Loyalty schemes are tools used by merchants to reward customers who continue to buy their goods and services and/or increase their spend. According to estimates, 60% of companies reported that their loyalty customers spend 2-3 times more than non-loyalty customers.
How it works
The customers will typically earn points with every purchase of the goods or services. The accrued loyalty points can then be redeemed for discounts, vouchers or free items, as an incentive to continue to spend with the merchant. It is worth noting that ‘loyalty’ is a euphemism, as many customers are members of competing merchants’ loyalty schemes.
It is not always about how loyal they are to one merchant; it is usually about how much they are spending and on what. After all, if a customer's overall spend drops but they spend exclusively at one merchant, they will earn fewer loyalty points despite being completely loyal. Perhaps the most well-known loyalty schemes are the free coffee after buying, say, ten cups, or the various air miles schemes. These schemes do work for the merchant: 75% of customers said they were likely to make another purchase when offered an incentive, according to Wirecard.
Loyalty scheme fraud
Fraud associated with loyalty schemes has been on the rise in recent years. According to a 2019 report by Forter, there was an 89% increase in loyalty-related fraud over the previous year. One explanation for such a rise is that the payment industry has become increasingly effective at securing the payment infrastructure, making it harder for criminals to steal money directly.
Another explanation is the sheer amount of value sitting in customer loyalty accounts with merchants. For example, Starbucks holds over $1.6 billion of unspent cash in customers' loyalty cards and wallets. Such trends are increasingly turning criminals' focus to softer targets such as loyalty schemes, taking advantage of the weaker security of these systems to steal value that can be converted into goods even where it cannot be redeemed as actual money.
Fraudulent activities associated with loyalty schemes take different forms; at the basic level is 'membership fraud'. This is when members of the loyalty scheme try to game the system or take advantage of a procedural flaw. For example, Heathrow Rewards allowed only one account per household; however, members realised they could slightly tweak their address to register a second family member and take advantage of the 'joining bonus' points.
Another example is the infamous story of the 'pudding guy', David Phillips. Mr Phillips took advantage of a promotion by a local supermarket offering air miles with the purchase of certain products. Mr Phillips calculated that the air miles he earned from a cup of pudding outweighed its price and went on to purchase over 12,000 pudding cups over several weeks. He earned more than 1.2 million air miles, enough for 40 round trips to Europe. These are not criminal attacks; they simply exploit flawed procedures.
Organised crime
At the other extreme are more determined (and often organised) criminals trying to hack the system for criminal gain. This category poses a more serious threat, as they are capable of exploiting weak security systems as well as using sophisticated social engineering techniques to obtain and manipulate customer information. Customer information obtained in this way can then be used to perform account 'takeovers' and steal accumulated points.
Fraudsters also rely on stolen personally identifiable information (PII) exposed during data breaches to target loyalty schemes. According to RSA, travel and hospitality accounts make up 13% of the account types for sale on the dark web. Last year, many customers of UK supermarket Morrisons reported that loyalty points had been stolen from their accounts. Morrisons insisted the problem occurred as a result of email and password reuse across multiple accounts. Nevertheless, loyalty schemes are continually evolving and, despite their security challenges, they are not going away. If loyalty schemes are to continue to deliver value, they should be protected with the same diligence as payment schemes.
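The account takeovers described above, driven by password reuse, typically surface as credential stuffing: one source trying many different accounts in a short window, with most attempts failing. The following detection is an added example and not code from the original article or any merchant's system; the login-event lines, IP addresses and account names are constructed for illustration, and the thresholds (10-minute window, 5 distinct accounts, at most 30% successes) are assumed values a scheme operator would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: timestamp, source IP, account, outcome.
# One source cycles through six accounts and lands one success (bob);
# the other is a single user who mistypes a password and then logs in.
SAMPLE_EVENTS = """\
2023-05-01T10:00:01 198.51.100.7 alice@example.com fail
2023-05-01T10:00:03 198.51.100.7 bob@example.com success
2023-05-01T10:00:05 198.51.100.7 carol@example.com fail
2023-05-01T10:00:07 198.51.100.7 dave@example.com fail
2023-05-01T10:00:09 198.51.100.7 erin@example.com fail
2023-05-01T10:00:11 198.51.100.7 frank@example.com fail
2023-05-01T10:02:00 203.0.113.5 alice@example.com fail
2023-05-01T10:02:20 203.0.113.5 alice@example.com success
"""


def parse_events(text):
    """Parse one event per line into (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return events


def credential_stuffing_sources(events, window=timedelta(minutes=10),
                                min_accounts=5, max_success_ratio=0.3):
    """Flag source IPs that, inside any sliding window, hit >= min_accounts
    distinct accounts with mostly failed logins. Returns {ip: [accounts that
    succeeded inside a flagged window]} so those accounts can be reviewed
    (forced password reset, redemption hold) before points are drained."""
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp first
        by_ip[ev[1]].append(ev)
    flagged = defaultdict(set)
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1             # slide the window forward
            span = evs[start:end + 1]
            accounts = {e[2] for e in span}
            successes = [e[2] for e in span if e[3] == "success"]
            if len(accounts) >= min_accounts and len(successes) / len(span) <= max_success_ratio:
                flagged[ip].update(successes)
    return {ip: sorted(accs) for ip, accs in flagged.items()}


if __name__ == "__main__":
    print(credential_stuffing_sources(parse_events(SAMPLE_EVENTS)))
```

The legitimate user at 203.0.113.5 is never flagged because a single account, however many failures, never meets the distinct-account threshold.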