Blog | THINKINK

Fighting Airline Loyalty Fraud: The Constantly Moving Target

Written by Vanessa Horwell | Mar 27, 2017 5:01:32 AM

The monetary value of loyalty programs continues its global ascent. In the U.S. alone, the current stored value of loyalty currency stands at approximately $50 billion, by some estimates.

That's an impressive number.

Here's another: Nearly three-fourths (72%) of all airline loyalty programs have been hacked or defrauded in some way, according to a survey of loyalty program managers.  Most members of those loyalty programs, however, are completely unaware.

Airline loyalty programs have become a more recent target for criminals as other industries, notably financial institutions, have significantly improved their fraud prevention programs and developed more effective barriers to hacking.  Apart from the increased security measures being applied across other verticals, it’s also very possible that airline loyalty programs have been singled out because of their sheer value and frequency of member interaction. How often does a consumer check the balance of their grocery or fuel rewards account instead of, say, their airline mileage balance?

While this growing problem has not gone unnoticed - airline stakeholders were instrumental in the formation of the Loyalty Fraud Prevention Association in 2016 (which among other things establishes best practices for preventing fraud) - there are no other groups dedicated to tackling travel loyalty fraud.

Just how vulnerable are loyalty programs to fraud? Reporting mileage theft doesn't necessarily meet the strict disclosure requirements of a credit card data breach, for example, but in one widely publicized case, American Airlines acknowledged that some 10,000 member accounts were affected. The full scope of that problem, however, could be many multiples of that.

Loyalty fraud typically involves the theft of loyalty currency from a member's account, employee manipulation or theft of rewards, unauthorized use of the member’s accrued rewards by someone other than the member, or outright cyberattacks directed at an entire airline’s system or loyalty program. But because the “currency” is not used frequently like actual cash (or credit), the time of theft to the time of actual detection may be weeks or months, making much harder – if not impossible – to impede.

The IT Department Doesn't Own Loyalty Program Security – Every Team Does
While loyalty programs may be seen as belonging to a marketing team’s domain, fraud issues cross many internal corporate boundaries. An aviation company called Global Flight, frames loyalty fraud in three broad categories:

  1. Loyalty IT platforms
  2. Management processes
  3. Customer behavior

The first two categories should already be in management's direct line of sight. An IT platform may represent a significant financial investment, but it's an investment that successful airlines must make to protect their the integrity of passengers’ and members’ data, and to ward off cyber thieves. But in any case, an airline cannot depend solely on its IT department to solve the growing problem of its loyalty program’s security.

When it comes to management processes, loyalty program managers and marketing teams have a more direct (and critical) role to play - a role that requires very close cooperation with IT, sales and other departments responsible data security and risk management as well as customer relations. Of course, marketing's instinctive desire to deliver a seamless and satisfying member experience risks clashing with the security concerns of IT and risk management. While overall ownership needs to be clear -- and marketing is the right place to start -- other departments need clearly defined roles and accountability to strike that balance between security and customer satisfaction.

Program Design Failures
Management processes can also explain flaws in program design. While most program fraud and data theft is committed by professional thieves or cyberhackers, some is done by program members and company employees who, for example, exploit redemption loopholes, create and fill dummy accounts, or transfer points/miles without member permission. The creativity of thieves -- both professional or the person in the next cubicle -- also points to the need for better program design that will adapt to meet new forms of fraud that seem to surface daily.

Customer Behavior is a Different Kettle of Fish
Certainly an airline has a duty to protect its customer data, and customers expect that their airline or travel brand of choice has taken all reasonable measures to protect their valuable miles and travel rewards.

But in some instances, customers are their own worst enemies.

A 2015 Connexions’ Loyalty survey uncovered a paradox: While 81% of the U.S. respondents said they consider their points or miles as valuable as cash, very few protected their points the way they would protect their money. Most were oblivious to the possibility of fraud, yet 25% said they would leave a loyalty program if it were hacked, and 17% would simply stop doing business with the organization.

What action is a loyalty program manager supposed to take? Incentive Magazine lists four steps that can apply to airlines and other industries equally:

  1. Routinely and rigorously monitor account activity, including registration and transactions, and be alert to any changes or patterns that depart from the expected member behavior(s).
  2. Increase login security measures with multiple authentication steps, with the goal of balancing customer satisfaction and the need for security.
  3. Boost internal communication about fraud and get management buy-in for increasing customers’ data protection.
  4. Educate program members about the risks of fraud and warning signs of attempted hack.

Want to learn more about the state of Loyalty Program Fraud? Register for the annual Loyalty Fraud Prevention Association Americas event in Atlanta on May 24, 2017.

Helping Loyalty Program Members Help Themselves
The last part, however, is the tricky bit. As the Connexions Loyalty survey revealed, program members profess to see the financial value of rewards, and many would flee a company if they felt that inadequate steps had been taken to guarantee the security of their data, points and mileage. But members often contribute to security failings, sometimes by simply failing to protect their log-in information and personal data.

Creating the best possible customer experience, including allaying security concerns, must extend from rewards program management to include risk management, and risk management must share in creating customer satisfaction even if, deep down, the customer is as much a security problem as a security solution.

While it won’t prevent program fraud, educating consumers and members about protecting their rewards is a critical (yet often overlooked) step in the fight against cybercrimes. As a frequent flier and longstanding member of several airline and hotel loyalty programs, I’m yet to receive any communications from these companies telling me how I can better protect my account data. I wonder if it will take a really heinous hack for their communications strategies and complacency to change?

If you would like to receive a copy of my controversial presentation at the LFPA London forum, please email me at vhorwell@thinkinkpr.com.  You can also hear more about the proliferation of loyalty program fraud by registering for my April 4 webinar, “Data Breaches, Angry Customers and a PR Crisis”.