Authored by Phil Muncaster, guest writer at ESET
Loyalty accounts are big business, and hackers and fraudsters are increasingly zeroing in on a potential goldmine. According to one study, the global market for loyalty management is set to grow at an annual growth rate of 12.3% over the coming seven years to reach nearly US$18 billion by 2028. And where there’s money and users, cybercrime inevitably follows.
From British beauty and health retailer Boots, Australia’s supermarket chain Woolworths, to multinational brands like Tesco and Dunkin Donuts, attacks on loyalty card programs are increasingly common. Social media is awash with stories from angry victims who have had their accounts drained.
In fact, there’s an estimated US$48 trillion of unspent loyalty points globally, so it’s no surprise these programs have become an increasingly popular target for cybercriminals over the years, with the COVID-19 pandemic further exacerbating the threat. If you’re a loyal spender, you should take extra precautions to protect your rewards accounts. It’s not just the points you’ll be guarding – the same applies to any sensitive personal information stored with them.
Oracle claims that around three-quarters (72%) of US millennials are either members of their favorite brand’s loyalty program or would join one. Such programs are a popular way to build closer ties with customers online at a time when loyalty is hard won but easily lost. They typically offer discounts and special deals, or even free goods, services and experiences for members who accrue enough points.
These could include:
In return, the companies in question get highly valuable data to track customer purchasing and browsing behavior – with which they then improve their marketing and promotional efforts.
There are essentially three potential vectors for loyalty card cyberthreats. On the one hand, brands could be defrauded by legitimate customers who try to game the system by, for example, opening multiple accounts. Another possible risk is of malicious employees at the firm who steal customer personally identifiable information (PII) and points. However, the biggest threat is from external attackers hijacking accounts to steal points, make purchases, transfer points and/or steal customer PII to sell on the cybercrime underground.
There’s surprisingly little recent data detailing the scale of such attacks. However, loyalty card fraud increased 89% year-on-year in early 2020, according to one study. The same research estimates that direct and indirect losses from associated fraud reach around US$1 billion per year.
Separately, there were 100 billion credential stuffing attacks detected between July 2018 and July 2020, 63 billion of which were aimed at the retail, travel, and hospitality sectors. Hotel loyalty accounts can be sold on cybercrime forums for as much as US$850. Some entrepreneurial cybercriminals even operate shady ‘travel agencies’ which combine stolen credit cards and airline and hotel loyalty programs.
What can you do to protect your most important online accounts? It boils down to best practices around password management and awareness of phishing threats.
Here are our top seven tips:
Loyalty and reward card schemes are a mainstay of modern marketing and customer engagement strategies. They’re also a well-established money-maker for cybercriminals and fraudsters. Taking a few best-practice steps can help to secure your account against this activity. Also, with trillions of dollars of unspent reward points languishing in these accounts, another good way to keep points out of the bad guys’ hands is to make sure you actually redeem your rewards.
