Retail and hospitality data breaches of consumers’ payment card data grab headlines, but cybercriminals don’t always target point-of-sale systems.
Oracle estimates that 72% of U.S. adults belong to at least one brand rewards program, also known as a loyalty program. These programs entice consumers to patronize a particular brand by offering incentives for frequent purchases, such as special discounts or free merchandise. In some cases, loyalty program discounts can be significant. For example, frequent travelers can earn free or steeply discounted hotel stays, airline trips, and rental cars.
Both consumers and businesses benefit from loyalty programs. Consumers enjoy discounts on their favorite brands. Businesses enjoy loyal patronage and, because these programs collect customers’ personal data and track their buying habits, access to a wealth of primary market research information about their customer base.
Unfortunately, cybercriminals like loyalty programs, too. Retail Dive reports that loyalty program fraud increased by a whopping 89% in just one year. Cyber attacks on loyalty programs come from three sides:
- External cybercriminals, who use credential-stuffing attacks (replaying username and password pairs leaked from other sites' breaches) to take over customer accounts — or an account belonging to an employee with access to customer rewards accounts. After a successful account takeover, cybercriminals can steal customers’ personally identifiable information (PII), drain existing rewards balances, or accumulate additional rewards in unauthorized ways.
- Malicious brand employees, who fraudulently pad rewards balances, steal unclaimed rewards from dormant accounts, and steal customers’ PII.
- The brand’s own customers, who can take advantage of loopholes in the program, such as creating multiple accounts to earn rewards.
Loyalty program fraud is extremely costly, even in cases where a brand is selling relatively low-ticket items. Restaurant Business reports that following a breach of its popular DD Perks loyalty program, Dunkin’ was sued by the State of New York. In a settlement, Dunkin’ agreed to reimburse customers for stolen rewards and pay a $650,000 fine.
Tips for Avoiding Cyberattacks on Loyalty Programs
Tips for businesses
- Improve the cybersecurity posture of your loyalty programs. Credential stuffing works because customers reuse passwords that have already leaked elsewhere, so require strong, unique passwords and multi-factor authentication (MFA, often called 2FA), and rate-limit and monitor failed logins per source address. Prevent abuse by customers by closely monitoring loyalty program metrics for suspicious activity, such as many accounts tied to one device or payment card.
- Prevent insider threats by implementing role-based access control (RBAC) and monitoring employees’ network activity for signs of abuse.
- Require your employees to use a password manager such as Keeper. Keeper’s zero-knowledge password management and security platform gives IT administrators complete visibility into employee password practices, enabling them to monitor password use and enforce security policies, including strong, unique passwords, 2FA, and RBAC. Fine-grained access controls allow administrators to set employee permissions based on their roles and responsibilities, as well as set up shared folders for individual departments, project teams, or any other group.
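The two monitoring checks the business tips above call for, as an added example that is not Keeper's code or any vendor's product: a credential-stuffing detector that flags a source IP spraying many distinct usernames with a low success rate, and a multi-account check that clusters rewards accounts sharing a device fingerprint or payment instrument. The login events, account records, field names and thresholds are all constructed for illustration.

```python
"""Loyalty-program abuse detection over constructed sample data (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # epoch seconds (constructed)
    src_ip: str
    username: str
    success: bool


@dataclass(frozen=True)
class Account:
    account_id: str
    email: str
    device_id: str      # assumed device fingerprint captured at signup
    payment_hash: str   # assumed hash of the payment card on file


def credential_stuffing_sources(events, window=300, min_users=20, max_success_rate=0.2):
    """Return {ip: stats} for IPs that tried >= min_users distinct usernames within
    `window` seconds with a success rate <= max_success_rate. A real customer
    retries one account; a stuffing tool sprays a leaked list and mostly fails."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs = sorted(evs, key=lambda e: e.ts)
        best, start = None, 0
        for end, ev in enumerate(evs):          # sliding time window per IP
            while ev.ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.username for e in win}
            if len(users) < min_users:
                continue
            rate = sum(e.success for e in win) / len(win)
            if rate <= max_success_rate and (best is None or len(users) > best["distinct_users"]):
                best = {"distinct_users": len(users), "success_rate": round(rate, 2)}
        if best:
            flagged[ip] = best
    return flagged


def multi_account_clusters(accounts, min_size=3):
    """Union-find over shared device/payment attributes; clusters of min_size or
    more accounts are candidates for the 'one customer, many accounts' loophole."""
    parent = {a.account_id: a.account_id for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}
    for a in accounts:
        for key in (("device", a.device_id), ("payment", a.payment_hash)):
            if key in first_seen:
                union(first_seen[key], a.account_id)
            else:
                first_seen[key] = a.account_id
    clusters = defaultdict(list)
    for a in accounts:
        clusters[find(a.account_id)].append(a.account_id)
    return sorted(sorted(c) for c in clusters.values() if len(c) >= min_size)


# Constructed sample: one IP sprays 25 leaked credentials in under a minute (1 hit);
# a real customer mistypes twice and then logs in.
SAMPLE_LOGINS = [
    LoginEvent(1_700_000_000 + i * 2, "203.0.113.7", f"user{i:02d}@example.com", i == 17)
    for i in range(25)
] + [
    LoginEvent(1_700_000_100, "198.51.100.4", "alice@example.com", False),
    LoginEvent(1_700_000_130, "198.51.100.4", "alice@example.com", False),
    LoginEvent(1_700_000_160, "198.51.100.4", "alice@example.com", True),
]

# Constructed sample: three accounts chained by a shared device and a shared card.
SAMPLE_ACCOUNTS = [
    Account("acct-1", "a1@example.com", "dev-A", "pay-1"),
    Account("acct-2", "a2@example.com", "dev-A", "pay-2"),   # same device as acct-1
    Account("acct-3", "a3@example.com", "dev-B", "pay-2"),   # same card as acct-2
    Account("acct-4", "bob@example.com", "dev-C", "pay-4"),
    Account("acct-5", "carol@example.com", "dev-D", "pay-5"),
]

if __name__ == "__main__":
    print("stuffing sources:", credential_stuffing_sources(SAMPLE_LOGINS))
    print("multi-account clusters:", multi_account_clusters(SAMPLE_ACCOUNTS))
```

The stuffing detector keys on distinct usernames per source rather than raw failure counts, so a customer fumbling one password is not flagged while a low-volume spray across many accounts is; in production the same logic would also run per device fingerprint and per /24, since attackers rotate IPs. The cluster check deliberately links on attributes a customer cannot cheaply change (device, card), not on email or name.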
Tips for consumers
- Beware of phishing attacks. Never click on unsolicited links or open attachments sent through email, text messages, or social media. Log into your loyalty account by visiting the brand’s website directly, not through a link.
- Use strong, unique passwords for all of your online accounts, and enable 2FA on all accounts that support it.
- Use a password manager like Keeper. Keeper automatically generates unique, high-strength, random passwords for all your sites and apps and stores them in a personal, encrypted digital vault that you can access from any device, running any operating system. In addition to passwords, Keeper stores your 2FA codes, sensitive files, documents, photos, and videos.