Is this Loyalty Fraud? Join us at the Loyalty Fraud Prevention Conference in Brighton in May to discuss
Editorial Commentary by Christopher Staab, Co-Founder, LFPA, 23 April 2019
I recently booked a Marriott property with my Bonvoy Loyalty Points. At the time of booking, a cancellation policy of 48 hours prior to arrival without penalty was displayed to me by Marriott(dot)com. Additionally, there was no information disclosed about a credit card deposit required with this booking. However, the property subsequently charged my credit card on file with Marriott a $122 deposit for this 3-night stay. This was on top of the Bonvoy Points that were deducted.
As my plans changed, I decided to cancel. I then discovered that my reservation had been changed to a “Pre-Pay and Stay” rate that was not cancellable. To figure out what was going on, I did a test booking for another reservation at this same property. It was still coming up with a 48-hour cancellation policy with no deposit disclosed.
Accordingly, I called the elite number of Marriott to cancel. The agent was also unable to cancel my “Pre-Pay and Stay Rate” and so she called the hotel, which informed her that they had changed their policy and that cancellation was now only permitted within 24 hours after booking. The agent also did a test booking while speaking to the property and found the same thing that I had. The hotel showed a 48-hour cancellation policy and there was no information relayed about a credit card deposit.
The property informed this agent that they would refund my stay since I was an elite member of the Bonvoy Program and I have since been refunded the credit card deposit and the loyalty points. However, I have a few questions:
- How is a hotel property changing loyalty redemption reservations with a 48 hour prior cancellation policy to non-cancellable pre-paid rates?
- Why is the hotel charging a deposit on loyalty stays without disclosure to the customer?
- Is the property purposefully turning cancellable rates into non-cancellable ones in order to keep undisclosed deposit monies upon cancellation?
- Is this an example of hotel franchise fraud?
To look at these questions and many more related to loyalty program frauds, gaming and database breaches, join us at the Loyalty Fraud Prevention Conference in Brighton from the 7th to the 9th of May 2019.
And, join the Loyalty Fraud LinkedIn Group here: https://www.linkedin.com/groups/8551103
Editorial: Fighting fraud can’t be a competitive issue since criminals are not “brand loyal”. Just the way companies are fighting card payment fraud, there is a need to combat loyalty fraud in a similar manner, writes Ritesh Gupta.
Revenue leakage, clean fraud, fresh fraud, criminal fraud… you may have heard of all of these. But there is one more type of fraud to add to the list: loyalty fraud.
Loyalty fraud isn’t a typical phenomenon anymore. In fact, nothing is worse than the fact that companies haven’t come to grips with this menace.
This is exemplified by the fact that not only hackers, but also current employees and ex-staff are indulging in illegitimate activities related to Customer Loyalty Programs such as Frequent Flyer Programs (FFPs) and Hotel Guest Programs. Not only are miles/points claimed or awarded fraudulently, but the brand value as well as the trust of the customers take a beating.
A couple of months ago Air India was embroiled in one such controversy. Type “Air India loyalty” on Google UK or Google India, and on the first page itself there is a news link about theft of passengers’ frequent flyer miles. This means any search about Air India’s loyalty program can have a detrimental impact on the brand, and a negative impact on the association of a passenger with the airline or its FFP.
As it turned out, in the case of Air India, FFP accounts were hacked and the group of fraudsters also included an ex-employee. He apparently had access to Air India’s intranet and Internet-based systems.
“This is completely unacceptable (ex-staff gaining access even after not being associated with the organization),” stated Peter Maeder, Co-Founder & Secretary, Loyalty Fraud Prevention Association (LFPA), a new entity set up to fight loyalty fraud.
Stealing of points/miles is attractive
FFPs and Loyalty Programs worldwide continue to face capacity, regulatory, accounting and liability pressures, notwithstanding the fact that they compete for “share of mind” in an over-crowded loyalty environment.
Loyalty Programs have evolved, and as a result the earning and redemption options today are more numerous than ever. Maeder says that because of the new accounting rules introduced in 2008/2009, loyalty program managers are seeking more ways for their customers to redeem their points and miles. “Therefore, cash-like redemption programs are on the increase. As a result, stealing points/miles has become much more interesting for the criminal fraternity. Furthermore, so-called “friendly fraud” - we should not talk about “friendly” fraud, fraud is a criminal act and can’t be friendly! - is very simply done by all people involved in loyalty programs (staff, but also travel agents or other third party organizations),” explained Maeder.
Simple measures first
Maeder says it’s imperative that companies comprehend all possibilities of fraud - fraud by members, staff, travel agents, partners, data breaches/hacks/malware, etc. - and accordingly train relevant teams and find ways to forge reliability and security across the organization. “Rather than just dwelling on costly initiatives from the beginning, a solid foundation needs to be in place – enforcing certain values and creating awareness. Companies owe it to their loyal customers – protecting their data and shielding their reputation. This is absolutely mandatory at this juncture,” said Maeder. For example, a tendency to keep simple passwords is still there, and this can result in a compromise of any IT system if staff go ahead with, say, “123456” as a password.
“Fighting fraud requires resources, both human (trained and dedicated staff) and technical (secure IT infrastructure). Many loyalty programs are being run on legacy IT systems, which are prone to hacking.
“A professional organization is another requirement - Loyalty Programs are just starting to invest in developing teams and systems to respond adequately to the rapidly increasing threat. Not investing can cost even more money, but above all their reputation! Does it require media pressure, until the loyalty industry wakes up and starts taking the necessary steps to fight the phenomenon?” questioned Maeder.
Companies with Loyalty Programs need to take simple measures first to ascertain the danger of cyber security and gradually move on to embracing high-level risk-based rule engines to monitor accounts for suspicious or unusual activity, and establishing automatic alerts for questionable activities.
For instance, Maeder referred to penetration tests. These evaluate the effectiveness of information security controls as implemented in the real world. The advantage of penetration testing is knowing a system’s vulnerabilities before an invader gets to know them. This way, areas susceptible to attack are exposed, and remedial initiatives can be taken accordingly to foster a secure environment. Other than evaluating the threat from outsiders, an internal assessment, too, can be done with the assistance of specially designed plug-computers to replicate an attack from within the client’s network.
Maeder referred to an important point when we talk of collective improvement.
“The credit card industry has long recognized that fraud is a significant cost factor to all parties involved in card payments. Therefore, they have set up standards, guidelines and rules that have to be adhered to when accepting or transmitting credit card data (the Payment Card Industry Data Security Standards or PCI DSS).
“To date, there is no body/organization that seeks to support the loyalty industry in a similar way,” pointed out Maeder. “Some companies have invested significant time and money to make their card payment infrastructure more secure and have been able to reduce their losses due to fraud. Unfortunately, similar efforts have not yet been undertaken so far and the hackers are clearly taking advantage of these “opportunities”.”
Hackers, who are usually a step ahead of the “good guys”, have started to switch their activities to loyalty programs, which are not as well protected as card programs. Also, the airline industry, among other industries, is working together in fighting card payment fraud – work groups, data sharing, chat forums, etc. “Nothing similar is available so far in the loyalty area,” said Maeder, who added that the objective of the LFPA is to provide guidelines, share best practices, offer training and exchange ideas about fighting loyalty fraud.
Collaboration is definitely going to be an important weapon in the armoury. Maeder made an important remark.
“Fighting fraud can’t be a competitive issue – the criminals are not “brand loyal”,” he said.
The LFPA will allow and encourage collaboration among industry professionals by running chat forums (open to registered members only), providing a database of data elements that have been used in confirmed fraudulent transactions, workshops where best practices are being discussed and developed, webinars, and conferences. “We are not reinventing the wheel, but are using the experience gained in fighting credit card fraud. Membership is open to all parties involved in running loyalty programs. However, participation in work groups, chat forums, etc. is limited to registered members only,” he said.
Editorial by Michael Smith, Managing Partner, Airline Information & Co-Founder, LFPA
Survey research carried out by Airline Information revealed that 72% of airline loyalty programs have an issue with fraud. Additionally, 30% of airline programs reported the problem was growing rapidly year-on-year. However, surprisingly, 10% of airline loyalty programs didn’t know if they had a fraud problem or didn't know that it was possible for loyalty fraud to occur.
Miles and points have truly become cash. In addition to being redeemed for flights or hotel stays, they can now be turned into many goods & services, including gift cards, which are effectively cash. In many cases, loyalty fraud is occurring because people have their accounts hacked or stolen, since fraudsters have realised that consumers and companies handle the security on loyalty accounts with less precaution than they would bank accounts. However, many customers may have loyalty points worth thousands of dollars.
The research revealed that the most pressing loyalty fraud problem involved criminals posing as “travel agents” using either stolen or illegally bought miles to turn into tickets, which are then sold to unsuspecting customers. Often the customer does not know this is the case until they try to claim the frequent flyer miles earned on the itinerary.