LOYALTY FRAUD – POTENTIAL FOR ABUSE MAKES PROGRAMS VULNERABLE
The loyalty business is booming and with it the size of the prize for fraudsters. In 2012, the estimated value of unredeemed points in U.S. loyalty programs was $48 billion. More recent estimates of loyalty program liability have skyrocketed to $225 – $350 billion, making programs an ever more tempting target.
Loyalty fraud occurs when a reward program, run by a business to encourage brand loyalty, is abused or manipulated for unfair gain. The targets are the miles or points to apply toward free flights, upgrades, free hotel stays, digital gift cards and any high-value merchandise that can be easily used or re-sold for personal enrichment.
HIGH PROFILE LOYALTY FRAUD CASES
As loyalty fraud has grown in recent years, so have the number of high-profile fraud cases. The scale of the incidents ranges from an individual member gaming program rules, to hackers guilty of identity theft. The reward abuse can range from a free beverage to a free round-the-world airline trip in first class. Larger losses include those where an entire member database is hacked or an insider is involved. As you can guess, the cost of any fraud losses will vary based on the specifics of each incident, including factors such as fraud type, type of industry and the number of accounts impacted.
Below are a few of the public fraud and program gaming incidents that demonstrate the variety of potential threats:
- $54 Starbucks monster Frappuccino drink including 60 espresso shots plus all sorts of other drink additions (e.g., protein powder, syrups, drizzles, etc.). The Terms and Conditions at the time were not explicit on the type of drink that could be redeemed for a free reward. Savvy members exploited this vulnerability to game the system by ordering massive drinks with every addition imaginable; in fact, it became a social media competition to see who could redeem the most outrageous drink. Following several instances, Starbucks added language to clarify that “some restrictions apply – standard Starbucks menu sizes only.”
- $440 in Kohl’s Cash issued on gift cards was fraudulently earned and redeemed by hacking into customer accounts. As is the case these days, customers can store their credit cards with an online retailer for easy checkout. Once an account was hacked, the criminal would order expensive, large items to be sent to the address of the card on file. The items ordered were intentionally bulky to prevent quick returns. Following these steps, the hacker redeemed the accrued points for Kohl’s Cash rewards.
- $13K cash-equivalent rewards cashed in by an IT employee who had rigged an account with points amounting to $10 million in purchases made by authentic customers not claiming their points.
- Hyatt informed 200 of their 18 million members in the Gold Passport program that their accounts had been hacked.
- IHG customers report over 100K points stolen from their account. One member reported that the fraudster spent the points on a luxury stay in Beijing. IHG did reimburse points to the members and set up special procedures to require members to confirm reward bookings made in specific cities.
- 2 million Airline Miles (valued at $25K) earned by buying 12,000 pudding cups as part of a promotion. The frozen food company Healthy Choice offered consumers the chance to earn 1,000 airline miles for every 10 product barcodes submitted, but failed to restrict serving size. The consumer purchased $0.25 individual-sized pudding cups and attained $25K worth of airline miles. The promotion offered an extremely out of balance value exchange between product purchase and reward amount resulting in the merchant giving away greater value than they had intended.
- As a side note, the entrepreneurial civil engineer enlisted his wife and young children in collecting the product bar codes, as well as a good humored Salvation Army representative. He spent $2.5K and collected 1.2 million miles while collecting a tax-write off for the donation to the Salvation Army. Now famously known as the Pudding Guy, he has his own Wikipedia page and YouTube video proudly explaining his exploit.
- $60K first class suite for a round the world trip on Emirates issued to a travel blogger who knew how to convert his Alaska Airlines miles for one long trip with multiple layovers. As a travel insider, he knew the loopholes and played them. He paid $300 in taxes for the trip. The blogger’s trip spanned 11 cities, 7 countries, and 5 continents. The gamer flew from New York to Melbourne – via Milan, Dubai, Sydney, Auckland and Singapore.
- American Airlines and United Airlines reported that their loyalty programs were hacked in December 2014, wherein over 10K frequent flyer miles were stolen.
- Accounts Hacked: Circa 10,000 accounts hacked into at American Airlines and around 36 accounts hacked into at United Airlines
- $260K in frequent flyer miles stolen through hacked accounts of both United and American Airlines. These miles were used by an alleged criminal to book rental cars and international flights – some of which were ultimately flagged as fraudulent.
- Criminal case results: The perpetrator was charged with 25 felony counts involving multiple 1st, 2nd and 3rd degree felonies. He settled with a plea deal in which he was jailed for three years and on probation for four years. Plus he was order to pay restitution of $18.5K. It is also likely he will be deported to his home country of Iran after serving his sentence.
TYPES OF LOYALTY FRAUD
From the examples shared above, you can see that loyalty program fraud comes in all shapes and sizes. Loyalty fraud is categorized into one of three main groupings:
- Gaming of the loyalty program terms and conditions by a loyalty member, sometimes called “friendly fraud”. These loyalty members are opportunists who exploit loopholes in program terms and conditions for personal advantage (Starbucks, Healthy Choice and Emirates).
- External Fraud which includes account take-over through stolen identities, selling retailer and travel points online at a reduced rate and other means. This type of fraud is always seeking the weakest link to quick cash and does often involve organized crime (American Airlines, United Airlines, IHG, Kohl’s Cash).
- Internal Fraud where an employee is involved and may accrue unclaimed loyalty points or capture value through other means (IT employee).
Loyalty fraud loss can be a costly event for your business. With this in mind, it makes good business sense to put in place fraud prevention best practices. Following are a few of best practices to consider during program design and management that Kobie Marketing suggests.
LOYALTY FRAUD MANAGEMENT BEST PRACTICES
- Program Design: Careful design of the program mechanics and its terms and conditions.
- Program Rules that anticipate and block potentially fraudulent actions.
- On-going Program Analytics and KPI Dashboard to track and spot early signs of potential fraud.
- Associates: Train employees on spotting possible fraud, manage Associate account permissions carefully and track Associate account actions.
Kobie Marketing offers a multi-pronged loyalty fraud solution which encompasses the full loyalty program lifecycle – program design, program audit of terms and conditions, estimating your potential fraud exposure, and on-going fraud management best practices
Get in touch with your Client Services representative or email us at email@example.com to learn more about how we can help protect your loyalty program.
 2015 COLLOQUY Loyalty Census
 https://www.flyertalk.com/articles/united-american-frequent-flyer-accounts-hacked-miles-stolen-in-cyber-attack.html; https://www.dallasnews.com/business/airlines/2015/01/12/cyberthieves-steal-miles-from-american-united-customers