Smash-and-Grab: It’s Happening to You, But Not Where You’re Looking




Reward Points Are Treasure, And Treasure Gets Stolen

Therefore, guess what? Loyalty program points are being plundered, at epidemic rates.

The spate of smash-and-grab thefts in Los Angeles may be grabbing headlines (with $25,000 in designer purses stolen from Nordstrom, how could it not?). However, loyalty reward theft represents a far more insidious theft, and it’s taking place right under your nose.

From 2018 to 2019, the most recent year for available data, loyalty program fraud rose 89%. This should surprise no one. Loyalty points have monetary value, and there are $48 trillion worth of unspent points out there – often unwatched and forgotten, as nearly half (45%) of reward program members are inactive. (In the U.S. alone, program members are sitting on more than $140 billion worth of unused rewards points, according to data from Gartner.)

Considering that only $3.1 billion of that $48 billion in unspent treasure is stolen, there’s a lot of untapped opportunity out there for scammers.

Oh, the Many Kinds of Rewards Fraud

Despite the rise of reward program fraud, 42% of merchants say they do not have the skills, and nearly 50% do not have the resources, to prevent it. Scammers, meanwhile, are honing their reward-robbing skills.

Loyalty program fraud takes a few forms. It occurs when a hacker tunnels into someone’s rewards program, when a scammer creates a shell program designed to steal consumer information, or it can be perpetrated by consumers using dishonest practices to gain points. Generally, these schemes fall into one of four categories:

Account pirating. These are hacks in which the perpetrator breaks into an account, usually by using a member’s stolen personal identification number (thanks, dark net) or via an automated cyber-attack (like a phishing email). Such “credential stuffing” – cyberattacks in which stolen lists of user names, email addresses and passwords are tried against other accounts – reached a staggering 100 billion attempts from 2018 to 2020, according to cloud-computing provider Akamai Technologies. Once inside, the thief can raid the reward points, redeeming them for money or transferring them to another account. Arrrrgh!

Knock-off accounts. You won’t find these fake accounts selling off of a curbside card table or out of the back of a van, but they are virtually the same as that faux Louis Vuitton handbag your aunt carries. The fraudster creates bogus accounts, often using stolen identities, and then accrues points, transfers them to other accounts in the portfolio, redeems them and even sells them. A hacker may even trade points for a tangible reward and then sell it. Untraceable gift cards are evidently a popular item.

Transactional looting. An offspring of account pirating, transactional fraud takes place when point pirates steal information from the loyalty members’ credit card accounts, digital wallets or other payment methods linked to their memberships. They then go to town making transactions they won’t have to pay for, gaining more points they can quickly redeem in the process. Many also sell this information on the dark net (contributing to the aforementioned credential stuffing, detailed under “account pirating”).

Breaking policy. This is a practice that tragically may be performed by legitimate loyalty members. They seek and take advantage of loopholes in the policy, or weaknesses in the platform, such as signing up for many credit cards that are linked to the same rewards initiative or booking a hotel room for a friend (who pays) in order to gain the points. Sometimes the user may not see this as a nefarious act – giving coupons or promotional codes to friends and family is sharing! But as the rewards operator, you pay. The one upside is the recipient may like the offer and enroll in your program.

How to Put a Points Pirate in the Crosshairs

Spotting a scam requires detecting sudden, notable irregularities in an account or group of accounts. That level of detection requires monitoring.
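The monitoring described above can start from a few rules drawn from the fraud categories in this article: a long-idle account that suddenly cashes out (account pirating) and several accounts funneling points into one recipient (knock-off accounts). The following is an added example, not code from the article or from any loyalty platform; the thresholds and the sample activity records are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

DORMANT_DAYS = 180      # inactivity threshold before a cash-out is suspicious (assumed value)
FUNNEL_SOURCES = 3      # distinct senders into one account before it is flagged (assumed value)

@dataclass
class Event:
    account: str
    kind: str          # "redeem" or "transfer"
    points: int
    days_idle: int     # days since this account's previous activity
    dest: str = ""     # receiving account, only for transfers

# Constructed sample activity; not real program data.
SAMPLE = [
    Event("m001", "redeem", 50_000, 400),               # dormant member suddenly cashes out
    Event("m002", "redeem", 1_200, 3),                  # routine activity
    Event("f101", "transfer", 9_000, 1, dest="x999"),
    Event("f102", "transfer", 8_500, 2, dest="x999"),
    Event("f103", "transfer", 9_200, 1, dest="x999"),   # three fresh accounts feed one recipient
    Event("m003", "transfer", 500, 10, dest="m004"),    # ordinary one-off transfer
]

def flag_dormant_raids(events):
    """Account-pirating signal: a long-idle account redeems or transfers points."""
    return sorted({e.account for e in events if e.days_idle > DORMANT_DAYS})

def flag_funnels(events):
    """Knock-off account signal: many distinct senders feed the same destination."""
    senders = defaultdict(set)
    for e in events:
        if e.kind == "transfer" and e.dest:
            senders[e.dest].add(e.account)
    return sorted(d for d, s in senders.items() if len(s) >= FUNNEL_SOURCES)

def review_queue(events):
    """Combine both signals into one list of accounts for an analyst to review."""
    queue = {a: "dormant account cashed out" for a in flag_dormant_raids(events)}
    for d in flag_funnels(events):
        queue[d] = "receives points from many accounts"
    return queue

if __name__ == "__main__":
    for acct, reason in review_queue(SAMPLE).items():
        print(f"{acct}: {reason}")
```

Real deployments would tune the thresholds from the program's own activity history and add the transactional-looting case (new payment method followed by rapid redemption) once those fields are available.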

If you are among the 50% of organizations that don’t have the resources, hire a company that does. Some payment protection companies, such as Forter, offer account protection to block fakes, policy abuse prevention and multi-factor authentication services (think text codes). In my opinion, multi-factor authentication should be the standard, as well as automated emails to remind members to change their passwords every six months.

If you believe your program is the target of a scam, seek help from organizations such as the Loyalty Security Association, your state attorneys general or the Federal Trade Commission. And act now. $3 billion in reward points can buy a lot (it’s what Kanye West estimated his worth to be in 2020, according to Unstopped), and such theft can cause significant material loss to a company. Reward program plundering has grown from petty theft into organized crime for a reason.


This article originally appeared in The Wise Marketer.

Jenn McMillen
Incendio Founder Jenn McMillen has been building and sharing expertise in the retail industry for 20+ years. Her expertise includes customer relationship management, shopper experience, retail marketing, loyalty programs and data analytics. She's a retail contributor for Forbes.

