Loyalty fraud is not new, but it is increasing
According to the Loyalty Security Alliance, 17.6% of survey respondents said loyalty fraud grew “a lot” in the last three years, while 23.5% said it grew “somewhat.” And according to Statista, 27% of all fraud attempts experienced by online merchants in 2021 were loyalty fraud.
Loyalty fraud can be lucrative because these accounts are typically less secure than financial accounts and fraudulent activity may go unnoticed for some time if accounts are infrequently used or not closely monitored. The Loyalty Security Association estimates that $3.1 billion in redeemed loyalty points are fraudulent—which does not account for the large number of unredeemed points that remain vulnerable. Member profiles may also contain sensitive data such as forms of payment or additional personally identifiable information, which could provide access to other accounts and assets.
When it comes to correctly identifying or preventing loyalty fraud, the solution is complex at best. As brands adopt new tools to fight fraud, fraudsters continue to evolve their methods to commit it. Brands are forced to balance their approach—weighing the true cost of fraudulent activity against the impacts (positive and negative) that prevention processes may have on the customer experience, customer lifetime value, and brand reputation among both consumers and partners, in addition to any impact on operating costs.
Adding layers of security and monitoring, without negatively impacting CX
Account Takeover (ATO) fraud is by far the most frequent type of loyalty fraud committed, according to the Loyalty Security Alliance. Promotion fraud, where members or employees try to game the system to increase rewards or discounts earned, is also common with loyalty programs.
Account takeovers happen when fraudsters get their hands on logins, passwords, or email addresses, typically through database breaches or phishing attacks in conjunction with weak security measures—such as members reusing login and password combinations. This information is then used to access loyalty accounts and, once in, fraudsters can redeem points or transfer them into other accounts.
Brands may educate members about how to choose better passwords, but members won’t always take the steps to ensure the uniqueness or level of complexity needed to protect their program currency and personal information. Taking it a step further, brands can require members to use proper passwords, set up multi-factor authentication, or use additional forms of verification—but they do so at the risk of adding friction to the customer journey.
Implementing behind-the-scenes risk assessments and fraud prevention tactics is also a popular strategy. Two examples are continuous authentication and risk-based intervention.
- Continuous authentication, or continuous security, identifies abnormal and potentially fraudulent behavior by measuring activity against a baseline of “normal” consumer behavior for a given brand. The assessment is continuous across the entire member journey, not just at login. Examples of abnormal activity triggering a security alert could be an excessive number of account login attempts in a short period of time or unusual variances in redemption activity.
- Risk-based intervention, or adaptive authentication, can be leveraged throughout the member journey from login to redemption, as well. A risk profile is assigned to a member or device based on individual behavior. Depending on the risk assigned, progressive verifications may be requested, or accounts may be temporarily locked or converted to “earn only,” among other actions to mitigate potentially fraudulent behavior.
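As an added illustration (not code from this article or from any loyalty platform), the sketch below combines the two tactics: every event is scored against a per-member baseline, and the score selects a progressively stronger intervention. The thresholds, weights, event names, and sample data are assumptions constructed for the example, and the member is assumed to have some redemption history.

```python
from collections import deque
from statistics import mean, pstdev

# All thresholds and weights are assumptions for illustration.
WINDOW_S, MAX_FAILS, Z_LIMIT = 300, 5, 3.0

class MemberRisk:
    """Scores each event across the member journey and returns an intervention."""
    def __init__(self, past_redemptions):
        self.baseline = list(past_redemptions)  # "normal" redemption sizes
        self.fails = deque()                    # timestamps of failed logins

    def _login_risk(self, ts):
        # Drop failures that have aged out of the sliding window.
        while self.fails and ts - self.fails[0] > WINDOW_S:
            self.fails.popleft()
        n = len(self.fails)
        return 80 if n >= 2 * MAX_FAILS else 40 if n >= MAX_FAILS else 0

    def _redeem_risk(self, points):
        mu, sigma = mean(self.baseline), pstdev(self.baseline)
        z = (points - mu) / sigma if sigma else 0.0
        if z > Z_LIMIT:
            return 30            # anomalous: keep it out of the baseline
        self.baseline.append(points)
        return 0

    def observe(self, ts, kind, points=0):
        if kind == "login_failed":
            self.fails.append(ts)
        score = self._login_risk(ts)   # evaluated on every event, not only logins
        if kind == "redeem":
            score += self._redeem_risk(points)
        if score >= 80:
            return "lock"        # temporary account lock
        if score >= 60:
            return "earn_only"   # points can be earned but not redeemed
        if score >= 30:
            return "step_up"     # request progressive verification
        return "allow"

def replay(events, past_redemptions):
    member = MemberRisk(past_redemptions)
    return [member.observe(*e) for e in events]

# Constructed sample: normal redemption, failed-login burst, login, outsized redemption.
SAMPLE = [(0, "redeem", 640)] + [(1000 + i, "login_failed", 0) for i in range(5)] \
       + [(1010, "login_ok", 0), (1020, "redeem", 25000), (2000, "login_ok", 0)]
HISTORY = [500, 700, 600, 550, 650]
```

Replaying `SAMPLE` shows friction rising only as signals accumulate and falling back to `allow` once the failed logins age out of the window.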
While behind-the-scenes risk assessment and fraud prevention are generally low touch and add little friction to the (true) member’s experience, it’s also important to consider the experience when fraud is identified. Risk-based intervention tries to match the amount of friction added to the level of potential loss, but this can be tricky when false positives add too much friction to the member’s experience, potentially causing members to look elsewhere for services.
For true positives that result in loss, members might not just be upset and angry—they can also blame the brand. While reimbursing points results in “double-dipping,” which of course has a negative impact on the financial bottom line, it’s very important for brands to acknowledge the loss of trust, empathize with the member’s position, and work to right the situation while taking additional measures to prevent future loss.
The Tally loyalty platform prevents and mitigates fraud using a robust set of technology and analytic tools to monitor login attempts, call center activity, and integrated client or third-party exchanges. In addition, we mitigate fraud for our clients via web application firewalls and a proprietary combination of advanced modeling techniques, including federated modeling, to successfully capture new fraud that humans alone are unable to identify or address in a scalable way.
Revisiting or creating a security roadmap is critical
Consumers in general are more aware of data privacy, and regulatory oversight is also increasing. Not investing in fraud management will likely cost brands in noncompliance fees and eroded consumer trust. And as brands work to increase point utility within loyalty programs to provide members more value and opportunities to engage, fraudsters will be even more motivated to target this currency.
It’s understandable that some detection solutions will not be the right fit, whether due to cost or relative risk, but for brands who increasingly engage members via digital channels, investment in loyalty program security is table stakes. Consider the following steps for upping your game in loyalty fraud mitigation and better securing trust with your customers:
- When starting or revisiting a security roadmap, conduct a risk assessment across the member journey and layer it against the broader customer experience. This will help illustrate trade-offs when it comes to balancing increased security and impacted member experiences.
- Work cross-functionally between security, IT, operations, and marketing stakeholders to align on budget, monitor KPIs, and assess in-house capabilities. Identify gaps and discuss how to fill them—utilizing in-house resources, outsourcing, or by leveraging the right partner.
- Apply an action priority matrix to prioritize the implementation of security features based on their level of impact and effort.
- Start executing on what can be done while resources are put in place to achieve higher-effort goals.
Loyalty programs are a great way to get your brand closer to your audience, deepen engagement through personalization, garner rich zero-party data that is contextualized to each individual member’s relationship with your brand, and level-up experiences to be there for your customers when and how they need and want. These relationships need to be protected in order for trust to be preserved.
As the incidence rate of loyalty fraud increases and consumer trust hangs in the balance, the right partner can help mitigate these risks without negatively impacting the customer experience. Look for service providers that tailor their approach based on client-specific needs. In addition to our proprietary fraud detection models, we track all changes to customer accounts and offer flexibility via our self-serve data portals and dashboard visualization—enabling client security teams to perform fraud monitoring from secure locations.