Loyalty Program Fraud and Promo Abuse - an Easy Fix

Loyalty program fraud and promo abuse is a major problem, but there is an easy fix with advanced fraud solutions.

Patrick Drexler

VP of DACH and Friendly Fraud

24 November 2021



If we were to ask a room full of 100 people the question ‘how often do you check your bank balance?’, we would see that the majority keep tabs on their accounts on a daily, or at least a frequent, basis. But if the same question were asked about loyalty program points, an air of uncertainty would hang over the room. The reality is that loyalty program fraud is not taken as seriously as it should be by customers, due to a perceived lack of value assigned to points. Ask the same group whether they consider promo abuse an act of fraud or simply an act of taking advantage of loopholes, and opinion would be divided. What is certain is that both of these types of fraud can have a major financial impact on any eCommerce merchant - but they can be prevented.

How are loyalty schemes and promotions targeted by fraudsters?

The majority of eCommerce merchants aim to have a loyalty scheme in place to entice regular customers to return to their online shop and continue making purchases. The concept is fairly simple - customers buy products, and based on the amount spent, they will receive points that can accumulate over time (provided more purchases are made). These points can later be used to purchase various goods and services. But where merchants aim to prevent fraudulent activities against regular payment methods, many do not afford the same value of protection against theft of loyalty points. Fraudsters are fully aware of this and are prepared to take advantage of this oversight - and in certain cases, lack of action from merchants enables fraudster activities in this area.

A typical fraudster will aim to gain access to a customer’s loyalty program account by means of an account takeover (ATO), either through social engineering methods and/or use of phishing tools. A fraudster will prefer to remain under the radar of any merchant anti-fraud systems in place, so a ‘dormant’ account is the perfect target - customers rarely check them or have simply forgotten they possess one. For a fraudster, gaining access to an account is like a bear finding a beehive full of honey! Especially when the true owner isn’t aware of suspicious activities taking place, and is unlikely to discover them as they rarely (if ever) check such accounts. The fraudster can then create many fake accounts and transfer loyalty points between them, trying to disperse them before potentially being discovered.

Promo abuse scheme

As for promo abuse, this is much easier to perform, not requiring sophisticated hacking tools, but just the willingness and time to take advantage of loopholes in merchants’ internal rules and regulations. Just like with loyalty points, merchants will try to encourage existing and potential new customers to make purchases, either with discount codes, or rewards for signing up to their service with a new account. A typical sign-up offer may be to receive a free bet on a gambling website, or free 1st ride with a car-ride service. Sign-up referral codes can be exploited to gain credit/points and even gift vouchers. Of course, such offers are great, and what makes this type of fraud so harmful to a merchant’s finances is that it’s not only taken advantage of by cybercriminals, but by normal individuals who simply wish to get themselves a good deal. Everyone loves a freebie, right? And it can be as easy as one individual or household signing up for multiple accounts using different names through numerous email addresses.

Who is affected by loyalty fraud and promo abuse?

Surprisingly, some big global brands have been affected, and these problems are not unique to one industry or sector. Those with loyalty programs that have been affected include:

  • Airlines across the world that have air miles and loyalty points. The majority of big airlines, including American Airlines, British Airways and Lufthansa have dealt with this problem.
  • Banks such as American Express with Amex points and its payback program.

In terms of promo abuse, the most common industries to be affected by sign-up promotions have included:

  • Car-ride services such as Uber. The 1st ride is free, but in 2014, promotions were famously taken advantage of by one user who shared a referral promo code on Reddit for people to sign up, gaining him $50,000 in free credit.
  • Food and beverage companies such as HelloFresh offer home-cooked meal packages, with the 1st meal being free upon sign-up. Everyone loves free food...
  • The betting industry, where new users are offered a free 1st bet and individuals sign up with multiple accounts to claim it.

Financial Systems are Regulated - Loyalty and Promo Schemes are not

National and international financial institutions seek to maintain a highly regulated system, and the result is that money is generally well protected - by governments, banks etc. Where regulation does not have a hold is over the points and various promotions that provide a financial value but are not by definition monetary. Fraudsters continually search for the best methods and techniques to earn money as quickly and as easily as possible. The mainstream media conjures up an image of highly-skilled hackers going after high-value and risky targets, but the reality can be somewhat different. The ongoing COVID-19 pandemic has given rise to a new style of cybercriminal: newbies who were previously not involved with online fraud but who, struggling with recent job loss, found a quick way to make some easy money without much effort. The professionalisation of cybercrime tools and techniques has made it fairly easy for fraudsters to succeed in their attempts. Loyalty and promo schemes are therefore seen as a soft touch that can lead to big gains.

No merchant should ignore the threat, although many choose to, as they are more concerned with ensuring customers are loyal and continue purchasing on their site. However, the damage to reputation can have a major impact if the company acknowledges they do not effectively prevent the problem, let alone take it seriously. But there are relatively easy options to prevent loyalty and promo fraud - easy, but also advanced and very effective.

Weed out bad users by analysing behavioural patterns

Merchants can introduce some internal processes to better record and monitor the levels of loyalty fraud and promo abuse taking place. Knowing the scale of the problem is half the battle; effectively dealing with it is the other half. Some basic regulations for points and promotions can be introduced, such as:

  • Preventing accounts from accruing a huge amount of points in short spaces of time.
  • Limiting the transfer of huge amounts of points to other accounts - and the frequency of transfers.
  • Setting expiry dates to limit the vast accrual of points.
  • Flagging mismatches between expected and actual points/promo usage, for example, an account which has remained dormant for a long time and has all of a sudden begun redeeming and transferring points.
  • A simpler approach altogether is to regularly remind customers via email to check on their accounts - education is always key in beating fraud.
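
The accrual, transfer and dormancy rules above can be run as a small detector over a points ledger. This is an added example, not code from the article or from Nethone; the event format, the function name flag_events and every threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them per programme.
WINDOW = timedelta(hours=24)
MAX_EARN_PER_WINDOW = 5_000      # points accrued per account per 24 h
MAX_TRANSFER_POINTS = 2_000      # points in a single outbound transfer
MAX_TRANSFERS_PER_WINDOW = 3     # outbound transfers per account per 24 h
DORMANT_AFTER = timedelta(days=180)

def flag_events(events):
    """Flag rule breaks in time-sorted (account, iso_ts, kind, points) events."""
    earned = defaultdict(deque)      # account -> (ts, points) inside the window
    transfers = defaultdict(deque)   # account -> ts of outbound transfers
    last_seen, flags = {}, []
    for account, iso_ts, kind, points in events:
        ts = datetime.fromisoformat(iso_ts)
        prev = last_seen.get(account)
        # Dormant account suddenly redeeming or moving points (first event only).
        if prev is not None and ts - prev >= DORMANT_AFTER and kind != "earn":
            flags.append((account, iso_ts, "dormant_reactivation"))
        if kind == "earn":
            q = earned[account]
            q.append((ts, points))
            while ts - q[0][0] > WINDOW:      # slide the 24 h window forward
                q.popleft()
            if sum(p for _, p in q) > MAX_EARN_PER_WINDOW:
                flags.append((account, iso_ts, "accrual_velocity"))
        elif kind == "transfer_out":
            q = transfers[account]
            q.append(ts)
            while ts - q[0] > WINDOW:
                q.popleft()
            if points > MAX_TRANSFER_POINTS:
                flags.append((account, iso_ts, "transfer_size"))
            if len(q) > MAX_TRANSFERS_PER_WINDOW:
                flags.append((account, iso_ts, "transfer_frequency"))
        last_seen[account] = ts
    return flags

# Constructed sample events (not real data).
SAMPLE = [
    ("A1", "2021-01-05T10:00:00", "earn", 300),
    ("B7", "2021-11-01T09:00:00", "earn", 4000),
    ("B7", "2021-11-01T15:00:00", "earn", 1500),
    ("A1", "2021-11-20T02:14:00", "redeem", 250),
    ("A1", "2021-11-20T02:20:00", "transfer_out", 2500),
]
```

Flags are review signals rather than verdicts; a flagged account would normally go to step-up verification or manual review before points are frozen.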

Dealing with loyalty fraud and promo abuse can be done manually with the right procedures and checks in place, but of course, this can be a lengthy process, yielding fairly poor results. The sheer volume of data required to be sifted through can be overwhelming, which is why an automated solution is required. With Machine Learning (ML) backed models, over 5000 pieces of data can be analysed in real-time, effectively identifying suspicious patterns of behaviour that indicate a high probability of fraud.

Indicators can be the use of multiple email addresses coming from the same IP address (and physical home address) being used to create new accounts to take advantage of sign-up promotions. Although this doesn’t necessarily have to be the actions of a seasoned or newbie cybercriminal, the scale of such actions by so-called ordinary users can financially impact a merchant. Therefore, deploying an effective fraud detection and prevention solution not only ensures that you prevent cybercriminals from defrauding you or your customers, but you can improve the integrity of your loyalty schemes and put an end to promo abuses. And with such an effective solution in place, the company's reputation improves. And with that you have a win-win situation, ensuring customer loyalty and satisfaction - the whole point of loyalty schemes and promotions. But now you can ensure this in a fraud-free environment.
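
The sign-up indicator described above (several email addresses behind one IP address and one home address) can be checked by grouping sign-ups on a normalised key. This is an added example, not code from the article or from Nethone; the record fields, function names, abbreviation map and threshold are assumptions, and the sample sign-ups are constructed.

```python
import re
from collections import defaultdict

MIN_ACCOUNTS = 3  # assumed threshold: sign-ups per household before review

def normalise_address(addr):
    """Lowercase, drop punctuation and collapse spaces so variants compare equal."""
    addr = re.sub(r"[^\w\s]", " ", addr.lower())
    # Small constructed abbreviation map; a real deployment needs a fuller one.
    abbrev = {"street": "st", "road": "rd", "avenue": "ave", "apartment": "apt"}
    return " ".join(abbrev.get(tok, tok) for tok in addr.split())

def normalise_email(email):
    """Strip '+tag' sub-addressing so a+1@x and a+2@x count as one mailbox."""
    local, _, domain = email.lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain

def promo_clusters(signups, min_accounts=MIN_ACCOUNTS):
    """Group sign-ups by (IP, normalised address); return groups at the threshold."""
    groups = defaultdict(list)
    for s in signups:
        groups[(s["ip"], normalise_address(s["address"]))].append(s)
    clusters = []
    for (ip, addr), members in groups.items():
        if len(members) >= min_accounts:
            clusters.append({
                "ip": ip, "address": addr,
                "accounts": sorted(m["account"] for m in members),
                # Fewer mailboxes than accounts means aliases of one inbox.
                "mailboxes": len({normalise_email(m["email"]) for m in members}),
            })
    return clusters

# Constructed sample sign-ups (documentation IP ranges, made-up users).
SIGNUPS = [
    {"account": "u1", "email": "j.doe@example.com", "ip": "203.0.113.7", "address": "12 Mill Street, Apt. 4"},
    {"account": "u2", "email": "j.doe+promo@example.com", "ip": "203.0.113.7", "address": "12 mill st apt 4"},
    {"account": "u3", "email": "jane.d@example.org", "ip": "203.0.113.7", "address": "12 Mill St., Apartment 4"},
    {"account": "u4", "email": "sam@example.net", "ip": "203.0.113.7", "address": "99 Oak Road"},
    {"account": "u5", "email": "lee@example.net", "ip": "198.51.100.20", "address": "5 Elm Avenue"},
]
```

Keying on IP and address together keeps unrelated users behind a shared IP (u4 here) out of the cluster; IP alone would over-flag offices, campuses and carrier NAT.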


If you wish to prevent loyalty program fraud and promo abuse in your business, we can help. Click 'book a call' at the top of this page or contact Patrick directly via email at patrick.drexler@nethone.com or via LinkedIn.
