Keeping Fraud Out of the Loyalty Equation
Loyalty is an attribute we highly prize in our personal and professional relationships. And companies value customer loyalty through loyalty programs, which boast a long record of helping companies of all kinds achieve growth and revenue goals.
In brief: A loyalty program builds brand engagement and customer loyalty through benefits provided to program members; it also increases company revenue. Loyalty programs are popular, even expected by today’s consumers. In fact, Pymnts.com indicates a whopping 86% of shoppers have joined at least one loyalty program.
Members’ increased engagement lets them earn points, accumulate program benefits, and redeem for rewards (e.g., products, discounts, services, and/or perks). However, millions of earned points are never redeemed. In fact, according to Gartner, loyalty programs result in $140 billion of value in unspent points in the U.S. Business Wire indicates that total may be as much as $48 trillion globally.
This stockpile of unredeemed points presents an attractive and lucrative opportunity for cybercriminals, employees and other internal stakeholders, and even loyalty members. A 2019 report by Forter Fraud Index cites an 89% increase year-over-year in loyalty fraud, with 72% of loyalty managers saying they’ve experienced fraud. Loyalty Security Association estimates that on an annual basis, $3.1 billion in U.S. loyalty program redemption transactions are believed to be fraudulent.
Despite those eye-popping numbers, loyalty fraud is rarely a top priority for companies or members. Let’s examine the three types of loyalty fraud:
External fraud
External fraud is likely what first comes to mind when you imagine fraud. Picture cybercriminals bypassing firewalls as they seek to take over loyalty member accounts through credential stuffing and other attacks. Hackers gain access to accounts, sell personal data on the dark web, and redeem loyalty currency for rewards to use or sell.
Internal fraud
Internal fraud is initiated by employees or other insider stakeholders, such as third-party service providers with system access. This may be intentional, such as creating fake member accounts, stealing identities, abusing goodwill, or manipulating invalid transactions. Unintentional behavior, such as entering an extra zero for goodwill points or invalid information into required fields, may not be fraudulent in the truest sense. However, it still has a negative impact and requires additional training—both to identify such behavior and, more importantly, to ensure the behavior isn’t repeated.
Gaming or friendly fraud
Friendly fraud happens when members creatively exploit program or promotional rules through loopholes or policy violations to illegitimately access program rewards. Common examples include sharing coupons or promotional codes targeted to a specific member or designed for one-time use, submitting excessive complaints to receive goodwill points, opening multiple accounts to earn enrollment bonuses, or conducting multiple point transfers that fall outside program rules.
A 360-Degree View of Loyalty Fraud
Member perspective
Loyalty currency and benefits in a loyalty account aren’t tracked or protected using the same protections as a bank account or investment portfolio. Less-secure password parameters, limited authentication factors, and inactive accounts reduce loyalty account security. Yet many accounts contain payment information and other personally identifiable information (PII) plus valuable loyalty currency, such as points or miles.
Organization outlook
Although we can all agree that program and member security are important, many organizations lack the skills or internal resources to prevent fraud and program abuse. In fact, according to the 2019 report by Forter Fraud Index, 42% of merchants admit they don’t have the skills required to prevent fraud and abuse. Nearly half report insufficient resources and say loyalty program account fraud prevention is considered a low organizational priority.
Companies tend to prioritize projects that deliver a top-notch user experience or appealing competitive offerings, i.e., projects that drive market share and revenue growth. So getting buy-in for loyalty fraud management can be a challenge—especially if the perceived risk is low and fraud management is viewed as a speed bump that slows the rollout of important functionality.
Sometimes loyalty fraud security garners attention—but then gets deprioritized “until next year.” Or perhaps it’s a priority, but the prevention strategies just aren’t broad enough to make the necessary impact. One example might be a security focus at point of account registration and login, but not across the entire member journey. Companies that deal with loyalty program security successfully stay abreast of points vulnerability within their loyalty programs and leverage industry best practices to bolster any weaknesses that would otherwise increase organizational risk.
Fraudster viewpoint
Cybercriminals target under-managed loyalty programs for three key reasons:
- Less regulated: Banking, credit card, and other financial industries are supported by strictly controlled and regularly reviewed regulatory rules. Loyalty programs, on the other hand, lack robust regulatory controls—and many aren’t diligently managed.
- More members and attractive benefits: With the growth and popularity of loyalty programs, a substantial number of member accounts contain valuable loyalty currency, rewards, and benefits.
- Valuable personal data: There’s a vast amount of highly valuable PII stored within loyalty programs, and successful loyalty data breaches fuel ongoing cybercrime.
What’s the Damage?
The negative impact of loyalty program fraud takes many forms, including:
- Lost revenue: According to iApp, loyalty and rewards points fraud results in $1 billion in direct and indirect losses annually.
- Brand reputation and trust: Negative member and public perceptions plus poor public relations erode trust. And that lack of trust results in a negative financial impact, potentially including an overall devaluation of a loyalty program.
- Impact on business growth: Fraudulent activity may result in internal and external business pressure, which can lead to apprehension about championing or expanding the loyalty program.
- Increased operational costs: This may include cost of fraud investigations, remediation (such as reissuing rewards and redepositing loyalty currency), damage control through public relations, and legal and/or regulatory penalties for a data or privacy breach.
Mitigating Loyalty Fraud Is Worth the Effort
Limiting the risk of loyalty fraud is part of a holistic approach to creating a brand-enhancing member experience. Fraud management should be a top priority for all stakeholders, including loyalty management, security and compliance, and executive teams. Prioritizing and investing in loyalty fraud prevention is critical to your program’s long-term viability and success.
To move loyalty management out of emergency disaster recovery and business continuity and into the realm of proactive protection, your organization needs to act before fraud occurs. Putting systems and processes in place to detect and prevent potential loyalty fraud is crucial—and far better than being forced into damage control to resolve existing fraud and its negative business impact.
Your loyalty program also needs to build trust through transparency. Building awareness is key. Educate employees and members about the negative impacts of loyalty fraud plus the strategies used to reduce fraud risk.
Start slow if necessary. But get organized now and mature your fraud-prevention processes over time. To guide you, use these four pillars:
1. Standardize: Begin with a loyalty fraud risk assessment and define standard practices.
2. Operationalize: Put those standard practices into operation.
3. Optimize: Implement adjustments to improve efficiency and/or effective usage.
4. Transform: Continue to evolve and mature program operations to mitigate loyalty fraud.
Process-Improvement Maturity Model
Whatever your strategies for managing loyalty fraud risk for your brand, maintain a proactive approach. Stay focused on intentional evolution and strategic optimization of your program operations to ensure a safe, smooth customer experience.
Making loyalty program security a priority and proactively combatting cybersecurity threats will help your brand maintain trust and achieve program growth and profitability.
Wanda Kauffman, director, technology solutions, and Robyn Zeller, director, strategic services, are part of The Lacek Group. The Lacek Group—a Minneapolis-based data-driven loyalty, experience, and customer engagement agency that has been delivering personalization at scale for its world-class clients for more than 30 years—is an Ogilvy company.