Loyalty points can usually be exchanged for food, clothing, toys, electricals or even flights and have as much value to criminals as they do to their rightful owners.
In recent weeks, Which? has noted an increase in Sainsbury's customers reporting their Nectar card balances have been ransacked, but it's not a new scam and neither is Nectar the first loyalty scheme to be targeted.
Here, we look at four times fraudsters have targeted loyalty schemes and what to do to prevent your points from being nabbed.
1. Sainsbury's Nectar scheme
Loyal Sainsbury's customers have been contacting Which? to tell us their Nectar points have been stolen from their accounts.
This isn't a new issue for the Nectar scheme. We've covered it in previous years and it's been widely reported in the media.
An investigation by This is Money recently found criminal groups selling on the Nectar balances of unsuspecting victims.
Thankfully, victims typically have their stolen points reinstated by Sainsbury's, but exactly how their accounts are being compromised remains unclear.
Nectar told Which? it is constantly improving its systems and processes to help safeguard customers’ points. It said that over the past few years, it's introduced a number of new security measures, including pre-emptively blocking redemptions when it detects a fraudulent transaction, allowing customers to pause any spending of points on their account by contacting Nectar, and requiring photo ID for all Nectar redemptions over £50 in Argos stores.
It said it ensures that customers impacted by points theft will receive their money back.
2. Boots Advantage Card
In 2020, Boots temporarily suspended all payments made with points from its Advantage Cards, after cybercriminals tried to force their way into thousands of accounts.
Boots said its own systems were secure but the hackers had tried to gain entry via passwords its customers had reused on other sites.
This kind of attack, known as password stuffing, comes about when login details from data breaches are dumped online. The criminals bank on victims having used the same or similar passwords across different accounts.
3. Tesco Clubcard
Just weeks before the Boots cyberattack, criminals had tried the same tactic on Tesco Clubcard accounts, resulting in 600,000 of them being cancelled and reissued.
Tesco said it thought a database of passwords and usernames stolen from other sites had been tried out on its own site, and some accounts may have been breached. It vowed to replace any stolen points or vouchers.
At the time, a Tesco spokesperson said: 'We are aware of some fraudulent activity around the redemption of a small proportion of our customers' Clubcard vouchers.
'Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.'
4. British Airways Avios scheme
In 2021, The Times exposed a scam in which British Airways air miles - known as Avios points - were stolen and converted into Nectar points.
Avios points themselves aren't thought to be of much value to fraudsters because they would need to supply their passport details in order to book a flight with them. However, converting the points enabled them to be spent in branches of Sainsbury's and Argos.
Avios said it had informed a small number of customers that they had been affected and that their Avios would be reinstated.
In response, BA said: 'We immediately investigate any alleged instances of fraud against our members, take measures to protect their accounts, and inform the police of potential criminal activity.'
How safe are your loyalty scheme accounts?
Which? spoke to Steve Goddard, a fraud prevention expert at Featurespace, about the theft of loyalty points and scams.
He said the use of generative artificial intelligence (AI) is making it easier for cybercriminals to perform 'brute force' attacks, where passwords stolen in data breaches are then tried on different sites, in the hopes that victims have reused their password.
He added that AI 'can summarise and make the breached data more usable' more quickly than traditional methods.
Thankfully, those who lose their points often have them reinstated.
If you find your points are missing, you should contact your loyalty scheme provider immediately using the contact details found on their website.
source https://www.which.co.uk/news/article/four-times-fraudsters-targeted-loyalty-schemes-aZn7b8A6tk2N