Perspectives

Safeguarding Loyalty Programs Against Points Theft

Albert Luk, General Counsel, Chief Privacy Officer, Bond

Strange phone calls from unfamiliar numbers. Text messages asking, “Are you available right now?” Emails demanding payment of customs fees for packages you never ordered. 

What’s going on? 

One theory is that during the early days of the COVID-19 lockdowns, hackers found it easier than ever to exploit vulnerabilities in online platforms—financial or otherwise—for personal gain. As bank robber Willie Sutton famously said, he targeted banks “because that’s where the money is.” 

In the years since, platforms have strengthened their security measures, adopting more holistic and layered defenses. But cybercriminals have evolved too, shifting their focus from attacking the “bank” itself to targeting the “customers walking out of the bank.” 

The Loyalty Program Threat

In the loyalty space, Bond has observed an increase in cases where members have had gift cards drained or points redeemed without their consent, sometimes after legitimate logins, other times through fraudulent ones. 

As we move into 2025, it’s clear: the more a loyalty program deals in financial instruments (gift cards, prepaid credit cards, etc.), the more robust its defenses need to be, and are likely to be. But even the best systems have one major vulnerability: member behavior. 

Here are some best practices for both members and loyalty programs to reduce the risk of stolen points or fraudulent redemptions. 

Member Best Practices

  • Review & Update Your Information Annually
    An unauthorized change to your account details could be a red flag for compromise. Annual prompts also give loyalty programs a chance to re-engage dormant members. 

  • Avoid Reusing Passwords Across Websites 
    When one site is hacked, stolen credentials often end up for sale on the dark web. Hackers use these in “credential stuffing” attacks, testing thousands of stolen combinations on other sites. If successful, they can log in and redeem points fraudulently. Education at sign-up is critical. 

  • Confirm Unusual Activity 
    Sophisticated programs can flag abnormal transactions and hold them until confirmed. While this may be a minor inconvenience, it’s far better than losing points—and trust—to fraud. 

Loyalty Program Best Practices

  • Review Terms & Conditions 
    Clearly define member responsibilities for securing their credentials, outline program rights in suspected fraud cases, and address what happens if redeemed goods or services are stolen. 

  • Monitor for Variance 
    Significant spikes in points earned or redeemed should prompt investigation. Large, established programs can benchmark member activity against historical data. Variances without unusual activity? Celebrate. Variances with unusual activity? Check customer service logs to determine if the issue is systemic. 

  • Engage Members Proactively 
    If suspicious redemptions or point thefts are traced to member accounts, reach out immediately. Early communication can prevent further losses and reassure members. 
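
One way to implement the "Monitor for Variance" practice, shown as an added example that is not from the article or from Bond: a day's redemption total is benchmarked against history with a median/MAD score, and a spike is escalated only when individual redemptions also show unusual activity. The record fields, the 24-hour profile-change window, the 3.5 threshold, and all sample data are assumptions constructed for illustration.

```python
from statistics import median

# Constructed sample: program-wide points redeemed per day over two weeks.
HISTORY = [41200, 39800, 40500, 42100, 38900, 40700, 41500,
           39400, 40900, 41800, 40100, 39700, 42300, 40600]

def robust_z(value, history):
    """Deviation of value from the historical median, in scaled-MAD units."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    if mad == 0:  # flat history: any difference at all is a variance
        return 0.0 if value == med else float("inf")
    return (value - med) / (1.4826 * mad)

def unusual(r, window_hours=24):
    """Assumed signals: redemption soon after a profile change, or from a new device."""
    hours = r["hours_since_profile_change"]
    return (hours is not None and hours <= window_hours) or not r["known_device"]

def triage(redemptions, history, threshold=3.5):
    """Return (verdict, member ids to contact) for one day's redemptions."""
    total = sum(r["points"] for r in redemptions)
    if abs(robust_z(total, history)) < threshold:
        return "normal", []
    flagged = sorted({r["member"] for r in redemptions if unusual(r)})
    if not flagged:
        return "variance-without-unusual-activity", []
    return "variance-with-unusual-activity", flagged

def rec(member, points, hours=None, known=True):
    """Build one hypothetical redemption record."""
    return {"member": member, "points": points,
            "hours_since_profile_change": hours, "known_device": known}

# Constructed days: a drain pattern, a promotion-driven spike, an ordinary day.
DRAIN_DAY = [rec("M-1001", 30000, 2, False), rec("M-1002", 6000),
             rec("M-1003", 28000, 1, False), rec("M-1004", 9000),
             rec("M-1005", 25000, 500, True)]
PROMO_DAY = [rec("M-2001", 45000), rec("M-2002", 47000)]
QUIET_DAY = [rec("M-3001", 20000), rec("M-3002", 21000)]

if __name__ == "__main__":
    for name, day in [("drain", DRAIN_DAY), ("promo", PROMO_DAY), ("quiet", QUIET_DAY)]:
        print(name, triage(day, HISTORY))
```

The member ids returned for the escalated day are the accounts to hold for confirmation and to cross-check against customer service logs.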

The Next Phase of Loyalty Security 

Over the past few years, loyalty programs have rightly focused on data privacy and protection. But we’ve now entered a new phase—one where member education, proactive engagement, and activity monitoring are just as critical as technical defenses. 

Protecting points isn’t just about firewalls and encryption; it’s about building awareness and trust with customers.  

Loyalty is not a transaction. It’s a relationship. And relationships deepen when you step up in the difficult moments, not just the easy ones.
