Michael Smith (Board Advisor, Airline Information) joined us at our 2022 Annual International Loyalty Conference to discuss ‘Immunising your Loyalty Program Against Fraud’.
While Michael was unable to participate in a live Q&A during the conference, he has kindly provided answers to seven of our audience’s top-rated questions. Read his answers below.
Would you consider credit card loyalty gamers (getting the card for the bonus points then cancelling the card) and applying for another card from another bank to get the bonus points and repeating this again as fraud?
The gamers are certainly active anywhere there are large promotional bonuses. There are a myriad of different legal definitions of fraud and we’ve tended to view it as “getting a benefit for which they are not entitled”. It can be a tad more complex than that, but, to take my cashier example, they are not entitled to the program benefits by swiping their card.
Some of this type of gaming comes down to the program/promotion design. If you’ve done the promotional ROI and the rules in such a way that you take account of the people that will jump through all the hoops, spend the required amount and then not renew and/or cancel (assuming your T&Cs then allow clawback if that’s part of the promotion) then that’s probably not fraud. If they are constantly recycling then promotional abuse, but, in those cases, when the customer re-appears at the next promotion, then identifying them before issuing any points is probably an effective strategy (harder to spot if they’ve gone to another bank though.)
Monitoring the blogs – in the airline world FlyerTalk and others – will let you see the folks that are promoting the various bonuses and any ways around T&Cs. It might not stop promotional abuse for something that you have just launched, but might give you some pointers to help prevent it the next time.
In the Loyalty Security Alliance, this is an ongoing topic for debate. My personal view is that it isn’t fraud (if they jump through the conditions you set then the benefits are for them) but means better promotional design if someone discovers a loophole!
Are Loyalty Fraud laws in AU/ state-wide strong?
This is an interesting one. I’m not an Australian (or other territory) legal expert and someone like Lincoln Hunter is probably much more qualified to answer this.
What I do know is that (a) there is an interesting bit about jurisdiction – if I live in Victoria and I defraud an entity in NSW who is responsible from the authorities side and (b) the likes of the FBI and Europol who have been to the LSA events have been mainly there because of their interest in the associated criminality.
In my presentation I mentioned about the hotel program being defrauded with the points being turned in to free hotel nights which were being used by a prostitution ring. That was where the police and the authorities were interested. Not the poor person’s account that had been cleared out.
As yet, it is not something that has come up as a major issue – yet. A few years back I was approached by a BBC researcher as they wanted to feature it on a radio program. But that never went anywhere!
Not sure if that answers the question or not!
In countries where naming conventions and use ( eg Middle East) do not follow set norms (first name/last name), what is the easiest way to verify credit card holders name and member ID name, when they are likely to not be the same?
There’s a bit of a wider question here in terms of KYC/Know Your Customer. Banks in most parts of the world have to do KYC checks, but loyalty programs don’t. There’s a cost in doing the KYC checks and, in the past, that wasn’t something that programs either thought to do, had to do, or were willing to pay for.
If I was answering this in person, I’d try to find out why you want to match them, so I am going to have to assume some reasons why you might, so forgive me if I am getting the wrong end of the stick with what you are after. If your program allows people to store card details and then process transactions, then you could then see if the name on the card was one thing and the name on the account another (in a slightly different format.) Assuming the bank has done KYC and transaction process on the card, then you could assume that things are ok. And perhaps have a report that highlights these mismatches and if there are large numbers then it might be a red flag – or it might just be as you suggest, naming differences.
Alternatively, if you are looking at sign up bonuses for a card and the names mismatch, then, from my experience of looking after these card programs if the card name and loyalty program name didn’t match then the miles weren’t posted and that information returned to the issuing/bank partner for them to handle direct with their customer. The hand back file would include the reason for the non posting – invalid account number, name mismatch or whatever reason the miles didn’t post. From there, the bank/issuer could contact the customer to figure out what had gone wrong.
Are there particular industries that are more susceptible to loyalty fraud than others and are there any early warning signs that we should be looking out for?
In terms of Account Take Over, you can (apparently) buy $10 Pizza Hut reward vouchers on the dark net. So, it looks like anyone can be hit!
Having said that, the bigger the program and the richer the program are more the targets of the organised scammers. If you split the warning signs in to two areas – one at the corporate level, where IT is looking at all the hits to the website and the various attacks – for example, Qantas has a C level executive who is watching out for all of these kinds of signals.
The next level is, for want of a better phrase “account entry”. So, how often are attempts being made to access an account. How does that look in terms of past history (both earning and redeeming). If you look at the graphic from the Arkose people there are lots of signals/signs that working with IT with throw up red flags.
So, where’s there’s decent value in an account and where that account can easily be turned to cash or near cash (like that flat screen TV) is the main target. Although, $10 Pizza Hut reward vouchers have also shown up!
Customers aren’t always aware their Reward numbers are on their boarding passes, do airlines see fraud in this way when boarding passes are discarded in airports?
In previous presentations on this topic, I’ve included this type of “security flaw” as one of the ways people can get a couple of bits of data to help them access an account. Two seconds on google and you’ll get plenty of boarding pass images with the numbers clearly shown, as well as lots of them lying around at airports too.
So, whilst this might be one way of gaining access, it is generally on a smaller scale than get data in a breach or from bots.
Hotel staff can often see the number too on a booking form, so it is not just airlines!
I believe that Qantas has stopped putting the number (or masking some of the numbers) on their boarding pass and we’ve mentioned it several times to IATA (the airline trade association) and maybe, slowly, like the credit card numbers on receipts being masked, that will start to happen.
Did the COVID lockdowns see an increase in Loyalty Program fraud, or has it been increasing YOY?
We are currently in the process of doing some research to see what has happened. We’ve heard from some people saying it is up, and others saying it remains the same. There are plenty of stats for Account Take Over in general which shows really big increases and whilst it isn’t broken down in to what types of account (like loyalty) given many of these surveys are all showing big increases, there’s a good chance that it is increasing.
A few years back in Adam Posner’s “For love or Money” report he asked if Australians had been the victim of loyalty fraud. That number was 3% saying they had. It didn’t quantify their loss (if any) but if larger value accounts are cleared out, then 3% doesn’t sound many, but, could be significant value.
Is there not a worry about “passive”/”lazy” loyalty and driving up costs by rewarding people/giving points to people that aren’t actively participating in your programme? Once they signup to card linking, they might just forget about it? How do you make sure you’re actively getting those members to engage? Do you see companies having this issue?
The eternal challenge – how to not pay for business you would have got anyway!
I could wax lyrical about engagement and promotions (as well as preventing fraud!) as it is the holy grail for any serious program manager. Might I suggest (since there is a chapter on Loyalty Fraud in there too) that there’s some great, detailed info, in the Complete Guide to Loyalty Programs which might answer some of this question better!
About Michael Smith
Michael Smith is a co-founder of the Loyalty Security Alliance (LSA) as well as a Board Advisor for Airline Information (Ai Events). Ai Events run conferences for Loyalty Programs (including Fraud) as well as Payments, Co-brand cards and Ancillary Merchandising for the airline and travel industries.
With a career spanning British Airways (managing the non air partner’s of BA’s Frequent Flyer Program, the Executive Club) and Financial Services he’s a frequent speaker at events on the topics of Account Take-over, Loyalty as well as Loyalty Fraud.
