Loyalty fraud: What is it really?
14 November 2016
There is no doubt that fraud is one of the burning issues for many travel loyalty programs. But before looking into remedies, it is worth understanding what fraud is all about, since there is a lot of confusion on this point, often created by self-proclaimed specialists.
Fraud is nothing new to the travel industry as a whole. Credit card fraud has been a topic for much of the past two decades and corresponding technical solutions are widely deployed in the industry. Given the global nature of the travel business, this is indeed a topic not to be underestimated by any market participant.
Fraud at the level of loyalty programs started to emerge only much later, at the beginning of the current decade. There is indeed a small overlap with classical credit card fraud for any payment-related activities within a loyalty program, such as the payment of taxes on award tickets or the purchase of points. That kind of fraud should hence be covered by the normal credit card prevention mechanisms in place.
As an extension to that, there is a lot of talk about the criminal hacking of loyalty accounts, which is indeed done in a fairly organised manner and on a large scale in certain markets. The regular warning e-mails about phishing attempts that many loyalty programs send to their members bear witness to that issue.
On the back of that fear, some technology-focused experts reduce fraud to that perspective, trying to push their corresponding solutions to prevent hacking attacks and the like. There is nothing to be said against such solutions, which are often extensions to existing credit card fraud solutions. But airlines or hotels that buy and deploy such solutions and think that loyalty fraud is off the table for them should think again, because they are simply missing a trick and might have covered, at best, a very small part of the fraud issue.
So if I say fraud is not about all these things, what is it about?
As a matter of fact, it is about three things: about the loyalty IT platform, about management processes and about customer behaviour.
It is easy to understand that the combination of these three main topics, with their countless sub-topics, is individual to each loyalty program operator. While there are certainly lessons to be learned from other companies, a thorough individual analysis of all relevant aspects is definitely required as part of an initial status quo analysis before thinking about how to correct them. Questions to be looked at as part of that process include: Are there loopholes in the IT system? Who has access to the system? How is the redemption behaviour of members controlled? What are the standard sanction procedures against fraudsters?
Once this assessment is made, you can look into addressing the issues, aiming at reducing both internal and external fraud. This will, to put it simply, consist of a mix of prevention mechanisms and the introduction of intelligent tracking logic. As a very easy example, your program obviously has to allow the accrual of miles on First Class flights and would typically be open to members worldwide. Many programs would also like to give members the possibility to transfer awards to third parties. But if you have a member in Nigeria accruing miles on a First Class flight each day and having his awards used by somebody flying between North and South America, it would be wise to have a closer look at this account.
All this is not necessarily related to hacking accounts and does not even require a lot of criminal energy; members just use weaknesses of the system to their own benefit. Phishing victims can actually be protected pretty easily by some simple mechanisms as part of a fraud prevention system, which might be even easier than fighting permanently against the technology advancements of professional hackers to prevent hacking attempts upfront. Unfortunately, loyalty fraud goes far beyond that dimension.
Our experience shows that it is much more common for a call center agent next door to credit 1,000 miles to his account each day, because nobody controls such postings, than for hackers to manage to take control of an account. Such losses might not even be visible to you, since you don't have a victim coming to you and asking what happened to his points. But be assured that they are much, much higher than you dare to presume.
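The two tracking rules described above (accruals in one region with awards flown by a third party elsewhere, and unchecked agent postings to the agent's own account), sketched as an added example that is not part of the original article. The record layout, account ids, region codes, staff mapping and thresholds are all assumptions, and the data is constructed.

```python
from collections import defaultdict

# Constructed sample postings; every field name and value is an assumption.
# (day, account, kind, miles, posted_by, region, traveller)
POSTINGS = [
    ("2016-11-01", "M-1001", "flight_accrual", 9000, "system", "AF", "M-1001"),
    ("2016-11-02", "M-1001", "flight_accrual", 9000, "system", "AF", "M-1001"),
    ("2016-11-03", "M-1001", "flight_accrual", 9000, "system", "AF", "M-1001"),
    ("2016-11-04", "M-1001", "award", -25000, "system", "AM", "P-7788"),
    ("2016-11-01", "M-2002", "manual_credit", 1000, "agent17", None, None),
    ("2016-11-02", "M-2002", "manual_credit", 1000, "agent17", None, None),
    ("2016-11-03", "M-2002", "manual_credit", 1000, "agent17", None, None),
    ("2016-11-02", "M-3003", "manual_credit", 500, "agent04", None, None),
    ("2016-11-05", "M-3003", "flight_accrual", 1200, "system", "EU", "M-3003"),
    ("2016-11-09", "M-3003", "award", -10000, "system", "EU", "M-3003"),
]
# Hypothetical mapping of staff logins to the staff member's own account.
AGENT_OWN_ACCOUNT = {"agent17": "M-2002", "agent04": "M-9999"}


def self_credits(postings, agent_accounts, min_days=3):
    """Agents who manually credited their own account on >= min_days days."""
    days = defaultdict(set)
    for day, account, kind, _miles, posted_by, _region, _trav in postings:
        if kind == "manual_credit" and agent_accounts.get(posted_by) == account:
            days[(posted_by, account)].add(day)
    return sorted(k for k, d in days.items() if len(d) >= min_days)


def region_mismatch(postings):
    """Accounts whose awards are flown by a third party in a region
    where the account itself never accrued miles."""
    accrual_regions = defaultdict(set)
    for _d, account, kind, _m, _p, region, _t in postings:
        if kind == "flight_accrual":
            accrual_regions[account].add(region)
    flagged = set()
    for _d, account, kind, _m, _p, region, traveller in postings:
        if (kind == "award" and traveller != account
                and region not in accrual_regions[account]):
            flagged.add(account)
    return sorted(flagged)


if __name__ == "__main__":
    print("review self-credits:", self_credits(POSTINGS, AGENT_OWN_ACCOUNT))
    print("review region mismatch:", region_mismatch(POSTINGS))
```

Both functions only produce a review queue; the sanction decision stays with the management process the article describes.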
So if you don't have a decent fraud prevention system in place, you should probably look into this not only sooner rather than later, but above all start from the right angle: fraud is not a technology issue, but a management issue. And if you are already more advanced in the fraud prevention game, an external health check, with the corresponding possibilities for cross-learning from other program operators, can't do any harm in pointing you to shortcomings in your system.
The sums at stake are simply too important to mess around with that topic or to get fooled by "experts" who do not understand the full picture.