Loyalty fraud is a massive problem in the airline industry. It is estimated to cause billions of dollars in losses annually. Most of these losses used to only be “on paper” representing lost revenue; since airlines give away the seats they don’t think they’ll sell, a fraudulent redemption really only cost them a few dollars in overhead and catering. So, in the event that someone’s account was compromised and the points used, the airline would just restore the points and change the password (and optionally try to go after the fraudulent passenger, although this was usually more trouble than it was worth).
These days, it’s a much bigger deal when your miles and points get stolen because they can be redeemed for things other than airline tickets–items such as gift cards and online shopping purchases that cost the airlines real money. Naturally, given the increased risk exposure, most airlines have implemented loyalty fraud programs. These look for unusual patterns in accounts and flag suspicious activity. Unfortunately, a lot of legitimate activity can look fraudulent, particularly when the algorithms aren’t updated along with changes in the way that people earn and redeem points.
I have helped people in a number of instances lately in which a frequent flier member’s account was flagged for fraud. Fortunately, no tickets were outright cancelled, but additional verification and security procedures had to be followed, up to even going to the airport on the day of travel with the credit card used to pay the taxes on an award ticket. However, this is happening less frequently lately and there are some identifiable patterns I will share to help you avoid being caught up by a fraud algorithm.
Now, if you’re here because you got involved with mileage brokers in the buying and selling of points and you just got caught, none of this will help you. That’s something you actually did, and if the airline is talking to you at all, you can assume they have you dead to rights. This post will only help you avoid being flagged if you’re actually innocent.
Fewer False Alarms
One thing that used to be incredibly suspicious in award programs was suddenly earning a large number of points, and then using them immediately for an expensive award redemption. And at one point, this made sense. Back when people earned most of their miles from flying, there was an upper limit to how much flying a person could reasonably do.
These days, this is a completely normal pattern. Many people have started earning points in transferable programs such as those operated by American Express, Chase, and Citi. So, they’ll earn the number of miles needed for a ticket, check for award availability across a number of different airline programs, and then transfer the miles to the program for redemption. And on the part of consumers, this is perfectly rational; airlines have devalued their own loyalty programs so much and so often that it’s better for most people to keep their options open.
The good news is that the horror stories of previous years, in which tickets were cancelled without notice or people were forced to drive to the airport to get award tickets issued, appear to have gone by the wayside in most of the programs that work with bank loyalty programs–provided that your redemption meets the new definition of “normal.” The biggest offender was Flying Blue, but this wasn’t the only program that created difficulties.
Understanding Fraud Algorithms
If you book a normal award redemption these days, it’s unlikely to cause you any issues regardless of the loyalty program you’re using (with the possible exception of programs that are new to working with bank loyalty programs; these include Turkish Miles and Smiles and Avianca LifeMiles).
What’s a normal award redemption? It’s one that doesn’t trip the algorithm. To understand this, you just need to think like a computer. Algorithms like these are designed to either add or subtract points on a transaction depending on criteria that raise or lower suspicion. So, for example, suppose that you start with 100 points, and the threshold is 50 points or below. An algorithm might work like this:
Subtract points (less suspicious):
- You earned the points through flying or partners, or you transferred them in from your own credit card.
- You are traveling on the itinerary (you won’t get flagged because you bought a ticket for your significant other, as long as you’re both traveling together).
- The person traveling is someone for whom you have previously purchased a revenue ticket.
- The person traveling is an immediate relative.
- The person traveling has an established frequent flier account with the airline and a significant points balance.
- You’re paying for the taxes with your own personal credit card.
- You are traveling 3 or more days in the future.
- The person traveling is going to a low fraud risk destination (such as Canada).
Add points (more suspicious):
- The points you are redeeming were recently purchased with a credit card.
- You aren’t traveling on the itinerary.
- The person traveling is someone with whom you have no obvious relationship.
- You’re paying for the taxes with someone else’s credit card. Bonus points if it’s a foreign credit card and you have never used one of those before, and even more bonus points if it isn’t a card associated with the person traveling.
- The ticket is for an immediate departure. Right now, today.
- The passenger is traveling to a high fraud risk destination (such as Nigeria).
How many points are assigned for what specific criteria? And are these the only criteria used? Well, that’s proprietary, and (for very good reasons) loyalty programs aren’t going to tell you. Some programs are more relaxed and others (such as Flying Blue) are less so. Nevertheless, when you look at the criteria that add points, it’s pretty obvious why they are there.
Keep in mind that one or two things that add points probably won’t trip you up as long as there are enough things that subtract points. After all, this stuff can totally reflect normal life. Your best friend just rage quit her job and you’re buying her a ticket to Costa Rica right now. With the points you coincidentally bought yesterday because there was an incredible mileage sale. You’ll join her this weekend but plan to fly another airline. And you’re using up the crappy gift card you got this Christmas to pay the taxes before the thing starts charging you fees. I mean, nothing about that scenario is suspicious once someone has a conversation with you, but it totally looks suspicious otherwise.
Loyalty programs that over-rely on dumb algorithms will just automatically cancel a ticket, or it won’t go through in the first place. That’s why many loyalty programs implement manual review for suspicious transactions. Most commonly, a transaction that is too suspicious can’t be completed online and the member will be instructed to call the loyalty program. At this point, extensive validation is done when the ticket is being purchased.
There can also be a “soft review.” When this happens, the loyalty program will call the member at the telephone number on file to inquire about the transaction. Of course, if the member doesn’t recognize the transaction, they’ll immediately unwind it. And sometimes, additional validation is required. Most commonly, the airline will require that the credit card used to pay the taxes be presented at the airport (this is becoming a requirement even for transactions that aren’t suspicious, and some programs go even farther by requiring that the loyalty program member’s credit card always be used). The airline may also interview the traveler to determine the legitimacy of their relationship to the loyalty program member.
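The scoring and review tiers described above, sketched as an added Python example (not the author's or any airline's code). The baseline, weights, thresholds and signal names are all constructed assumptions, with a higher score meaning more suspicious; real programs keep these values proprietary.

```python
# Constructed values: the post says real weights and thresholds are proprietary.
BASELINE = 50         # assumed starting score; higher means more suspicious
SOFT_REVIEW = 75      # assumed: call the member at the number on file
MANUAL_REVIEW = 100   # assumed: booking must be completed by phone
WEIGHTS = {
    # less suspicious (subtract)
    "points_earned_or_own_card_transfer": -20,
    "member_on_itinerary": -20,
    "prior_revenue_ticket_for_traveler": -10,
    "traveler_immediate_relative": -10,
    "traveler_established_account": -10,
    "taxes_on_member_card": -15,
    "departure_3plus_days": -10,
    "low_risk_destination": -5,
    # more suspicious (add)
    "points_recently_purchased": 20,
    "member_not_on_itinerary": 20,
    "no_obvious_relationship": 15,
    "taxes_on_other_persons_card": 20,
    "same_day_departure": 20,
    "high_risk_destination": 15,
}

def route(signals):
    """Return (score, decision, score-raising signals for the reviewer)."""
    signals = set(signals)
    unknown = signals - set(WEIGHTS)
    if unknown:  # reject typos instead of silently scoring them as 0
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    score = BASELINE + sum(WEIGHTS[s] for s in signals)
    raised = sorted(s for s in signals if WEIGHTS[s] > 0)
    if score >= MANUAL_REVIEW:
        return score, "manual_review", raised
    if score >= SOFT_REVIEW:
        return score, "soft_review", raised
    return score, "approve", raised

# Constructed redemptions; "costa_rica" is the post's best-friend story, minus the gift card.
SAMPLES = {
    "own_transfer": ["points_earned_or_own_card_transfer", "member_on_itinerary",
                     "taxes_on_member_card", "departure_3plus_days"],
    "spouse_same_day": ["points_recently_purchased", "same_day_departure",
                        "member_on_itinerary", "taxes_on_member_card"],
    "gift_ticket": ["points_recently_purchased", "member_not_on_itinerary",
                    "taxes_on_member_card"],
    "costa_rica": ["points_recently_purchased", "member_not_on_itinerary",
                   "no_obvious_relationship", "same_day_departure"],
}
for name, sigs in SAMPLES.items():
    print(name, *route(sigs))
```

Returning the score-raising signals alongside the decision gives the reviewing agent the specific points to ask the member about, instead of an automatic cancellation.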
Every verification that I have needed to do in order to satisfy a loyalty fraud investigation was necessary because the activity objectively looked shady:
- An intra-Africa flight from Nigeria booked on short notice using an organization’s credit card, using the loyalty account of a member who had never been to Africa (this pattern matches either fraud or a church mission–it was the latter).
- A last-minute one-way ticket to Nicaragua for a foreign national who wasn’t related, taxes paid with cash equivalent (his new girlfriend had to attend a funeral, and the taxes were paid with a gift card).
- A business class trip to Asia for an apparently unrelated person on a top-tier carrier leaving the following day with points that were just purchased (his cousin’s employer reimbursed the economy class fare, and the member purchased miles to buy her a business class flight for the same amount of money).
In every case, the passenger was able to travel. It did take a little bit of extra work to explain to the airline what was going on, and in the case of the ticket from Nigeria, the airline wanted to see the physical credit card (emailing in a photo of both sides was fine). However, in every case the airline was satisfied with the explanation. No loyalty accounts were frozen, and no tickets were cancelled. The system worked.
Don’t avoid loyalty programs because of potential security problems. If you’re doing something that looks suspicious to, say, Flying Blue, it’s virtually guaranteed to also look suspicious to Mileage Plus. Airlines may react differently and have different tolerance thresholds for suspicious activity, but they’re getting a lot better at this stuff and false alarms are a lot less common these days.
5 thoughts on “Understanding Loyalty Fraud In 2018”
@ TProphet – thanks for the great explanation and examples, but I think you have one key part backwards: “So, for example, suppose that you start with 100 points, and the threshold is 50 points or below.” The next 2 main sections are “Subtract points (less suspicious)” and “Add points (more suspicious)”. I think the first statement should be “So, for example, suppose that you start with 50 points, and the threshold is 100 points or above.”
On a different thought, are there any simple steps to prevent fraud against my accounts?
Remember, you just need to think like a computer. Computers can add or subtract, so it’s really up to the programmer how to construct the algorithm. You’re correct that you could construct the algorithm either way (either start from 0 and add, or start from 100 and subtract). The important point here is that the algorithm has a threshold and data points related to the transaction influence which side of that threshold (approve or deny) that you land on.
How can you prevent fraud? Unfortunately you have to work with the available tools and many frequent flier programs don’t have good ones. Generally speaking I recommend using multi-factor authentication when it’s available, using strong passwords, using different passwords on each site, and using a tool like AwardWallet to automatically monitor changes in account balances. I think the last of these is the most important, because if you can catch a fraudulent redemption early, it’s easier to get it reversed. Most award programs will refund your points if you have been hacked, but the investigation can take a lot of time and they are under no real obligation to refund you (unlike banks, where there is a legal obligation).