
Fighting loyalty fraud: Essential strategies for the travel industry

By: Steve Francis, Tim Manoles, Charles Rogers and Sheridan Stavac

Published: September 16, 2024 | Updated: October 10, 2024


A growing pool of points and airline miles currency, combined with a perceived lack of strong security and controls, makes loyalty programs an attractive target for hackers and cyber criminals.

For many airlines, loyalty fraud is a multi-million-dollar challenge that’s on the rise. According to the Global Fraud Trends 2024 report from London-based fraud prevention and payments optimization company Ravelin, fraud increased for 75.7% of travel-sector merchants in the past year.

But lost revenue is just the beginning — whether it’s a hotel or airline loyalty program, dissatisfied customers, reputational damage and regulatory scrutiny are other unwanted repercussions.

 

What is loyalty fraud and why should it be a priority?

Loyalty fraud occurs when a loyalty program is exploited and value is extracted fraudulently. It could be a bad actor wiping points from an account or someone within the loyalty ecosystem taking advantage of loopholes to acquire welcome bonus offers, then pooling them with other accounts’ points for a richer redemption. Whatever the form, loyalty fraud has long been a problem for the travel industry.

The financial implications of this complex issue are real, and so is the risk of reputational damage when customers fall victim to fraud. Beyond the significant financial losses, loyalty fraud can damage trust and harm a brand’s valuable relationship with its most loyal customers.

How can the travel industry grow loyalty while preventing fraud? Let’s start by surveying the current landscape of loyalty fraud.

 


 

What are the most common types of loyalty fraud?

Loyalty fraud can take various forms, exploiting several common areas of vulnerability.

Account takeover – Account takeover happens when a fraudster gains access to an account that isn’t theirs, often by using stolen or leaked data from genuine consumer accounts.

Fake accounts – Fraudsters create fake accounts to accumulate points. Fraudsters might exploit promotional offers, manipulate referral programs or set up multiple accounts and then combine them.

Retro claim or impersonation – A third party makes multiple claims on the same account for points, or individuals with the same name (e.g., father and son) attempt to combine accrual.

Alliance partners – A fraudster redeems a benefit through another organization that is part of an alliance or exploits weaknesses in integrated systems.

Agency pooling/mileage resale – Travel agencies/individuals harvest member accounts with or without the travelers' knowledge and then resell mileage redemption tickets.

First-party fraud – Similar to the “fake accounts” type of fraud, in this case, real customers are ‘gaming’ points redemption by using points and then falsely claiming fraud after benefitting from them to get their points reinstated.

Program and status gaming – In some cases, fraudsters generate unearned status for club lounge access and other benefits and sell it. Those who purchase the unearned status can later merge the new account with their existing one.

 

Why is the travel industry a target for loyalty fraud?

From pooling to new partners, travel programs have developed many features that enhance the program experience for members. Unfortunately, some of those features also increase the risk for fraud.

In particular, the airline industry is targeted because loyalty points have a higher perceived value than points in other industries, such as grocery. Airline loyalty points can represent a flight that costs $1,000, $2,000, $5,000 or even more, which makes them an attractive target for fraudsters.

 


 

A real and immediate challenge

While loyalty fraud isn’t new, it’s becoming a pressing issue for airlines and hotels for these reasons:

1. Loyalty programs have expanded to include more partnerships. When large groups of airlines or hotels share loyalty information, fraudsters can take advantage of non-integrated systems to fraudulently accrue and redeem points. Especially in the airline industry, accrual and redemption rules vary across the programs through which members can earn and redeem with a given airline, so fraudsters can choose which program to attack for each purpose.

2. As brands offer more attractive rewards and flexibility in program rules to retain customers, the incentive for fraudsters to target these programs grows. Features that appeal to customers – such as allowing a third-party friend or family member to redeem points – can make the program more vulnerable to fraud and add complexity to monitoring efforts.

3. The digital nature of loyalty transactions creates greater risk. Because loyalty is digital, transactions move at a higher speed than in-person transactions. While it may not be possible to stop fraud in every case, the key is to identify the potentially fraudulent scenarios and slow down the process.

4. Moving from batch systems to real-time transactions allows people to quickly commit fraud. This is especially true on the accrual side, where having a batch process can slow down the activity, allow a program to view and investigate the transactions before processing them and prevent multiple fast actions that lead to fraud. In real time, a user can do multiple fraudulent accrual and/or redemption transactions very quickly.

5. People don’t check their loyalty accounts as often as they check bank accounts. As a result, they may not notice fraud right away. What's more, security around some loyalty programs may not be as comprehensive as security around bank accounts (even though points function similarly to currency), making them a lucrative target for fraud.

 

Building a comprehensive approach to loyalty fraud

Loyalty fraud prevention is not a one-time technology fix. It’s a continuous effort that requires three elements:

  • Program design  
  • People and process
  • Technology

 

Program design

One of the first steps to approaching loyalty fraud is to conduct a vulnerability assessment of the loyalty program design and structure.

The assessment’s purpose is to:

  • Identify the potential risks and use cases of fraud 
  • Understand the exploitable rules in each program  
  • Analyze the data to examine transaction patterns 
  • Estimate the size and scope of the problem

A secure and reliable platform is required to manage the loyalty program and its features. But beyond the platform, the rules and operations in place that govern the program are essential, such as terms and conditions, the process of how you choose to issue points, the methods by which you allow people to redeem and when you allow a redemption to go through.

An overly stringent approach to security can also lead to poor customer experience, so security measures need to be balanced with an acceptable level of risk. The goal of a successful fraud mitigation strategy is to detect and prevent fraud at the account level and balance that with an excellent customer experience. This includes how to do investigations and resolve issues with the member, such as through issuing goodwill points.

 

People and process

Fraud is an issue that touches multiple teams across an organization. A holistic and dedicated approach to preventing fraud requires a cross-functional risk team that includes representatives from legal, customer service, loyalty marketing, loyalty operations and more.


That team should meet regularly to:

  • Categorize fraud based on current cases
  • Determine the size of these fraud incidents
  • Identify common patterns, markets, or parties
  • Propose the mitigation strategy
  • Set a precedent for future instances

To manage loyalty fraud, organizations need well-defined processes for dealing with fraudulent situations, both internally and externally with partners. This includes processes for conducting investigations and resolving issues.

 

Technology

To prevent loyalty fraud, airlines and hotels need to implement technology solutions that can:

  • Verify the identity of customers
  • Monitor the activity of loyalty accounts
  • Detect and prevent fraudulent behavior

Brands can build trust by creating an identity graph and network for each customer, done carefully in accordance with consumer consent and all applicable privacy and data protection laws. For example, a brand may take into consideration the digital footprints of consumers, how their data elements interact with other platforms and companies, how their data elements are combined and the speed at which they’re being used. Once created, an identity graph and network can help a brand validate the data elements a consumer – or bad actor – uses and create risk signals and insights.

Solutions can focus on detecting fraud at the account level by analyzing individual transactions and behaviors. This helps flag suspicious activities while maintaining a balance between security and user experience. Fraud detection solutions can provide real-time alerts and responses that allow the airline to block certain redemptions of loyalty points, request additional verification or notify customers to prevent fraud from occurring or escalating.


Identity verification keeps it personal

Airlines need to validate that the customer is who they claim to be. First, they must verify that the customer has earned the points legitimately, and second, that the customer is legitimately redeeming those points. If the airline does not have enough information about the customer when they first signed up for the program, it may not be able to authenticate them later when they want to redeem their points.

Customer-permissioned identity elements can include name, address, phone number, email address and IP address. Identity verification will verify those linkages and use various data sources, such as device identity, behavior analysis and global security insights, to authenticate customers. This reduces the risk of identity theft and account takeovers. These elements help create a frictionless customer experience by minimizing the need for manual verification or additional authentication steps.

A quality identity verification process has the following features:

  • Controls and authentication: Preventing fraud involves implementing controls such as two-factor authentication, biometrics and other security measures.
  • Customized fraud tools: Identity solutions are not one-size-fits-all. They are customized based on the client's specific needs and the nature of their loyalty programs.
  • Continuous improvement: Identity verification solutions are best when continuously updated and improved based on feedback from customers. They also must stay one step ahead of the evolving nature of fraud to remain effective in addressing new and emerging threats.

Device authentication plays a role

Another aspect of customer identity is the device customers use to access the rewards program. With device authentication technology in place, airlines can track whether the same device is logging in with different user credentials, a potential indication of fraud. Airlines can also verify whether the device is in the same country or region as the customer, or if it has a history of suspicious activity.

Behavioral biometrics, which are defined as the analysis of how users behave and interact online, are an essential tool in a situation in which a device is stolen or cloned, making the fraudster the user. Behavioral biometrics can detect the difference between the legitimate consumer and the fraudster, through typing cadence, movements and locations.

Airlines can even monitor the type of redemption that the customer is requesting. This level of specificity is useful because some rewards, such as charitable donations, can be used to launder money or convert points to cash. These are high-risk transactions that require more scrutiny. Ultimately, by authenticating the device, airlines can reduce the chances of fraud and protect their customers and their brand reputation.
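The device and redemption signals described in this section, sketched as rule-based scoring over a handful of constructed events. This is an added example, not Mastercard's or any vendor's detection logic; the field names, the per-device threshold, the reward labels and the flagged-device list are all assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real data).
EVENTS = [
    {"device": "dev-A", "member": "M100", "country": "US", "action": "login"},
    {"device": "dev-A", "member": "M100", "country": "US", "action": "redeem", "reward": "flight"},
    {"device": "dev-B", "member": "M200", "country": "BR", "action": "login"},
    {"device": "dev-B", "member": "M201", "country": "BR", "action": "login"},
    {"device": "dev-B", "member": "M202", "country": "BR", "action": "redeem", "reward": "charity_donation"},
    {"device": "dev-C", "member": "M300", "country": "FR", "action": "redeem", "reward": "gift_card"},
]
HOME_COUNTRY = {"M100": "US", "M200": "BR", "M201": "DE", "M202": "GB", "M300": "FR"}
FLAGGED_DEVICES = {"dev-C"}               # assumed list of devices with suspicious history
HIGH_RISK_REWARDS = {"charity_donation"}  # assumed label for the donation rewards named above
MAX_MEMBERS_PER_DEVICE = 2                # assumed threshold; a shared family device is normal

def score_events(events):
    """Return {event_index: [reasons]} for events that warrant extra scrutiny."""
    members_seen = defaultdict(set)
    findings = {}
    for i, ev in enumerate(events):
        reasons = []
        members_seen[ev["device"]].add(ev["member"])
        # Same device logging in with many different member credentials.
        if len(members_seen[ev["device"]]) > MAX_MEMBERS_PER_DEVICE:
            reasons.append("device_shared_across_accounts")
        # Device is not in the member's usual country (unknown members also flag).
        if HOME_COUNTRY.get(ev["member"]) != ev["country"]:
            reasons.append("device_country_mismatch")
        if ev["device"] in FLAGGED_DEVICES:
            reasons.append("device_prior_suspicious_activity")
        # Redemption types that can convert points to cash get more scrutiny.
        if ev["action"] == "redeem" and ev.get("reward") in HIGH_RISK_REWARDS:
            reasons.append("high_risk_redemption_type")
        if reasons:
            findings[i] = reasons
    return findings

def decide(reasons):
    """Map signals to a response: allow, step-up verification, or hold for review."""
    if "high_risk_redemption_type" in reasons and len(reasons) > 1:
        return "hold_for_review"
    return "step_up_verification" if reasons else "allow"

if __name__ == "__main__":
    for idx, why in score_events(EVENTS).items():
        print(idx, EVENTS[idx]["member"], decide(why), why)
```

Only the high-risk redemption that coincides with another signal is held; single signals trigger step-up verification, which keeps friction low for ordinary members.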

 

Conclusion

By implementing these program design, people, process and technology solutions, the travel industry can protect loyalty programs from fraud and ensure the security and satisfaction of their customers. These solutions help brands optimize their loyalty strategies and offerings. In the end, a safe customer is a happy and loyal customer.

Mastercard works with companies in the travel industry to develop loyalty strategies that drive stronger customer relationships. Our loyalty strategic services include program design, diagnostic services, customer journey mapping, along with loyalty program offerings and loyalty fraud solutions. To learn more, request a consultation.

Report contributors:

Andrew Altsman, Jennifer Boshart, Chris Danese, Sarah Ogren, Joyce Seok, Faiza Shahab, Russell Shaul
 
