Loyalty programs are a big deal. Organizations are continually looking to reap the rewards from customer loyalty. So much so, that the global market for loyalty programs is expected to reach $215-$216 billion by 2022. However, they are often undervalued—in many cases, with the perception that they represent little more than a bonus latte or a 10 percent discount on a pair of sneakers.
But at the other end of the scale, they can represent big-ticket items: luxury hotel stays, intercontinental flights, or cash values that count towards purchases. And when the numbers are measured in the billions, it’s hardly surprising that loyalty programs and the points they represent are a prime target for fraudsters.
CNP Editor-in-Chief D.J. Murphy recently sat down with Callsign’s Joe Micara to discuss loyalty fraud, how fraudsters are leveraging loyalty programs, and why it’s so important for merchants to address it.
CNP: Why is loyalty fraud increasing?
Joe Micara: There are a number of interlinked reasons, but they boil down to the same thing. The value of points and rewards has steadily increased, while the account security has not. Often, it’s limited to just a username and password, with no other mechanisms for recognizing returning customers, or linking them to a previously used payment card or delivery address.
Tied into this is the low perception of the value and threat of loyalty fraud, from both organizations and their customers. Those 10 percent discounts will add up swiftly. Equally, a customer who lends their login details—and associated privileges—to their friends also deprives a business of revenue.
It bites both ways, though. With credentials exposed by data leaks freely available on the dark web, an account can be compromised and its points cleaned out long before the user is aware of it. Customers don’t habitually check their loyalty accounts with the same regularity as their bank accounts.
CNP: How are fraudsters attacking organizations and accessing loyalty points?
JM: Account Takeover (ATO) is the most common attack vector that bad actors are using. Bots, malware, scripted attacks, and Remote Access Trojans (RATs) are tried and tested approaches that fraudsters have been using for years. So it’s hardly surprising that they’ve adapted their technologies and techniques to target loyalty programs.
Equally, loopholes and account security weaknesses are being exploited to create new or fake accounts to take advantage of signup bonuses and discounts or transfer stolen points.
This is also increasingly a friendly fraud vector, with actual customers rather than organized criminals as the perpetrators. That “new” customer who’s benefitting from the 10 percent first-purchase discount might well be a returning customer with a different email address.
And if it is... what should a business do? Block the customer, or let them through in the hope that they’ll stick around?
CNP: Why is loyalty fraud such a critical thing for organizations to combat?
JM: The figures alone should give any organization pause for thought; $160 billion is no small change. If a customer has built up a stockpile of points for a big spend, and those points are then stolen, that’s a direct loss of revenue for the business.
But fraud generally carries a bill far greater than the obvious fiscal impact, and loyalty fraud is no exception.
Even if the cost to a customer is no more than a skinny latte (and at least one coffee-based loyalty program holds more money than some banks), a compromised account is a massive cause for concern. Customers are increasingly concerned about privacy and the value of their personal data. A fraudster who gains access to their account also gains access to that sensitive information—their address, contact details, and even their SSN or passport number.
On the flip side, the methods that businesses put in place to combat the bad actors are often counter-intuitive, adding increased friction to the user journey for genuine customers. In a world where competition is fierce, customers encountering the slightest bit of friction are likely to gravitate to guest checkout options and bypass loyalty programs altogether.
The potential for customer disengagement doesn’t stop there. Reputation is a serious currency for businesses, and it’s something that can take a significant hit if loyalty points are allowed to become a currency for fraudsters.
Like loyalty points, reputation is hard to win and easy to lose. Unfortunately, a single instance of fraud can do it—and so can a user journey that’s paved with friction.
Worse, failing to combat loyalty fraud has the potential for undermining those very loyalty programs, making it harder to create new programs or expand existing ones. It’s like a flywheel that feeds itself.
CNP: What are some recommendations for organizations looking to protect their loyalty programs?
JM: The critical step that needs to be taken is to tighten up security. A program requires protection at all stages of the journey: registration, transaction, redemption.
Equally, it’s imperative that any security measures that are put in place don’t impede the customer journey and dissuade genuine customers from using and benefitting from the program.
That’s something that simply can’t be delivered if you’re relying solely on a password, or additional friction-filled measures such as outmoded (and easily compromised) out-of-band authenticators such as SMS OTPs. They’re also costly to deliver, and with passwords frequently being forgotten—to the extent that password resets have become the new login—those costs swiftly mount up.
What’s needed is a shift away from outdated or legacy solutions such as cookies to passive layered technology that can help identify genuine users.
Technologies such as behavioral biometrics and device fingerprinting allow an organization to positively identify customers, passively—which helps prevent ATO and friendly fraud. And because device intelligence also detects threats, it keeps bots at bay effectively.
There’s a perception that protecting loyalty programs is difficult and costly. But it shouldn’t be complex, and it doesn’t need to be. Callsign helps organizations improve every aspect of every customer journey – boosting transactions and securing logins and, in turn, helping to build loyalty. Which, after all, is the operative word in the phrase ‘loyalty program.’
Businesses and customers alike invest time and energy in loyalty programs—don’t let it be the fraudsters who benefit.