Are your credit card rewards safe from fraud?


In a Nutshell

You’ve been saving credit card points and miles for a big vacation, but what’s to stop a thief from stealing them from right under your nose? Protect your hard-earned rewards by monitoring your ID and using different passwords for your accounts.

You might know how much money you have in the bank, but how well do you keep track of your credit card rewards?

An estimated $100 billion in loyalty points go unredeemed, according to a 2017 Bond Brand Loyalty report sponsored by Visa. Those points could be used to buy airline tickets, book hotels, or even pay for entertainment and dining, but instead they’re left to expire or languish in neglected accounts.

The problem appears to be rooted in a simple lack of knowledge. According to the Bond report, 57% of loyalty program members don’t know their points balance. So if you’re scratching your head and wondering how many points and miles are in your account … well, at least you’re not alone.

Unfortunately, that’s why loyalty programs may be ripe for the same type of theft normally associated with credit card fraud. You won’t miss points you didn’t know you had in the first place, right?

“There are billions of dollars in points sitting in loyalty programs,” says Barry Kirk, vice president of loyalty at Maritz Motivation Solutions, which helps companies like Southwest and Marriott design their rewards programs. “But the average person wouldn’t know if $100 worth of points went missing from their account.”

As Kirk sees it, consumers need to start taking loyalty theft as seriously as they take credit card fraud and other forms of ID theft, suggesting that criminals may think it’s easier to steal points than to steal from, say, your bank account.

How might criminals steal points and miles?

A 2017 Maritz Motivation Solutions study unearthed a shocking statistic that seems to back up Kirk’s claim: 7% of consumers claim their loyalty points have been stolen.

While most loyalty programs aren’t quick to admit their consumers’ accounts have been compromised, you don’t have to look far to find reports of successful hacks. Accounts with popular airline rewards programs, such as British Airways, Lufthansa and Air India, have allegedly fallen victim to hackers in recent years, as have accounts with hotel brands such as IHG and Hilton Honors.

Beware of credit card fraud

Because many loyalty programs are tied to credit cards, credit card fraud represents one way criminals might try to steal your hard-earned points and miles. They could hack into your account through a data breach, guess your password, or simply grab your purse and run.

Once they have access to your credit card and loyalty program information, they could try to rack up points and miles with fraudulent purchases. Before you notice what’s happening and report the theft, they could transfer those rewards (plus any other points you earned on your own) to untraceable gift cards and make off with their loot.

“It’s a double whammy, because they steal your card and get what they buy on it,” Kirk says. “Plus they take all of the rewards they earn with the fraudulent purchases.”

Certain protections, such as the Fair Credit Billing Act, limit your liability for unauthorized charges on your credit card. But these same protections may not cover credit card rewards points or miles.

Kirk also warns that thieves continue to invent new ways to hack into reward accounts, so there’s no foolproof way to protect against them all.

“Fraudsters will be creative about it,” he says.

What steps can loyalty programs take to prevent fraud?

The good news is that loyalty programs are beginning to take note.

For years, according to Kirk, credit card companies treated the theft of points and miles as a “hush-hush” situation. But the industry has gradually come to realize that it can’t ignore the problem.

Here are a few ways they may be tackling loyalty theft and credit card fraud in general. 

Point-transaction history

Certain loyalty programs may monitor your point-transaction history to determine if you’re earning or redeeming points more rapidly than usual.

“This will be your best clue as to whether a transaction is out of the ordinary,” according to Chargebacks911, which advises online merchants on how to deal with fraudulent charges.

Social media

Though it takes a bit more legwork, monitoring a customer’s social media accounts is another way loyalty programs may be able to confirm a customer’s purchases.

If you post Instagram photos during your trip to France, for example, then redeeming points for a ticket to Paris is not so suspicious. But a ticket to China during the same time you’re in France might raise red flags. 

Hire hackers

Who better to catch a hacker than another hacker?

Through United Airlines’ “bug bounty” program, the airline rewards hackers with free airline miles if they notify United about any vulnerabilities they unearth within the MileagePlus® loyalty program.

Hacker Ryan Pickren, to use one remarkable example, claims he has earned about 20 million miles by helping United find more than 100 bugs in their system.

What steps can you take to reduce your risk?

It’s important to think of your loyalty points as if they’re actual money — and protect them as such.

Here are some common-sense ways to help protect your points and miles.

  1. Keep track: If you track your points and miles as closely as you monitor your bank accounts, you’re more likely to notice if they go missing.
  2. Create a strong password: You should also set up a strong password. For added security, think about using a different password for each account you have. And consider including letters, numbers and special characters. Avoid using passwords that contain personal information or easy-to-guess phrases like “12345” or “Password.”
  3. Stay off public Wi-Fi: Think twice before you access your loyalty account from an unsecured public Wi-Fi network. Consider investing in a VPN, or virtual private network, to create a secure, encrypted connection to help throw off would-be hackers.
  4. Fight fraud with free ID monitoring from Credit Karma: Credit Karma’s free monitoring and alerts can help you spot signs of identity theft.

“It’s less about what to do if you’re a victim, and more about making sure you aren’t a victim,” Kirk adds. “You don’t want to deal with recovering all your points after the fact. You just want to make sure it doesn’t happen in the first place.”

Bottom line

Don’t forget about your points.

It’s easy to lose track of your credit card rewards, but paying closer attention could make all the difference.

“You should know how many points and miles you have at any given time,” Kirk says. “Once you begin to view your loyalty currency as part of your overall financial picture, you’ll be focused on protecting those points as seriously as you would protect your savings account.”

About the author: Tim Devaney is a personal finance writer and credit card expert at Credit Karma. He’s a longtime journalist who prides himself on being a good storyteller who can explain complex information in an easily digestible wa…