Loyalty programmes are financial targets. Points and wallet balances have real monetary value, making them attractive to fraudsters. Here's what to watch for and how to protect your programme.
Common Attack Vectors
Account Takeover (ATO)
Attackers use stolen credentials to access customer accounts and drain their points or wallet balance. Prevention: enforce 2FA, monitor for unusual login patterns (new device + immediate redemption), and flag large redemptions for review.
Referral Abuse
Creating fake accounts to earn referral bonuses. Prevention: verify phone numbers, require a qualifying purchase before referral credit is released, and flag accounts that refer but never transact.
Transaction Manipulation
Exploiting race conditions or API vulnerabilities to earn points on cancelled or refunded transactions. Prevention: process refunds synchronously with point reversals, implement transaction signing, and audit earn-vs-spend ratios.
Employee Fraud
Staff crediting loyalty points to their own accounts or phantom accounts. Prevention: audit trails on all manual point adjustments, separation of duties, and anomaly detection on staff-linked accounts.
Detection Principles
- Monitor velocity — how fast are points being earned or redeemed?
- Watch for pattern breaks — a customer who usually earns 50 points/week suddenly earns 5,000 in a week
- Audit high-value events — large redemptions, tier jumps, bulk referrals
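As an added example (not code from the original article), here is a Python pass over a constructed points ledger that applies the velocity, pattern-break and high-value rules above, plus the "new device + immediate redemption" ATO signal from the Account Takeover section. The thresholds, field layout and sample events are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumed values for this example, not from the article).
VELOCITY_WINDOW = timedelta(hours=24)      # rolling window for earn velocity
VELOCITY_LIMIT = 1000                      # points earned in the window before flagging
PATTERN_MULT = 10                          # earn > N x the customer's prior average earn
NEW_DEVICE_WINDOW = timedelta(minutes=30)  # redeem this soon after a device first appears
LARGE_REDEMPTION = 10000                   # absolute redemption size that needs review

# Constructed sample ledger (not real data): (customer, ISO timestamp, kind, points, device).
SAMPLE_LEDGER = [
    ("c1", "2024-03-01T10:00:00", "earn", 50, "dev-A"),
    ("c1", "2024-03-08T10:00:00", "earn", 50, "dev-A"),
    ("c3", "2024-03-10T12:00:00", "login", 0, "dev-C"),
    ("c1", "2024-03-15T10:00:00", "earn", 50, "dev-A"),
    ("c2", "2024-03-20T09:00:00", "login", 0, "dev-B"),     # first time dev-B is seen for c2
    ("c2", "2024-03-20T09:03:00", "redeem", 800, "dev-B"),  # redeemed 3 minutes later
    ("c3", "2024-03-21T12:00:00", "redeem", 20000, "dev-C"),
    ("c1", "2024-03-22T10:00:00", "earn", 5000, "dev-A"),   # 100x the usual weekly earn
]

def parse(ledger):
    return [(c, datetime.fromisoformat(ts), kind, pts, dev) for c, ts, kind, pts, dev in ledger]

def flag_events(ledger):
    """Return (customer, rule, points) alerts, walking the ledger in time order."""
    alerts = []
    recent_earns = defaultdict(list)   # customer -> [(ts, pts)] inside VELOCITY_WINDOW
    earn_history = defaultdict(list)   # customer -> every prior earn amount (the baseline)
    device_seen = {}                   # (customer, device) -> first time that pair was seen
    for cust, ts, kind, pts, dev in sorted(parse(ledger), key=lambda e: e[1]):
        first_seen = device_seen.setdefault((cust, dev), ts)
        if kind == "earn":
            hist = earn_history[cust]
            # Pattern break: compare against the customer's own history, not a global number.
            if len(hist) >= 2 and pts > PATTERN_MULT * (sum(hist) / len(hist)):
                alerts.append((cust, "pattern_break", pts))
            # Velocity: total earned inside the rolling window, including this event.
            window = [(t, p) for t, p in recent_earns[cust] if ts - t <= VELOCITY_WINDOW]
            window.append((ts, pts))
            recent_earns[cust] = window
            if sum(p for _, p in window) > VELOCITY_LIMIT:
                alerts.append((cust, "velocity", pts))
            hist.append(pts)
        elif kind == "redeem":
            # ATO signal: a redemption shortly after a device appears on the account.
            if ts - first_seen <= NEW_DEVICE_WINDOW:
                alerts.append((cust, "new_device_redeem", pts))
            if pts >= LARGE_REDEMPTION:
                alerts.append((cust, "large_redemption", pts))
    return alerts
```

Alerts are only review queue input; tune the thresholds per programme, since a legitimate tier promotion or bulk purchase will also trip the pattern-break rule.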