Is Your Program Ready for Gamers and Fraudsters?

Jul 7, 2020

As chip technology in credit cards has made the purchase experience more secure, the gamers and fraudsters of the world have increasingly turned their sights to loyalty program rewards. Are you ready for these newly energized bad actors? Will machine learning protect your program? While there are automated tools that help, fraudsters succeed by slip-streaming around new barriers, so you need to take a broader enterprise approach.

There are steps that anyone launching a loyalty program needs to be willing to operationalize:

  • Can you recognize your unique customers?
  • Can you coordinate across departments and systems?
  • Are you willing to say no to a customer?
  • Does everyone on your team know when to bend a rule and say yes to a customer?


Recognizing Unique Customers: Knowing your customers is absolutely critical to providing a relevant and differentiated service and protecting their privacy and your profit. To do that, you need to be able to enforce unique identifiers at all touchpoints where a customer can interact with you. Specifically, you should be able to enforce one unique email or phone number per individual member.

If you can’t, it is an open invitation for resellers or employees to game the system by opening multiple accounts with the same email or phone number. A reseller can consolidate the accounts later to pool points for a reward. Or another bad actor could take over multiple accounts and send the rewards from all of those to their own personal email. Or an employee could be earning points on all the transactions where the customer was not a member of the program. Even with safeguards that shut down accounts with too many transactions per day, all these gamers need are multiple accounts that can each earn the maximum allowed per day.

In companies working to coordinate multiple legacy systems, enforcing one unique email or one unique phone number can be ridiculously difficult and expensive. The potential losses due to program gaming and account takeover should be considered in the business case enforcing unique identifiers.


Coordinating Across Departments: Many fraud prevention efforts are built as if detecting suspicious activity was like detecting the motion of a bug on your floor. However, fraudsters often behave more like bugs behind the walls, moving unseen between rooms, creating an infestation by exploiting gaps between departments and technology platforms. Loyalty platforms are usually only one part of a larger technology ecosystem. In practical terms, this means that handoffs in the customer experience are primary points of risk. Delays in communications between systems also create opportunities for abuse. For example, one retailer had fully integrated their coupon system with the loyalty platform which ensured that rewards could be used only once. However, the link between the coupon system and the e-commerce engine updated only once every hour. A fraudster could (and did) complete 40 online purchases using the same reward before the system refreshed and marked the certificate as used.


Being Willing to Say No: The saying “The Customer Is Always Right” is a lovely sentiment, but it can create a button for fraudsters to push. They know that customer service representatives are hired and rewarded for being friendly and helpful. The trick is for the rep to know when their willingness to help can put them at risk. This is especially true when the fraudster exploits one rep’s willingness to help and then exploits gaps between departments.

There was one company that thought they would be protected because they required four identification elements for redeeming a reward. However, that broke down when a “customer” called the main service call center with three out of the four pieces, and the representative essentially volunteered the last piece since it involved knowing the amount and location of a previous transaction, which is something a legitimate customer could forget. No alarm bells went off because the customer was not redeeming a reward on that transaction. But this “customer” succeeded in reaching the loyalty call center to redeem the reward because they had all four pieces of information required – three acquired from the dark web and the last provided by a helpful call center agent in a different call center.


Knowing When to Say Yes: Oddly enough, knowing when to say yes and bend a rule is just as important as knowing when to say no and enforce a rule. Knowing when to say yes is often surprisingly difficult because the very employees who are the best at enforcing the rules may not fully understand what the rules were designed to protect. Not knowing the rationale behind the rules can create major disservice situations.

Our favorite example is the Cello Use Case. Concert-level cellists need to buy a separate full fare airline seat for their cello. One Delta Airlines SkyMiles auditor found that for over ten years, world-renowned cellist Lynn Harrell had been earning miles for the extra first-class seat he buys for his cello. The cello had its own account with the name Cello Harrell. This was a violation of Delta’s published rules, which state that only a person may be a member, so one auditor shut down both accounts. This hit social media and the national news cycle with a vengeance – suffice it to say that Delta did not come off in a good light. Other Delta employees over the prior decade made the judgment that Delta was making a fair profit when one person regularly paid for two first-class seats. They recognized the spirit of the rule which is to use the loyalty program to build the loyalty of profitable frequent flyers, especially ones willing to pay for full-fare first-class tickets on a regular basis. The last auditor saw only that the rule of personhood had been violated. Overall, the goal is to ensure that your team recognizes the difference between the spirit and the letter of your program rules.


In Conclusion: There are many examples where marketing objectives to reduce friction in the customer experience can open up new opportunities for fraudulent behaviors, especially when there are handoffs across channels, systems or associates. Companies need to take a strategic enterprise approach to be ready for gamers and fraudsters. The trick is to identify the right context for saying no to protect customer privacy, but also the right time to say yes to nurture your customer’s ongoing relationship with your brand.