24 November 2021
The majority of eCommerce merchants aim to have a loyalty scheme in place to entice regular customers to return to their online shop and continue making purchases. The concept is fairly simple - customers buy products and, based on the amount spent, receive points that accumulate over time (provided more purchases are made). These points can later be used to purchase various goods and services. But while merchants work to prevent fraud against regular payment methods, many do not afford the same level of protection to loyalty points, which can be stolen just as readily. Fraudsters are fully aware of this and are prepared to take advantage of the oversight - and in certain cases, a lack of action from merchants actively enables fraudster activity in this area.
A typical fraudster will aim to gain access to a customer’s loyalty program account by means of an account takeover (ATO), through social engineering and/or phishing tools. A fraudster will prefer to remain under the radar of whatever merchant anti-fraud systems are in place; therefore, a ‘dormant’ account is the perfect target - customers rarely check them or have simply forgotten they possess one. For a fraudster, gaining access to such an account is like a bear finding a beehive full of honey! This is especially true when the true owner isn’t aware of the suspicious activity taking place and is unlikely to discover it, as they rarely (if ever) check such accounts. The fraudster can then create many fake accounts and transfer loyalty points between them, trying to disperse the points before the theft is discovered.
Promo abuse, by contrast, is much easier to perform: it requires no sophisticated hacking tools, just the willingness and time to take advantage of loopholes in a merchant’s internal rules and regulations. Just as with loyalty points, merchants try to encourage existing and potential new customers to make purchases, either with discount codes or with rewards for signing up for their service with a new account. A typical sign-up offer may be a free bet on a gambling website, or a free first ride with a car-ride service. Sign-up referral codes can be exploited to gain credit, points and even gift vouchers. Of course, such offers are great, and what makes this type of fraud so harmful to a merchant’s finances is that it is taken advantage of not only by cybercriminals but by ordinary individuals who simply wish to get themselves a good deal. Everyone loves a freebie, right? And it can be as easy as one individual or household signing up for multiple accounts under different names through numerous email addresses.
Surprisingly, some big global brands have been affected, and these are problems not unique to one industry or sector. Some of those with loyalty programs to be affected have included:
In terms of promo abuse, the most common industries to be affected by sign-up promotions have included:
Because national and international financial institutions operate within a highly regulated system, money itself is generally well protected - by governments, banks and so on. Where regulation has no hold is over the points and various promotions that carry a financial value but are not, by definition, money. Fraudsters continually search for the best methods and techniques to earn money as quickly and as easily as possible. The mainstream media conjures up an image of highly skilled hackers going after high-value, risky targets, but the reality can be somewhat different. The ongoing COVID-19 pandemic has given rise to a new style of cybercriminal: newbies who were previously not involved in online fraud but, struggling with recent job loss, found a quick way to make some easy money without much effort. The professionalisation of cybercrime tools and techniques has made it fairly easy for such fraudsters to succeed in their attempts. Loyalty and promo schemes are therefore seen as a soft touch that can lead to big gains.
No merchant should ignore the threat, although many choose to, as they are more concerned with ensuring customers remain loyal and continue purchasing on their site. However, the damage to reputation can be major if a company has to acknowledge that it does not effectively prevent the problem, let alone take it seriously. But there are relatively easy options for preventing loyalty and promo fraud - easy, yet also advanced and very effective.
Merchants can introduce internal processes to better record and monitor the levels of loyalty fraud and promo abuse taking place. Knowing the scale of the problem is half the battle; dealing with it effectively is the other half. Some basic rules for points and promotions can be introduced, such as:
Dealing with loyalty fraud and promo abuse can be done manually with the right procedures and checks in place, but of course, this can be a lengthy process, yielding fairly poor results. The sheer volume of data required to be sifted through can be overwhelming, which is why an automated solution is required. With Machine Learning (ML) backed models, over 5000 pieces of data can be analysed in real-time, effectively identifying suspicious patterns of behaviour that indicate a high probability of fraud.
One such indicator is multiple email addresses coming from the same IP address (and the same physical home address) being used to create new accounts in order to take advantage of sign-up promotions. Although these need not be the actions of a cybercriminal, seasoned or newbie, the scale of such actions by so-called ordinary users can financially impact a merchant. Deploying an effective fraud detection and prevention solution therefore not only prevents cybercriminals from defrauding you or your customers, but also improves the integrity of your loyalty schemes and puts an end to promo abuse. With such a solution in place, the company's reputation improves, and you have a win-win situation: customer loyalty and satisfaction - the whole point of loyalty schemes and promotions - delivered in a fraud-free environment.
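As an added illustration (not code from the original post or from any particular vendor), the following Python routine applies the indicator above to constructed sign-up records: it flags any IP address or postal address behind more than a set number of distinct new accounts within a time window. The record layout, thresholds and sample data are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-up records: (email, source IP, postal address, ISO timestamp).
# The first four share one IP and one home address within 15 minutes, which is
# the pattern the post describes for sign-up promo abuse.
SIGNUPS = [
    ("alice@example.com", "203.0.113.5", "1 High St", "2021-11-01T10:00:00"),
    ("bob@example.com",   "203.0.113.5", "1 High St", "2021-11-01T10:04:00"),
    ("carol@example.com", "203.0.113.5", "1 High St", "2021-11-01T10:09:00"),
    ("dave@example.com",  "203.0.113.5", "1 High St", "2021-11-01T10:15:00"),
    ("erin@example.com",  "198.51.100.7", "22 Park Rd", "2021-11-02T09:00:00"),
    ("frank@example.com", "198.51.100.9", "22 Park Rd", "2021-11-03T09:00:00"),
]


def promo_abuse_clusters(signups, max_accounts=2, window_hours=24):
    """Group sign-ups by IP and, separately, by normalised postal address.

    Returns {("ip", value) or ("address", value): sorted list of emails} for
    every group in which more than max_accounts distinct emails registered
    within any window_hours span. Thresholds are assumed values for the demo.
    """
    groups = defaultdict(list)
    for email, ip, addr, ts in signups:
        when = datetime.fromisoformat(ts)
        groups[("ip", ip)].append((when, email))
        # Collapse case and whitespace so trivially varied addresses still match.
        groups[("address", " ".join(addr.lower().split()))].append((when, email))

    window = timedelta(hours=window_hours)
    flagged = defaultdict(set)
    for key, events in groups.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_hours.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {email for _, email in events[start:end + 1]}
            if len(distinct) > max_accounts:
                flagged[key].update(distinct)
    return {key: sorted(emails) for key, emails in flagged.items()}


if __name__ == "__main__":
    for key, emails in promo_abuse_clusters(SIGNUPS).items():
        print(f"{key[0]} {key[1]}: {len(emails)} accounts -> {emails}")
```

Matches are a signal for review, not proof of abuse: shared IPs (offices, carrier NAT) and shared addresses (flats, student halls) are legitimate, so the flagged cluster should feed the manual checks or ML model the post recommends rather than block accounts outright.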