Your credit card, airline or hotel rewards could be a target for theft. Here’s how to protect your rewards points and what to do in case they are stolen.
Having your credit card stolen is a hassle as someone can use it to charge fraudulent purchases. But, bogus purchases aren’t your only concern if the card that has been jacked is a rewards card.
The points and miles you’ve earned through an airline or hotel loyalty program could also be at risk.“Exploiting rewards and loyalty programs is an increasingly appealing abuse method for online criminals,” says Michael Reitblat, CEO and co-founder of fraud prevention platform Forter. “For a fraudster, rewards are effectively free money.”
If someone’s able to gain access to your account fraudulently, “they can exploit rewards points or loyalty point programs connected to the account, depleting the accrued points without an account owner ever being notified,” says Reitblat.
When you’ve accumulated a cushion of cash back, points or miles with your rewards card, or banked miles and points through a travel loyalty program, the last thing you want is a hacker to swoop in and redeem them behind your back.
These tips can help you keep your travel rewards from taking off without you.
See related: How to protect your cards and accounts online
Protect your rewards points from being stolen
Identify what can leave your rewards vulnerable – and act
The first step in protecting your credit card and travel loyalty rewards is knowing what could make them a target for thieves.
“Rewards programs have been targeted for at least a decade and many of the schemes are mature now,” says Seth Ruden, senior fraud consultant at payment system company ACI Worldwide. “The most common mechanisms I’ve seen revolve around credential stuffing – the act of using common passwords or authentication data elements that have been breached and exposed from other websites or forms for the rewards vendor.”
Use strong(er) passwords
Of those scenarios, Ruden says it’s often passwords that make for the weakest link in your rewards security chain. Poor password management practices could give thieves an opening to drain your rewards balance.
“Using the same password across multiple accounts is the easiest way to be compromised,” says Robert Siciliano, security analyst with virtual private network provider Hotspot Shield. If a hacker can crack the password code on just one of your reward credit card or travel loyalty program accounts, that could be a free pass to all of them.
Using simple passwords is also a mistake. The more difficult a password is to guess, the stronger line of defense you can build around your rewards.
Enable two-factor authentication
Updating your passwords is essential for safeguarding your rewards, but there’s more you can do to protect them.
“Credit card users must create two-factor authentication controls where possible,” says Ruden.
Two-factor authentication adds an extra layer of security by requiring you to punch in a unique code, typically sent to your smartphone or email, when you log in to your credit card or travel loyalty accounts. Without that code, hackers bent on rewards theft could be stopped in their tracks.
Don’t let rewards sit unused
Redeeming your rewards regularly can also help ward off fraud if you’re in the habit of letting points, miles or cash back pile up.
“Consumers who stockpile excess rewards may be more appealing targets for fraudsters after gaining access to an account,” says Reitblat.
It’s also important to keep your defense up when it comes to your inbox.
“Fraudsters often phish for account details by luring shoppers to enter their credentials into what look like legitimate text fields,” says Reitblat. “Consumers should always be wary of where they enter their information.”
In one of the most recent phishing scams involving rewards, hackers posed as Delta Air Lines in an attempt to steal frequent flyer information.
If you get an email from what appears to be your credit card company or your travel loyalty program asking you to share personal or financial information, always reach out to the company directly to make sure it’s legit.
And don’t hesitate to report any phishing emails that hit your inbox to your email providers.
See related: 5 ways to maximize rewards earning potential
What to do if your rewards are stolen
When hackers redeem your credit card rewards points or treat themselves to a free hotel stay courtesy of your loyalty points, your first question will be whether you can get those rewards back.
Stolen credit card or travel rewards aren’t necessarily a lost cause if you report the theft to your credit card company or the loyalty program as quickly as possible.
See related: 3 major mobile security risks, and how to avoid them
Rewards programs’ approach to stolen rewards points
“PNC actively monitors and urges customers to review their own accounts on a regular basis,” says corporate communications representative Alan Aldinger. “If we identify any suspicious activity on any account, we will notify the customer. Customers should also contact us immediately if they notice unusual activity on their account.”
In PNC’s case, rewards lost because of verified unauthorized activity reported by the customer are replaceable.
Barclays doesn’t have a specific policy for rewards fraud; instances of stolen rewards are handled individually.
“In the event we have confirmed rewards fraud has occurred on an account, we would follow our normal fraud procedures – which includes replacing the rewards, ensuring the customer is kept whole,” says Nicole Dye-Anderson, Barclays’s assistant vice president for media relations.
American has a policy of emailing customers after mileage redemptions to help prevent fraud.
If you suspect fraudulent activity, you’d need to contact AAdvantage customer and American’s Corporate Security team to investigate. If miles are proven stolen, American can cancel fraudulent redemptions and return them to you.
Bank of America
“We always advise consumers to monitor their accounts and report any unauthorized transactions immediately,” says spokeswoman Betty Reiss. “It all starts with protecting your account.”
Delta Air Lines, Hilton, Marriott
Delta also encourages flyers to reach out to customer service and request a miles credit if they believe their miles were stolen.
Representatives of the Hilton Honors and Marriott Rewards programs offered similar advice.
TD Bank, Chase, Wells Fargo, Citi and U.S. Bank offered no comment when asked how they handled stolen credit card rewards.
United Airlines, Alaska Airlines, Hawaiian Airlines, Southwest Airlines, JetBlue, Frontier Airlines, Radisson, Choice Privileges, Ritz-Carlton Rewards, Wyndham, IHG and World of Hyatt were also contacted, but also offered no comment.
If your credit card rewards or travel loyalty rewards are compromised, reach out to the program or your credit card company as soon as possible. The sooner you give them a heads-up that your rewards have been stolen, the better the odds that they’ll be able to restore them to your account.
And in the meantime, be sure to log in to your accounts regularly to check your rewards balance and activity.