family, redeeming points from non-member customers, or adding points to customer accounts that don’t exist.


Preventative Measures

These recommendations are intended for both customers and businesses hosting rewards programs:

➢     Encourage regular password updates every 6 months and mandate the use of strong, complex passwords.

➢     Automate account deletion for inactive accounts.

➢     Enhance security with multi-factor authentication services for logins (verifying email or phone numbers).

➢     Use Payment Protection and Breach Detection Services for transaction security.

➢     Set up workflows to alert the company of customer information changes.

➢     Introduce a minimum purchase requirement for rewards membership initiation.

➢     Limit loyalty program staff access to minimize abuse risks.

➢     Remind customers not to share sensitive information via email or text.

➢     Establish a legitimate customer service line and a phishing reporting channel.

➢     Reinforce that breaking policy constitutes fraud and consider banning individuals who have continuously committed fraud. Some customers do not understand their actions constitute fraud.


Red Flag Indicators

The estimated value of unused loyalty rewards in the United States is $140 billion, with roughly half considered inactive and thereby vulnerable to theft. Around 57% of members don’t know their point balances, nor do they check them. Given this astonishing number and the rise of loyalty reward fraud, watching out for red flags is crucial. It is now more important than ever to protect yourself, your customers, and your businesses from this growing threat. Here are some red flags to watch out for:

  • Data Breaches: A breach can mean that bad actors have gained access to customers’ personal information and might try to use it for various fraudulent purposes.
  • Unusual Website Traffic: The site might be suddenly overloaded or barren.
  • Login Difficulty: Administrators struggling to log into the back end of programs.
  • Multiple accounts associated with the same individual.
  • Unusual Account Activity: Frequent changes in account details, login locations, or device types.
  • Rapid Point Accumulation: Abnormally high point balances, especially for employees.
  • Unrecognized Transactions: Customers reporting unauthorized transactions or point redemption.
  • Frequent Cancellations: Regular and immediate cancellations of point-earning purchases.
  • Abnormal Point Transfers: Unexplained transfers or sharing of points among accounts, or even frequent requests for point transfers.
  • Unsolicited Messages: Receipt of unwarranted emails, messages, or calls promoting loyalty programs.
  • Mismatched Branding: Discrepancies in the appearance of the loyalty program compared to the legitimate company's branding.
  • Request for Sensitive Information: Any request for personal or financial information through email, text, or social media.
  • Unexplained Point Adjustments: Points being credited or redeemed without corresponding customer transactions.
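
Two of the red flags above (Frequent Cancellations and Unexplained Point Adjustments) can be checked by reconciling the loyalty ledger against the sales system. The following is an added example, not part of the HSI newsletter; the ledger layout, event names, order ids and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CANCEL_WINDOW = timedelta(hours=24)  # assumed meaning of "immediate" cancellation
CANCEL_LIMIT = 3                     # assumed number of quick cancels before flagging

# Constructed order ids known to the sales system.
ORDERS = {"ORD-1", "ORD-2", "ORD-3", "ORD-4", "ORD-9"}

# Constructed loyalty ledger: (time, account, event, points, order_id)
LEDGER = [
    ("2024-02-01T10:00", "A100", "earn", 500, "ORD-1"),
    ("2024-02-01T10:20", "A100", "cancel", 0, "ORD-1"),
    ("2024-02-02T09:00", "A100", "earn", 700, "ORD-2"),
    ("2024-02-02T09:05", "A100", "cancel", 0, "ORD-2"),
    ("2024-02-03T15:00", "A100", "earn", 650, "ORD-3"),
    ("2024-02-03T16:30", "A100", "cancel", 0, "ORD-3"),
    ("2024-02-04T11:00", "B200", "earn", 120, "ORD-4"),
    ("2024-02-05T11:00", "B200", "redeem", -100, "ORD-9"),
    ("2024-02-05T23:40", "C300", "credit", 9000, None),
    ("2024-02-06T08:00", "C300", "redeem", -9000, "ORD-77"),
]

def red_flags(ledger, orders):
    """Return {account: set of red-flag names} for the given ledger."""
    flags = defaultdict(set)
    earned_at = {}                    # order_id -> time the points were earned
    quick_cancels = defaultdict(int)  # account -> cancellations inside the window
    for ts, account, event, points, order_id in sorted(ledger, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event in ("earn", "credit", "redeem") and order_id not in orders:
            # Points were credited or redeemed with no matching customer transaction.
            flags[account].add("unexplained_point_adjustment")
        if event == "earn":
            earned_at[order_id] = when
        elif event == "cancel" and order_id in earned_at:
            if when - earned_at[order_id] <= CANCEL_WINDOW:
                quick_cancels[account] += 1
            if quick_cancels[account] >= CANCEL_LIMIT:
                flags[account].add("frequent_cancellations")
    return dict(flags)

if __name__ == "__main__":
    for account, found in sorted(red_flags(LEDGER, ORDERS).items()):
        print(account, sorted(found))
```

Account B200 produces no flags because every point movement maps to a known order; C300 is flagged because neither its credit nor its redemption does.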

HSI encourages the public to report suspicious activity through its toll-free Tip Line at 1-866-347-2423 or by completing an online Tip Form available at https://www.ice.gov/webform/ice-tip-form.

For areas outside the United States and Canada, callers should dial 802-872-6199. Hearing-impaired users may call TTY 802-872-6196.