
Written by: Bill Byrne, CPA, CIA, CISA
This blog post is part two of a two-part series on loyalty program fraud. Part one on HFTP Connect covered loyalty program fraud committed by customers and insiders.
Cyber Fraud
The last of the three loyalty program fraud threats covered in this two-part series is cyber-attacks. These attacks are typically initiated from outside the corporate walls and target everything from loyalty program points to the members’ credit card data and protected personal information (PPI). Specific to loyalty programs, stolen points can be used to make purchases or converted to gift cards, while the PPI data can be sold and exploited for account takeover attacks.
Security blogger Brian Krebs tells the story of a Hilton Honors loyalty program member whose account was breached. In that breach, a quarter-million points were stolen from the individual’s account, and the thieves used them to pay for a half-dozen stays at Hilton properties on the East Coast. After spending all the reward points in the account, the thieves used the credit card attached to it to buy even more reward points for themselves. Similar loyalty account points were also found offered for sale on the dark web for a fraction of their face value.
Being educated on the common practices of cyber criminals is a good first step toward preventing a loyalty program breach. The following describes some favorite techniques criminals use to gain unauthorized entry to loyalty program platforms and customer accounts.
- Social engineering encompasses a broad range of malicious activities designed to deceive users or I.T. administrators at a target site into revealing confidential or sensitive information. “Phishing” is a common form of social engineering that has gained awareness over the past several years and generally involves information requests via email. Smishing (SMS phishing) is similar to phishing except that it is conducted via text message, and vishing involves requests via voice calls. The list of deceptive communication methods and I.T. terms is extensive; however, the intention is generally to acquire information such as usernames, passwords, PPI data and/or credit card details. These requests come from fraudsters masquerading as a legitimate entity or other authorized party. The requests may also redirect customers to fake websites where they are prompted to enter sensitive data, which the fraudsters capture and use. Additionally, requests may come with attachments containing malware that, if downloaded, allows fraudsters to access information on your electronic device. Malware is malicious software designed to interfere with the normal functioning of an electronic device.
- Bots, also known as robots, are autonomous software applications programmed to perform tasks on a network or over the internet. The tasks performed by bots are repetitive in nature and can be performed at a much higher rate than is humanly possible. Bots can be programmed to be helpful or harmful: good bots conduct useful, legitimate tasks like retrieving, analyzing and summarizing information, while malicious bots (malware bots) perform criminal activities. Travel and hospitality companies are known targets of malicious bot activity. Malicious bots can be designed to damage or gain control over end-user devices, and within the context of loyalty programs they are being used to attack corporate websites and gain access to customer accounts.
Social engineering awareness training for employees is an important part of reducing the risk of an attack. With loyalty programs, it is just as important to build customer awareness and inform customers of the preventive actions they can take to keep their accounts safe. Actions customers can take include:
- Using unique and complicated passwords for different loyalty accounts, as this can limit the damage to one account if credentials are stolen.
- Monitoring loyalty account balances and transactions as if they were bank accounts.
- Verifying apps are from reputable sources before downloading.
- Patching/updating devices and software used to access loyalty accounts.
- Using a password manager to assist with the generation, storing and retrieval of complex passwords.
Companies can also prevent and minimize damage to loyalty accounts by providing their customers with the latest security options, which may include:
- Using a security mechanism known as multi-factor authentication. This process requires customers to use two or more factors of authentication in order to access their loyalty account.
- Providing real-time alerts of activity in loyalty accounts so that fraud can be identified quickly and potentially averted.
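To make the real-time alerting item concrete, here is an added example (not code from the original post or from any loyalty platform) of a rule-based monitor replaying loyalty account events. It raises alerts for the patterns in the Hilton Honors case described above: a login from a device the member has never used, a burst of redemptions that empties most of the balance within a day, and points bought with the card on file shortly after the balance is drained. The event fields, thresholds, member IDs and sample events are all assumptions constructed for illustration.

```python
"""Rule-based real-time alerting over loyalty account events.

Added example, not code from the original post. The event fields, the
thresholds and the sample events below are all assumptions constructed
for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Event:
    ts: datetime
    member_id: str
    kind: str            # "login", "redeem" or "buy_points"
    points: int = 0      # points redeemed, or bought with the card on file
    device: str = ""     # device identifier presented at login (assumed field)


@dataclass
class MemberState:
    balance: int
    known_devices: Set[str] = field(default_factory=set)
    redemptions: List[Event] = field(default_factory=list)  # redemptions inside the window
    burst_flagged: bool = False
    drained_at: Optional[datetime] = None


# Thresholds are assumptions; tune them to the program's real redemption patterns.
BURST_WINDOW = timedelta(hours=24)     # look-back window for redemption bursts
BURST_FRACTION = 0.5                   # alert once >50% of the balance leaves in the window
BUY_AFTER_DRAIN = timedelta(hours=72)  # card-on-file purchase this soon after a drain is suspicious


def evaluate(events: List[Event], opening_balances: Dict[str, int]) -> List[str]:
    """Replay events in time order and return the alerts a monitor would raise."""
    alerts: List[str] = []
    state = {m: MemberState(balance=b) for m, b in opening_balances.items()}

    for ev in sorted(events, key=lambda e: e.ts):
        st = state[ev.member_id]
        when = f"{ev.ts:%Y-%m-%d %H:%M}"

        if ev.kind == "login":
            # The first device ever seen is accepted; later unknown devices are flagged.
            if st.known_devices and ev.device not in st.known_devices:
                alerts.append(f"{ev.member_id} {when}: login from unrecognised device {ev.device!r}")
            st.known_devices.add(ev.device)

        elif ev.kind == "redeem":
            st.balance -= ev.points
            st.redemptions = [r for r in st.redemptions if ev.ts - r.ts <= BURST_WINDOW]
            st.redemptions.append(ev)
            window_total = sum(r.points for r in st.redemptions)
            balance_at_window_start = st.balance + window_total
            if (balance_at_window_start > 0
                    and window_total > BURST_FRACTION * balance_at_window_start
                    and not st.burst_flagged):
                hours = int(BURST_WINDOW.total_seconds() // 3600)
                alerts.append(f"{ev.member_id} {when}: {window_total} points redeemed within {hours}h "
                              f"({window_total / balance_at_window_start:.0%} of balance)")
                st.burst_flagged = True
            if st.balance <= 0:
                st.drained_at = ev.ts

        elif ev.kind == "buy_points":
            # The pattern from the Hilton Honors case: the card on file is used to
            # buy more points right after the stolen balance has been spent.
            if st.drained_at is not None and ev.ts - st.drained_at <= BUY_AFTER_DRAIN:
                hours = int(BUY_AFTER_DRAIN.total_seconds() // 3600)
                alerts.append(f"{ev.member_id} {when}: {ev.points} points bought with card on file "
                              f"within {hours}h of balance being drained")
            st.balance += ev.points

    return alerts


# Constructed sample data: one compromised member (M1001) and one normal member (M2002).
OPENING_BALANCES = {"M1001": 250_000, "M2002": 30_000}
SAMPLE_EVENTS = [
    Event(datetime(2023, 3, 1, 9, 0), "M1001", "login", device="phone-a"),
    Event(datetime(2023, 3, 3, 2, 15), "M1001", "login", device="unknown-x"),
    Event(datetime(2023, 3, 3, 2, 20), "M1001", "redeem", points=90_000),
    Event(datetime(2023, 3, 3, 2, 25), "M1001", "redeem", points=80_000),
    Event(datetime(2023, 3, 3, 2, 30), "M1001", "redeem", points=80_000),
    Event(datetime(2023, 3, 4, 11, 0), "M1001", "buy_points", points=50_000),
    Event(datetime(2023, 3, 2, 10, 0), "M2002", "login", device="laptop-b"),
    Event(datetime(2023, 3, 2, 10, 5), "M2002", "redeem", points=5_000),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS, OPENING_BALANCES):
        print(line)
```

Running the sample produces three alerts for M1001 (unknown device, 68% of the balance redeemed within 24 hours, and a card-on-file purchase a day and a half after the drain) and none for M2002. In production the same rules would run on the event stream as it arrives, with the alert text going to the member by SMS or email and to the fraud team for review.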
Identifying bot traffic on your website and then discerning whether those bots are good or bad is a lengthy and complex topic generally known as bot management. Research suggests that some of the technologies currently being deployed are limited in their ability to even distinguish human activity from bot activity. Regardless of the current level of effectiveness, implementing a bot manager software solution is a best practice. With the amount and sophistication of malicious bot activity on the rise, bot manager software can provide a deeper analysis of bot traffic and minimize fraudulent attacks.
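As an added illustration of the first step of bot management (telling scripted traffic from human traffic), the following example scores each client in a web server access log on a few simple signals: sustained request rate, a high ratio of failed login attempts, never fetching the static assets a real browser loads, switching user agents, and a user agent that declares itself automation. This is example code written for this post, not the logic of any bot-management product; the log lines use reserved documentation IP addresses and are constructed, and the signal thresholds and weights are assumptions. A self-declared crawler is marked for review rather than as malicious, since the good-or-bad decision is a separate step.

```python
"""Heuristic bot-traffic triage over web server access logs.

Added example, not code from the original post or any bot-management product.
The log lines below are constructed, and the signals and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".ico", ".woff2")
AUTOMATION_HINTS = ("python-requests", "curl", "bot", "spider")


def parse(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def score_clients(lines: List[str]) -> Dict[str, dict]:
    """Group requests by client IP and attach the bot signals each client triggers."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    result: Dict[str, dict] = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        rate = len(recs) / max(span, 1.0)           # requests per second over the observed span
        logins = [r for r in recs if r["method"] == "POST" and r["path"].startswith("/login")]
        failed = sum(1 for r in logins if r["status"] in (401, 403))
        fetched_assets = any(r["path"].lower().endswith(STATIC_SUFFIXES) for r in recs)
        agents = {r["ua"] for r in recs}

        reasons = []
        if rate > 2.0:
            reasons.append(f"{rate:.1f} req/s sustained")
        if len(logins) >= 5 and failed / len(logins) >= 0.8:
            reasons.append(f"{failed}/{len(logins)} login attempts failed")
        if len(recs) >= 5 and not fetched_assets:
            reasons.append("no static assets fetched (headless client?)")
        if len(agents) > 1:
            reasons.append(f"{len(agents)} different user agents from one address")
        if any(hint in ua.lower() for ua in agents for hint in AUTOMATION_HINTS):
            reasons.append("self-declared automation user agent")

        # Two or more independent signals: treat as scripted traffic. One signal
        # (for example, only a declared crawler UA) is left for human review.
        verdict = "likely bot" if len(reasons) >= 2 else ("review" if reasons else "likely human")
        result[ip] = {"requests": len(recs), "reasons": reasons, "verdict": verdict}
    return result


# Constructed sample log: a scripted login client, a normal browser session and a declared crawler.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0 Safari/537.36"
SAMPLE_LOG = [
    f'203.0.113.7 - - [03/Mar/2023:02:15:{i // 2:02d} +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31.0"'
    for i in range(8)
] + [
    f'198.51.100.23 - - [03/Mar/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 8120 "-" "{BROWSER_UA}"',
    f'198.51.100.23 - - [03/Mar/2023:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 44120 "-" "{BROWSER_UA}"',
    f'198.51.100.23 - - [03/Mar/2023:10:00:01 +0000] "GET /static/app.css HTTP/1.1" 200 9001 "-" "{BROWSER_UA}"',
    f'198.51.100.23 - - [03/Mar/2023:10:00:35 +0000] "POST /login HTTP/1.1" 302 0 "-" "{BROWSER_UA}"',
    f'198.51.100.23 - - [03/Mar/2023:10:00:40 +0000] "GET /account HTTP/1.1" 200 6230 "-" "{BROWSER_UA}"',
    '192.0.2.55 - - [03/Mar/2023:12:00:00 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (compatible; ExampleCrawler/1.0; +http://example.com/bot)"',
    '192.0.2.55 - - [03/Mar/2023:12:00:15 +0000] "GET /rewards HTTP/1.1" 200 5100 "-" "Mozilla/5.0 (compatible; ExampleCrawler/1.0; +http://example.com/bot)"',
    '192.0.2.55 - - [03/Mar/2023:12:00:30 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; ExampleCrawler/1.0; +http://example.com/bot)"',
]

if __name__ == "__main__":
    for ip, info in score_clients(SAMPLE_LOG).items():
        print(ip, info["verdict"], info["reasons"])
```

On the sample, the scripted client triggers four signals and is marked "likely bot", the browser session triggers none, and the crawler is marked "review" on the strength of its declared user agent alone. Signals like these are cheap to compute from logs you already keep, which makes them a useful baseline for measuring whether a bot manager product actually improves on what you can see yourself.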
Balancing the risks and rewards of your loyalty program includes having a good understanding of how susceptible your program is to fraud. Each type of fraud will have a negative financial impact. There will be the administrative costs of handling frauds. Stolen points or fraudulent redemptions will generally require some type of customer reimbursement. Loss of data and failure to comply with data privacy laws have the potential to lead to significant fines and penalties. The negative news created by customer, employee, or external frauds may have an irreversible reputational cost to the company. And, if the loyalty program has to be closed due to inadequate consideration of fraud risks and controls, there will be the sunk costs of developing and implementing a failed program.
As more digital channels become available, new fraud risks will have to be considered and more advanced security measures will have to be deployed. Knowing that you will not be able to think of every possible fraud scenario may be the motivation you need to stay vigilant against the internal and external threats to your loyalty program.

Billy Byrne, CPA, CIA, CISA has over twenty years of gaming and hospitality experience and over ten years of audit, compliance, and risk management experience. He has led audit projects and teams, analyzing risks and testing design, operating efficiency and effectiveness of controls, systems, processes and procedures.
Mr. Byrne’s counsel is invaluable (in both part one and part two of the series), as many companies fail to realize the inherent fraud risks associated with non-cash products like loyalty card programs. Criminals realize these programs are as good as cash and welcome the opportunities to steal the card data.