Loyalty schemes operated by retail, hospitality, entertainment, travel and dedicated card businesses have become so popular that they represent a billion-pound industry. Schemes vary in how they operate: some reward customers with a simple discount off purchases, whilst some offer purchases from third-party organisations as well as the issuer. Other schemes are more generic, enabling customers to accrue points and redeem them with a wide range of organisations, often at two or more times their face value. Many people rely on their accrued points to help towards buying Christmas presents, travel or experiences.
Loyalty scheme members can build up substantial credits over a period, depending on how much they spend, and with whom. Unfortunately, this has made them an attractive target for fraudsters, who exploit the following:
- Many people use the same login details for their loyalty card accounts as for their other accounts, making them vulnerable if one of these other accounts is hacked.
- Many scheme operators do not exercise the same security as banks – with no Chip & PIN or two-factor authentication, for example.
Yet, because schemes do not directly provide access to actual cash – and many people regard them as a bonus they would not have received if they hadn’t made the purchases – they pay less attention to safeguarding their card or account than they would their bank account. This makes them vulnerable to fraud.
Account takeover, in other words having your loyalty scheme account unlawfully accessed, can result from:
- Using the same login details (email address and password) as another account which has suffered a data breach. This may be especially so where people have been members of loyalty schemes dating back to when strong and unique passwords were not as important.
- Being duped or manipulated into revealing your loyalty card serial number online, on the phone or in person.
- Losing your loyalty card, or having it stolen.
- Your card being cloned.
- Using third-party loyalty apps which collect your details including your name, address, telephone number, date of birth and shopping habits. Such apps may not be secure, or could be fraudulent. Alternatively, such app operators could sell your data to other organisations, resulting in you being spammed with phone calls, emails and/or texts.
How to avoid loyalty card fraud
- Treat your loyalty card with the same care as you would a bank or store card. Remember, it is an asset with real value.
- Never reveal your card number to anybody who you are not certain is from the provider, or an organisation with whom you are redeeming points. Fraudulent requests may be via email, phone call, text, a link in a social media post or as part of a competition entry.
- If you have any doubts about a call, email, text or other message claiming to be from your loyalty card provider, call back on the number on the back of the card.
- Do not post photos of your loyalty card on social media.
- Select a strong password, and ensure that you do not use the same one for your loyalty card as you do for any other account. This advice applies to all online accounts.
- Change your password periodically – to one that is very different from your existing one – in case your username/email and password appear on a list of hacked login details being shared between criminals.
- Log out of your account on your loyalty card website or app when you have completed your transaction, or finished checking your balance. Simply closing the page or app may not be sufficient to log out.
- Never enter login or other personal details on third-party loyalty apps, in other words those not operated directly by individual loyalty scheme operators themselves. Authentic operators have no association with these spurious apps, so they are not bound by the appropriate privacy and cookie policies. If in doubt, ask the official loyalty scheme operators.
- Check your points balance regularly online or in store.
- If you are the victim of loyalty card fraud, report it to your loyalty scheme operator immediately via the contact details on their official website.