How to keep your rewards points from being stolen

Rewards points are free money to fraudsters; follow these tips to stop them in their tracks

Rebecca Lake
Personal Finance Writer
Making complex credit topics simple


Having your credit card stolen is a hassle, since someone can use it to make fraudulent purchases. But bogus purchases aren't your only concern if the card that has been jacked is a rewards card.

The points and miles you’ve earned through an airline or hotel loyalty program could also be at risk. 

“Exploiting rewards and loyalty programs is an increasingly appealing abuse method for online criminals,” says Michael Reitblat, CEO and co-founder of fraud prevention platform Forter. “For a fraudster, rewards are effectively free money.”

If someone’s able to gain access to your account fraudulently, “they can exploit rewards points or loyalty point programs connected to the account, depleting the accrued points without an account owner ever being notified,” says Reitblat.

When you’ve accumulated a cushion of cash back, points or miles with your rewards card, or banked miles and points through a travel loyalty program, the last thing you want is a hacker to swoop in and redeem them behind your back. 

These tips can help you keep your travel rewards from taking off without you.


Identify what can leave your rewards vulnerable – and act

The first step in protecting your credit card and travel loyalty rewards is knowing what could make them a target for thieves. 

“Rewards programs have been targeted for at least a decade and many of the schemes are mature now,” says Seth Ruden, senior fraud consultant at payment system company ACI Worldwide. “The most common mechanisms I’ve seen revolve around credential stuffing – the act of using common passwords or authentication data elements that have been breached and exposed from other websites or forms for the rewards vendor.”

Use strong(er) passwords

Of those scenarios, Ruden says it’s often passwords that make for the weakest link in your rewards security chain. Poor password management practices could give thieves an opening to drain your rewards balance.

“Using the same password across multiple accounts is the easiest way to be compromised,” says Robert Siciliano, security analyst with virtual private network provider Hotspot Shield. If a hacker can crack the password on just one of your rewards credit card or travel loyalty program accounts, that could be a free pass to all of them.

Using simple passwords is also a mistake. The more difficult a password is to guess, the stronger the line of defense you can build around your rewards.

Incorporating a mix of upper- and lowercase letters, numbers and special characters can make passwords stronger. Using acronyms or phrases can also make passwords more unique.


Enable two-factor authentication

Updating your passwords is essential for safeguarding your rewards, but there’s more you can do to protect them. 

“Credit card users must create two-factor authentication controls where possible,” says Ruden. 

Two-factor authentication adds an extra layer of security by requiring you to punch in a unique code, typically sent to your smartphone or email, when you log in to your credit card or travel loyalty accounts. Without that code, hackers bent on rewards theft could be stopped in their tracks.

Don’t let rewards sit unused

Redeeming your rewards regularly can also help ward off fraud if you’re in the habit of letting points, miles or cash back pile up.

“Consumers who stockpile excess rewards may be more appealing targets for fraudsters after gaining access to an account,” says Reitblat. 

It’s also important to keep your defense up when it comes to your inbox. 

“Fraudsters often phish for account details by luring shoppers to enter their credentials into what look like legitimate text fields,” says Reitblat. “Consumers should always be wary of where they enter their information.”

In one of the most recent phishing scams involving rewards, hackers posed as Delta Air Lines in an attempt to steal frequent flyer information.

If you get an email from what appears to be your credit card company or your travel loyalty program asking you to share personal or financial information, always reach out to the company directly to make sure it’s legit.

And don’t hesitate to report any phishing emails that hit your inbox to your email provider.


What to do if your rewards are stolen

When hackers redeem your credit card rewards points or treat themselves to a free hotel stay courtesy of your loyalty points, your first question will be whether you can get those rewards back. 

Stolen credit card or travel rewards aren’t necessarily a lost cause if you report the theft to your credit card company or the loyalty program as quickly as possible. 

However, every credit card and loyalty program has different guidelines for dealing with stolen rewards. Here’s a roundup of a few of them.


Rewards programs' approach to stolen rewards points

PNC Bank

“PNC actively monitors and urges customers to review their own accounts on a regular basis,” says corporate communications representative Alan Aldinger. “If we identify any suspicious activity on any account, we will notify the customer. Customers should also contact us immediately if they notice unusual activity on their account.”

In PNC’s case, rewards lost because of verified unauthorized activity reported by the customer are replaceable. 

Barclays 

Barclays doesn’t have a specific policy for rewards fraud; instances of stolen rewards are handled individually. 

“In the event we have confirmed rewards fraud has occurred on an account, we would follow our normal fraud procedures – which includes replacing the rewards, ensuring the customer is kept whole,” says Nicole Dye-Anderson, Barclays's assistant vice president for media relations.

American Airlines 

American has a policy of emailing customers after mileage redemptions to help prevent fraud. 

If you suspect fraudulent activity, you’d need to contact AAdvantage customer service and American’s Corporate Security team so they can investigate. If miles are proven stolen, American can cancel the fraudulent redemptions and return the miles to you.

Bank of America

“We always advise consumers to monitor their accounts and report any unauthorized transactions immediately,” says spokeswoman Betty Reiss. “It all starts with protecting your account.”

Delta Air Lines, Hilton, Marriott

Delta also encourages flyers to reach out to customer service and request a miles credit if they believe their miles were stolen. 

Representatives of the Hilton Honors and Marriott Rewards programs offered similar advice. 

TD Bank, Chase, Wells Fargo, Citi and U.S. Bank offered no comment when asked how they handled stolen credit card rewards. 

United Airlines, Alaska Airlines, Hawaiian Airlines, Southwest Airlines, JetBlue, Frontier Airlines, Radisson, Choice Privileges, Ritz-Carlton Rewards, Wyndham, IHG and World of Hyatt were also contacted but offered no comment.

Bottom line?

If your credit card rewards or travel loyalty rewards are compromised, reach out to the program or your credit card company as soon as possible. The sooner you give them a heads-up that your rewards have been stolen, the better the odds that they’ll be able to restore them to your account. 

And in the meantime, be sure to log in to your accounts regularly to check your rewards balance and activity.

 




Updated: 12-09-2018