Loyalty points can usually be exchanged for food, clothing, toys, electricals or even flights and have as much value to criminals as they do to their rightful owners.
In recent weeks, Which? has noted an increase in Sainsbury's customers reporting that their Nectar card balances have been ransacked, but it's not a new scam and Nectar isn't the first loyalty scheme to be targeted.
Here, we look at five times fraudsters have targeted loyalty schemes and what to do to prevent your points from being nabbed.
1. Sainsbury's Nectar scheme
Loyal Sainsbury's customers have been contacting Which? to tell us their Nectar points have been stolen from their account.
This isn't a new issue for the Nectar scheme. We've covered it in previous years and it's been widely reported in the media.
An investigation by This Is Money recently found criminal groups selling on the Nectar balances of unsuspecting victims.
Thankfully, victims typically have their stolen points reinstated by Sainsbury's, but exactly how these accounts are being compromised remains unclear.
Nectar told Which? it is constantly improving its systems and processes to help safeguard customers’ points. It said that over the past few years, it has introduced a number of security measures, including pre-emptively blocking redemptions when a fraudulent transaction is detected, allowing customers to pause any spending of points on their account by contacting Nectar, and requiring photo ID for all Nectar redemptions over £50 in Argos stores.
It said it ensures that customers impacted by points theft will get their money back.
2. Boots Advantage Card
In 2020, Boots temporarily suspended all payments made with points from its Advantage Cards, after cybercriminals tried to force their way into thousands of accounts.
Boots said its own systems were secure, but the hackers had tried to gain entry via passwords its customers had reused on other sites.
This kind of attack, known as password stuffing, comes about when login details from data breaches are dumped online. The criminals bank on victims having used the same or similar passwords across different accounts.
3. Tesco Clubcard
Just weeks before the Boots cyberattack, criminals had tried the same tactic on Tesco Clubcard accounts, resulting in 600,000 of them being cancelled and reissued.
Tesco said it thought a database of passwords and usernames stolen from other sites had been tried out on its own site, and some accounts may have been breached. It vowed to replace any stolen points or vouchers.
At the time, a Tesco spokesperson said: 'We are aware of some fraudulent activity around the redemption of a small proportion of our customers' Clubcard vouchers.
'Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.'
4. British Airways Avios scheme
In 2021, The Times exposed a scam in which British Airways air miles, known as Avios points, were stolen and converted into Nectar points.
Avios points themselves aren't thought to be of much value to fraudsters, because they would need to supply their passport details in order to book a flight with them. However, converting the points enabled them to be spent in branches of Sainsbury's and Argos.
Avios said it had informed a small number of customers that they had been affected and that their Avios points would be reinstated.
In response, BA said: 'We immediately investigate any alleged instances of fraud against our members, take measures to protect their accounts, and inform the police of potential criminal activity.'
5. Iceland Bonus Card
Last Christmas, a number of Iceland's Bonus Card account holders found their balances had been wiped.
The popular loyalty programme is often used as a Christmas saving scheme, where shoppers earn an extra £1 for every £20 spent.
Customers took to social media to complain about their missing balances in the run-up to Christmas, with some concerned that they wouldn't be able to do their Christmas food shop.
At the time, Iceland said there had been 'unlawful access to a small proportion of its customers’ Bonus Card accounts'. It added that the login details had been stolen through breaches on other websites and there had been no breach of Iceland's systems.
The missing points were restored by the supermarket.
How safe are your loyalty scheme accounts?
Which? spoke to Steve Goddard, a fraud prevention expert at Featurespace, about the theft of loyalty points and scams.
He said the use of generative artificial intelligence (AI) is making it easier for cybercriminals to perform 'brute force' attacks, where passwords stolen in data breaches are then tried on different sites, in the hopes that victims have reused their password.
He added that AI 'can summarise and make the breached data more usable' more quickly than traditional methods.
Thankfully, those who lose their points often have them reinstated.
If you find your points are missing, you should contact your loyalty scheme provider immediately using the contact details found on their website.
source https://www.which.co.uk/news/article/loyalty-scheme-scams-how-to-keep-your-points-safe-aZn7b8A6tk2N