From Loyalty to Loss: The New Reality of Travel Rewards Fraud
Loyalty and reward program accounts have become low-security wallets.
For many, points and loyalty programs feel like a possibility: a trip that would never fit into the normal budget, a seat upgrade that turns a long haul into something you can actually endure, a family flight that would otherwise stay in the group chat as wishful thinking. However, criminals see loyalty awards as the embodiment of “easy” money as points that can be sold and cashed out leaving no trace behind.
The Email That Made His Stomach Drop
Matt Rice was scrolling through his emails during a work break when he saw a message from a major airline confirming a points redemption he did not make.
When he opened his inbox later, the subject line did not look like a warning. It read like a routine travel confirmation, the kind you usually skim.
“Thank you for your redemption for 240,000 miles.”
Matt did what most people do in the first minutes after a takeover. He tried to get in his account, tried to understand if something changed but when none of his personal information had been altered, he knew he needed to take action before the loss became permanent.
His first call to the airline came with a seven-hour estimated wait time to simply talk to a representative.
He tried again later to get a shorter wait time with varying results. He kept trying to reach someone who could help. When he finally got clarity, he learned the account had already been locked and he was asked to send proof of identity to regain access.
In total, two separate redemptions had drained almost 300,000 miles and there was no booking in his name.
The part that dragged the longest was not the panic. It was the waiting. A month to get back into the account and an additional month to get the miles returned.
Both Matt and his wife are teachers in Chicago. Travel is a luxury for them and travel rewards are the only reason why they get to see the world at all. The 300,000 miles he built up represents thousands of dollars of travel they would normally not be able to afford.
With winter break in just a few months, a typical time for family and travel for the school teacher, the time gap was critical and agonizing. For others in the same situation, the time between suffering an account takeover to receiving your points back interrupts planned trips or trips needing to be booked before availability disappeared and leaves them wondering and constantly stressing about whether the same access exists across other accounts.
Matt noticed fast because he checks his email and his balance regularly. A lot of people only learn the hard way, right when they finally try to book.
“It took me about a month to gain access back to the account… and about a month to get the 300,000 points back.”
Most people fear and talk about the theft itself. They skip the part after, the part that eats the victim's time and attention. Matt was not just fighting a hacker. He was recovering from an account takeover within a process built for routine requests.
When Matt finally got control back, the airline gave him a choice. Keep redemptions online or add a PIN that forces redemptions through a phone call.
Then came the line that reframed everything. Matt was told that if he did not establish the PIN, the airline could reserve the right not to reinstate points lost in a future hack.
Adding the PIN solved one problem but created another. If he spots award availability late at night, he cannot grab it himself. He must call. He is at the mercy of phone lines and a possible wait time for something he used to do in seconds.
The PIN was the only safe option the airline offered and thus the only real choice he could make but the tradeoff he absorbed was the result of the airline’s design choice and not a limit of what is possible.
Points Are a Stored Value
Loyalty points feel like money because they buy real trips, and in some cases, products. The difference is you rarely know the exact value until the moment you redeem, because airlines can change award pricing at any time. That uncertainty makes people watch their points less closely than cash.
Fraudsters do not have that ambiguity. They see stored value and a clean path to cash out.
Rewards balances can take years to build, but many accounts are protected like they are low stakes and many loyalty points organizations don't have Multi-Factor Authorization, or MFA. Attackers take advantage of that gap. They reuse leaked passwords on accounts that sit untouched, then move quickly to redeem, transfer or sell the value.
What Travel Brands Are Balancing
Travel brands want to stop account takeovers without slowing down real customers. The tradeoff is harder in travel because speed is part of the product. When someone is trying to grab the last award seat, seconds matter.
Loyalty accounts sit in the middle of this. They hold stored value and they are designed for fast self-service.
Jason Lane Sellers, director of fraud and identity at LexisNexis® Risk Solutions, describes travel as a prime target because it combines high value transactions, ecommerce journeys and loyalty programs that rely on trust.
Declines and false positives carry costs, too. Customer support volume rises, bookings drop and teams spend hours untangling problems. The LexisNexis® True Cost of Fraud™ Study puts a number on that compounding effect. In the latest North America merchant edition, the average merchant spends $4.60 for every $1 lost to fraud due not only to the loss itself, but the downstream work as well.
Reduce friction too far and takeover can become easier. Add friction in the wrong places and you may push away legitimate travelers.
Brands get boxed in by those tradeoffs. If controls are too light, takeovers get easier. If friction shows up at the wrong moment, legitimate travelers bail.
Matt’s experience sits inside that reality. He now sits comfortably in multi-factor authentication and step-up checks because like any recent fraud victim, he now treats them as basic protection. He also pointed out that some airlines offer stronger safeguards, which changes how safe he feels using them.
He described the day-to-day mess of modern account management, too. Families juggle multiple airline accounts and programs which increases the odds that security breaks down even for careful people.
This is where loyalty fraud becomes a broader identity story and rarely stays contained. Once a fraudster exposes credentials tied to an email, a device or a pattern of behavior, it can lead to fraud in other accounts.
He pointed out that some airlines already offer stronger protections and that changes how safe he feels using them.
Stopping Takeover Without Punishing Travelers
People book fast, sometimes from unfamiliar places and devices. Reward redemptions are time sensitive because award seats can vanish in minutes.
That creates a hard requirement for fraud teams: Stop account takeover and cash out attempts without adding unnecessary friction that makes legitimate travelers lose the trip.
Better defenses focus on three moments: the cash out attempt, high risk account changes and the moments when you need proof a real person is present.
Security does not have to mean a worse customer experience but it often does when the response is blanket restrictions. Matt got his miles back though he lost the ability to redeem online.
That is the reality for this airline right now. It is also avoidable when a brand can separate trusted behavior from suspicious behavior in real time by applying step-up checks only where they are warranted.
Better defenses can stop the cash out before they happen.
Stop the cash out moment
Redemption is where takeover becomes loss. Product and services providers should use device and digital identity signals to spot abnormal sessions before miles move.
Redemptions are time sensitive, so detection has to be fast.
Strengthen account security and high-risk detail changes
Attackers change email, phone, password and recovery options once they are inside. Add step-up checks when email, phone or password changes or when risk spikes.
Verify the person when it matters most
When risk is high, confirm a real person is present without sending everyone to a call queue. This avoids punishing the customer who just got hacked.
What Travelers Should Keep in Mind
Turn On Multi-Factor Authentication
Helps stop easy takeovers at login
Check Your Balance Regularly
Spot takeovers quickly
Don’t Click Unexpected Links
Go directly to the official site to prevent some types of fraud
Use A Trusted Password Manager
Re-used passwords can sink multiple accounts
Report Suspicious Redemptions
Speed can help change outcomes
Avoid Public Wi-Fi for Account Logins
Fraudsters can capture credentials in transit
Matt got his miles back. That is the clean ending that people want but it is not guaranteed. We do know that the stolen miles were used to book what appears to be a family trip from Manchester to New York, but it remains a mystery what happened to the tickets or the traveling family after Matt got his miles back.
What his story really shows is how thin the line is between a loyalty balance feeling like an abstract perk and that same balance becoming the most stressful thing in your week.
His story shows how fast a loyalty balance can flip from a perk to a personal crisis, mainly because recovery is slow and cash out is fast.
Rewards fraud fits the fraudster playbook because it's low friction, quickly converted and points sit in accounts that consumers rarely monitor.
For deeper data on how these tactics are evolving across industries, including the role of AI in scaling attempts, read the Global State of Fraud and Identity Report.
This document is for informational purposes only and does not guarantee the functionality or features of any LexisNexis® Risk Solutions products identified. LexisNexis Risk Solutions does not represent nor warrant that this document is complete or error free.
*Images in this article are AI generatetd