According to Forester research, loyalty card fraud increased by 89% in 2019 and the trend continued in 2020 and 2021. Loyalty programs and reward apps continue to be a lucrative target for cybercriminals. Instead of trying to take over online loyalty programs through credential stuffing attacks, they try to steal money by using a lower risk method because it is easier to execute and scale.
With most loyalty and reward programs being managed by third parties and linked to mobile payment systems and credit cards, there is a high chance that they fail to follow the same security standards as the brand itself. This gives hackers a small opening that they can capitalize on and fulfil their malicious objectives.
Michael Reitblat, CEO and co-founder of Forter says, “Fraudsters are diversifying into softer currencies that are not primarily financial and moving beyond transactional credit card fraud into areas such as loyalty account fraud.”
In this article, you will learn seven types of loyalty and reward-based attacks that consumers should be aware of.
1. Mastercard
Mastercard admitted that the account information of 90,000 German customers, who are members of its Priceless Specials Reward Program, was compromised in a data breach. The compromised records included the names, addresses and credit card numbers of customers, but what was downright frightening was the fact that this loyalty program was managed by a third party that admitted to having loose security controls and protection, which multiplied the risk.
2. Dunkin Donuts
Dunkin Donuts’ DD Perks program has been in the news for all the wrong reasons. Since 2015, customers have been complaining about account takeovers. This continued till 2018. In February 2019, it experienced another credential stuffing attack in which hackers tried to take over accounts and drain their points. Dunkin Donuts has started taking the complaints seriously and is doing its bit to prevent such attacks in future.
3. Marriott
In late 2018, hackers stole user information from Starwood Preferred Guest Loyalty account holders. The goal of the breach was to steal customers' value points, which might not seem like a big deal but can have more far-reaching consequences than credit card information theft. The impact of this massive data breach was so high that Marriott had to rebrand its loyalty program as Marriott Bonvoy after sharing the attack details with the public. Marriott had also been affected by data breaches and cyberattacks before, but none of them was as massive as this one.
4. Sainsbury’s
When the holiday season was in full swing, British retailer Sainsbury’s customers noticed something suspicious. Customers complained that the points linked to Sainsbury’s Nectar loyalty program were being stolen in big numbers. In this attack, the fraudster used a spray and pray approach and used credential stuffing attacks to steal those points.
5. British Airways
According to research conducted by Comparitech, dark web marketplaces are dotted with offers where cybercriminals sell frequent flyer miles stolen from frequent flyers. Airline loyalty and reward programs have been a target for hackers for quite some time now, but the attack surface is increasing with each passing day. From British Airways to Emirates, Delta to Virgin, no one is safe from such incidents. If you are a customer who has a frequent flyer loyalty account, you should be worried.
6. Pizza Hut
Information about Pizza Hut’s Hut reward program started surfacing online in June 2019. Just like in Sainsbury’s case, customers started reporting that their pizza was being stolen by cybercriminals. Fortunately, the attack did not affect Pizza Hut’s entire massive user base, only 1% of Hut reward customers, which means it only affected hundreds of customers, according to Pizza Hut.
7. 7-11 Japan
7-11 Japan, a popular convenience store chain in Japan, launched a mobile payment feature. A few days later, its reward and payment app, known as 7pay, was targeted by cyber attackers. They managed to steal $500,000 from 900 Japanese customer accounts. They achieved that goal by compromising payment card data. Since these payment cards are linked to customers' app accounts, it made life easy for hackers.
How to Keep Your Data Safe?
If you have subscribed to a loyalty program or use a reward app, you must exercise some caution to keep your data protected. Here are some steps you can take to keep your data safe.
- Keep an eye on the information you are sharing online.
- Use a secondary email address.
- Follow password best practices when setting a password.
- Use safer authentication methods such as biometric authentication.
- Implement multi-factor authentication.
- Install programs that scan apps before installing them.
- Secure your best-dedicated server.
- Always install apps from trusted sources.
Have you ever been a victim of a loyalty and reward-based cybersecurity attack? How do you protect your business from a loyalty and reward program attack? Share it with us in the comments section below.