As companies strive to become more successful than their competition, they can find it a struggle to secure new clients and retain their current customers. Loyalty programs are often seen as an answer to solving these difficulties and have become one of the most popular ways to improve customer engagement and retention. To put it simply, these programs give either a welcome bonus or a reward for constantly buying something from the same retailer. Such campaigns are well received amongst consumers and, according to a Kaspersky survey, 53% of customers have purchased something with their bonus points.
Loyalty programs first appeared at the end of the 19th century in the form of copper tokens and special stamps, which could be exchanged for bonus points. By the 1990s loyalty cards were become familiar amongst consumers – these plastic cards with a barcode or magnetic line helped customers top up their loyalty points quickly and stored them in one place. However, today, these cards are becoming redundant as people prefer to shop online, with 70% of consumers worldwide purchasing goods via the internet.
Now, many merchants are turning to digital loyalty programs. They enable a seamless customer experience, allowing shoppers to access their account from any device, check how many loyalty points they have and even transfer them to a friend or put them towards their next online purchase. Nonetheless, there is a fly in the ointment. Digital loyalty programs may allow malefactors to conduct malicious activity as well. In practice, there are two common scenarios of how a loyalty program can be leveraged by fraudsters.
Bonus points takeover
There are different ways malefactors can gain access to the accounts of reward program participants. They can brute force the password for a certain email. The task can be even simpler as an attacker can try to use credentials which were previously compromised in a breach or data leak. It increases the chances of success, as people tend to use the same passwords for different accounts. Malicious programs that covertly collect passwords and usernames (password stealers) can also help an attacker attain valid credentials.
Once a malefactor has access to a personal account, they have several opportunities to make their actions profitable. Firstly, if the loyalty program allows bonus points to be transferred between accounts, a fraudster can then send all the collected points from the breached account to their own. Otherwise, they can use their own delivery address to buy goods for themselves using the breached account. Secondly, if malefactors don’t need anything from the retailer, they can sell stolen account details on the dark web. For example, there is a thriving business for selling frequent flier miles. This crime is widespread – according to our survey, about 70% of respondents have either personally found out that their loyalty points have disappeared or know people who faced this situation[1].
Besides this, hackers can access not only the loyalty points, but also personal information – be it addresses, phone numbers or shopping preferences.
Welcome gifts for fraudsters
Accounts of existing users are not the only target for cybercriminals. It’s even easier for fraudsters to jeopardise and take advantage of welcome points given to new customers. They can register multiple fake accounts to accumulate points. On one occasion, Kaspersky’s fraud analytics team discovered a case in which fraudsters had created almost 3,000 accounts registered with just a single email address. It was possible because Gmail and the e-commerce platform involved have a different approach on how to identify emails. Gmail doesn’t distinguish dots in emails making johnsmith@gmail.com and j.o.h.n.s.m.i.t.h@gmail.com the same address for an email service, which guarantees that addressee will receive a message even if someone used a dot by mistake.
“Pic. 1 – The scheme depicting how legal users and devices are interconnected “
Usually, a group of fraudsters uses a limited set of devices to create and control a plethora of bogus accounts. Pic.2 demonstrates how this scheme differs from legitimate usage (which is visible in Pic. 1.), when a user logs in into their account from several devices. For example, Kaspersky’s fraud analytics team once revealed more than 9,000 fake accounts controlled by a group of people from several devices who were trying to attain bonuses from a major marketplace platform. However, sometimes fraudsters do not even bother themselves with finding several devices, as on the platform we also detected around 230 accounts registered from one device.
“Pic 2. Scheme showing fraudulent scheme where numerous fake accounts are created from a single device”
So, what do fraudsters do with the welcome bonuses they illegally generate? They can find a legitimate user and ask to opt for a product from them with a discount, which is greater than a merchant suggests to newly-registered users, even taking into account that the fraudsters keep some of the money as income. The more people they attract, the bigger discount they have as a frequent customer. With this, there is no need for surfing the dark web – this activity can be easily found on popular peer-to-peer e-commerce websites or social media.
If a business does not pay attention to fake accounts, it may believe that its loyalty program effectively drives sales, while in reality it is helping fraudsters gain a profit.
A loyalty program can be an effective marketing tool, but fraud can turn it from a benefit to a burden. If a company’s loyalty scheme is exploited, the business will not only lose potential clients and profit, but also face the negative reaction of those who it is trying to attract if one day bonuses suddenly start to disappear.
Normally, customers don’t care about the security of their bonus points. For instance, our survey revealed that only 26% of consumers always remember how many points they have[2]. The main reason behind that is that consumers don’t see loyalty points as their currency – unless these points totally disappear from their accounts, leaving the customer disappointed with the seller. However, with businesses devoting budget towards loyalty programs and giving them a defined ROI, it’s clear that bonuses are considered an equivalent to real money.
To protect loyalty programs from fraud, we recommend merchants consider a fraud prevention solution that:
- Can identify unique devices, and if the device in use is unique to the program
- Discover fake account generation by applying biometry and signature to detect bots
- Discover anomalies in how browser windows are opened with machine learning models
Balance usability and security and use additional authentication steps only in suspicious cases through risk-based authentication for loyalty accounts. This will help to prevent account takeovers
[1] ‘P7N27 Loyalty points lost/disappeared with no clear reason by Money Banner
[2] ‘P7N21 How many loyalty points you have at any moment in time by Money Banner
