Within the loyalty and marketing industry, there is a growing concern regarding customer loyalty fraud and program gaming. Loyalty programs have become an attractive target of digital fraudsters.
Loyalty Program Fraud is, of course, not a new issue. It’s been around since the inception of loyalty programs and is unfortunately somewhat inevitable. There will always be people who try to ‘hack’ or ‘game’ a program when benefits and rewards of value are at play.
The value of loyalty programs
While many don’t realize the true value of loyalty programs, they have increasingly proved to be a huge asset for many companies. Airline loyalty programs, for example, are massive businesses in their own right – in some cases, such as with American Airlines, the programs themselves can be valued at $18-30 billion. To deal with setbacks, airlines can use their loyalty programs as collateral for bondholders.
From a fraudster’s point of view, loyalty points have real cash value. They can be exchanged via the dark web with minimal communication between the seller and the buyer, which lowers the risk of getting caught. They are often exchanged for untraceable items such as gift cards, which also increases their appeal.
Another reason loyalty programs are often overlooked when it comes to fraud is that the accounts aren’t perceived as high risk by their holders. Often, consumers use the same simple passwords for their loyalty program accounts, while they may be more careful when choosing passwords and security preferences with accounts that they think contain more sensitive data. The truth, however, is that loyalty profiles contain quite a bit of personal information, and in some cases financial information as well. All of this data can be collected and sold or traded on the dark web.
While we’ve all been focusing our attention elsewhere, cybercriminals have ramped up their nefarious activities, committing more fraud than they were in 2019 and early 2020. This is especially true as consumers limit their discretionary spending and neglect their loyalty program accounts. When consumers, who might otherwise notice missing funds or rewards, leave their accounts unattended for long periods of time, theft may easily go unnoticed and fraudsters can reap the benefits and win big.
Fraud has also increased as consumer behavior has changed. Many consumers have turned to e-commerce and online shopping as their main channels of shopping. Thus, the flow of money online has increased, which provides more opportunities for fraudsters and cybercriminals. The advent of mobile payments through mobile wallets has also presented more opportunities for fraudulent activity.
A few of the most common ways fraudsters take advantage of loyalty programs include:
- Account Takeover – a form of identity theft in which the fraudster gets access to account information – through a data breach, malware, or phishing – and uses it to make unauthorized transactions.
- Internal Fraud – fraud committed by internal actors, such as site staff, program administrators, Contact Center agents, partners and integrators, who exploit their “insider” privileges against the program’s IT systems or Terms & Conditions.
- Enrollment Fraud – fraud involving accounts that are opened solely to commit fraud.
How should brands prepare to deal with fraud & gaming?
Many brands are looking at fraud from an ad-hoc perspective (they do not have Standard Operating Procedures). Often, companies running loyalty programs only realize loyalty fraud is indeed an issue they should be paying attention to once they suffer from some type of loyalty fraud incident. Standard Operating Procedures related to loyalty fraud are very rare even in large and mature organizations. Maciej Tyczyński, the Head of Comarch’s Data Science Team, recommends establishing a formal SOP around loyalty fraud prevention and incident handling.
“The best way is to adapt already existing procedures in related areas, such as payments, chargebacks, internal fraud, and compliance,” he noted. “Companies that do have formalized procedures in place are much better equipped to handle everyday incidents as well as occasional bigger fraud cases.”
When discussing the possibility of either automating some loyalty fraud processes or introducing a new tool that supports these operational tasks, it is much easier for companies that have standardized procedures in place to assess the potential ROI of those activities and make more informed decisions about investments in this field.
What is employee fraud, and how should brands address it?
Employee or internal fraud is, from what we see, the second biggest concern for loyalty program operators, just after account takeovers. The average impact of employee fraud tends to be severe. Industries that we see most affected are oil & gas chains, hotels, and large retailers. Companies in these industries tend to hire large numbers of frontline staff that often end up being the biggest source of fraud.
In order to mitigate the risks of employee fraud, we recommend brands create a set of rigid rules and limits that prevent the most straightforward fraudulent actions. Another important aspect is to make sure a set of targeted reports and KPIs is created to track and measure site staff activities and pick up any deviations from the norm. Lastly, we recommend that brands look into solutions using AI & Machine Learning. They tend to excel in spotting the most nuanced instances of fraud committed by internal actors.
A few tips for dealing with loyalty fraud:
- Examine your current loyalty program for any potential loopholes. This should not be a one-time check; you should be monitoring your program consistently.
- Limit employee access to all loyalty program data on a strictly need-to-know basis.
- Always alert users when a data breach occurs. In the aftermath of a breach, notify your customers and instruct them to carefully check their loyalty points and rewards.
- Consider adding multi-factor authentication for sensitive operations, such as changes to personal data (passwords, email addresses) and redemption operations. Multi-factor authentication requires a second factor, typically a one-time password, in addition to the account password before a specific account or operation can be accessed. It’s easy for hackers to get their hands on one piece of information like a password, but it’s much harder for them to gain access to mobile devices or guess security questions correctly.
Loyalty Fraud Prevention starts with planning. Plan ahead by implementing preventative measures so you catch issues before it’s too late. The costs associated with a security breach are estimated to be in the millions per incident. And it’s not just monetary losses at stake – it’s also the brand’s reputation as a whole. Security breaches are now more publicized than ever before, and reputational damage is accelerated by social media and viral videos, which can result in an even bigger loss to the company. So – it’s important to be well prepared.
That’s why our award-winning Loyalty Fraud Detection system incorporates the latest Artificial Intelligence and Machine Learning models to keep you ahead of the curve. Detect fraudulent activities with a solution that guarantees that every transactional anomaly in customers’ behavior will be detected, reported, and prevented from causing any damage.
Comarch is a proud member of the Loyalty Security Association, an organization that aims to provide companies and organizations with a platform where they can find resources, Best Practices, tools, training, and peers with whom they can discuss Security Issues.
Learn about all of the most pressing Loyalty Fraud challenges companies are confronted with today in our newly updated white paper, including a new section on Enrollment Fraud.