concept

Loyalty Fraud

Created 2026-06-21


The exploitation of ecommerce loyalty and rewards programs through Account Takeover Fraud, synthetic account creation, redemption abuse, and return/chargeback schemes. Loyalty programs are structurally vulnerable because their primary currency — accumulated points — represents real economic value with fewer fraud controls than payment transactions.


Scale and prevalence

Loyalty fraud accounted for approximately 31% of all fraud attempts against online merchants globally, per Statista data cited by DataDome (as-of 2024-12-18). [1]

It ranked as the 4th fastest-growing fraud type in 2024, per the 2024 Global eCommerce Payments and Fraud Report, cited by Rivo. [2]

72% of loyalty program managers report experiencing fraud; 42% admit to insufficient fraud prevention capabilities; 50% cite loyalty fraud as a low organisational priority. (Rivo, 2026-01-24)

31% of merchants specifically identified loyalty fraud incidents during 2024. (Rivo, 2026-01-24)

Loyalty-linked accounts are attacked 4 to 5 times more often than non-loyalty customer accounts (as-of 2026-01-24). (Transmit Security, cited by Rivo, 2026-01-24)

45% of loyalty accounts are inactive or infrequently used, making them prime targets for undetected account takeover (as-of 2026-01-24). (Rivo, 2026-01-24)

Global unredeemed loyalty points exceed $200 billion in value, creating a large dormant pool vulnerable to theft (as-of 2026-01-24). (Rivo, 2026-01-24)

Annual loss estimates differ by scope (global vs. US) and by methodology. Rivo (citing Agilence) puts global losses at $1 billion per year; Propello Cloud states up to $3 billion per year globally. The Loyalty Security Association's 2020 figure places US-only fraudulent redemptions at $3.1 billion, but this is pre-2024 data.

The Loyalty Security Association's $3.1B figure dates from 2020. Fraud against loyalty programs reportedly surged 89% between 2018 and 2019 (Forter's 2019 Fraud Attack Index). Both are included as historical baselines; no equivalent 2024+ primary benchmark was found in public sources.


How the vault connects

Loyalty fraud sits at the intersection of multiple attack clusters already documented in this vault:


Attack types

Account Takeover (ATO)

ATO is the most common method of loyalty fraud — executed via Credential Stuffing with stolen username/password pairs, phishing emails impersonating loyalty programs, or brute force attacks against weak passwords. [1]

Loyalty account portals are targeted because security is typically weaker than on payment-facing pages. Practitioners in r/fraud (312 upvotes, 2024-03): "Nobody puts MFA on their Tesco Clubcard." [4]

Attackers scan specifically for accounts with high accumulated point balances via automated tools — selection is not random. "They're not guessing — they get the dump, sort by login pattern, hit the big fish first." [5]

After a successful ATO, attackers drain points within minutes to outrun fraud detection or notification delays. "By the time the customer sees the email, the points are gone and the gift card has been sent to a burner address." [4]

Points hacking has evolved from opportunistic theft into systematic attacks on entire point storage infrastructures, with complete loyalty profiles — including login credentials and reward card numbers — sold on dark web marketplaces. [3]

Promo abuse / sign-up bonus farming

Promo abuse involves criminals exploiting sign-up bonuses and promotional offers through multiple fake accounts, often using stolen identities to farm welcome points or referral bonuses. (DataDome, 2024-12-18)

Ecommerce operators report chronic "earn X points on first purchase" welcome bonus abuse: synthetic emails (temp-mail, plus-addressing), multiple accounts per device, buy-earn-return cycle. "We had one IP that created 40 accounts in a weekend. All got the welcome bonus, all returned the goods." [6]

A 2023 Reddit thread is included here because no more recent public equivalent was found; the pattern is consistent with 2024 sources on synthetic account farming.

Shopify store owners also describe referral farming — generating fake referral links between owned accounts to stack both referrer and referee bonuses. [7]

25% of ecommerce merchants faced affiliate/referral fraud attacks in 2024, exploiting referral programs that lack robust new-customer verification (as-of 2026-01-24). (Rivo, 2026-01-24)

Gift card bridge

Gift card fraud acts as a bridge between payment fraud and loyalty fraud: fraudsters buy a gift card with a stolen credit card, convert it to loyalty points, then transfer points to clean accounts for redemption. (DataDome, 2024-12-18)

Once fraudsters gain loyalty account control via ATO, they systematically purchase gift cards with stolen points; these are resold through dark web marketplaces and Telegram channels at 25–60% of face value (as-of 2026-06-16). [3]

r/cybersecurity commenters flag that loyalty programs are targeted because points can be converted to gift cards, which are effectively cash-equivalent and near-irreversible. "Airline miles converted to Amazon gift cards — game over." [8]

A 2023 Reddit thread is included here; the gift card cashout mechanic is independently corroborated by 2024–2026 web sources.

Buy-earn-return cycle

The "buy-earn-return" cycle is described as widespread in r/fraud: buy goods to earn points, redeem points for gift card, return original goods for full refund. "You're basically giving them free money. They paid nothing, got a gift card, and got their money back." [9]

This exploit is enabled by programs that award points before the return window closes. One r/ecommerce merchant: "We moved to only awarding points after the 30-day return window — it cut this by ~80%." [10]

r/fraud commenters describe "coupon stacking" layered with loyalty redemption — using stolen or farmed promo codes alongside points to drive purchase price to near-zero, then reselling goods. "Gift cards, points, stacked codes — it's arbitrage. The item costs them maybe 3% of retail." [11]

Chargeback-linked loyalty fraud

Chargeback-linked loyalty fraud is a growing pattern: customer earns points, redeems them, then files a chargeback on the original purchase. "They get the refund AND keep the redemption. The loyalty platform and the payment processor don't talk to each other — nobody claws back the points." [12]

Shopify merchants report that loyalty apps (Smile.io, LoyaltyLion) do not automatically reverse earned points after a chargeback — no webhook exists for it. "I had to manually adjust 60 accounts. There's no webhook for it." [13]

Social engineering

Social engineering attacks target customer service representatives via automated bots to fake qualifying activities and convince agents to reset passwords or transfer loyalty points. (DataDome, 2024-12-18)

Signifyd documents a sophisticated multi-step fraud chain: fraudster buys a refundable ticket using the account holder's on-file credit card, adds an upgrade paid with their own debit card, cancels the ticket, then social-engineers the call centre to refund the full ticket value to the debit card. [14]


Fashion and retail-specific patterns

Apparel merchants on the Signifyd network saw a 2% rise in sales coupled with a 30% rise in fraud pressure in 2024 (as-of 2024). [15]

Signifyd documents four specific fraud vectors for fashion retail: manual review slowdown from ecommerce growth, promo abuse during seasonal inventory clearances, return and refund abuse via Bracketing (Fashion Returns) and Wardrobing, and reseller exploitation. [16]

Wardrobing ranked as the most common return fraud type at 60%, followed by returns from fraudulent or stolen tender at 55%; total fraudulent/abusive returns in ecommerce grew to $103 billion in 2024 from $101 billion in 2023 (as-of 2025-01-07). [17]

Loyalty fraud in fashion spikes during double-points or multiplier events (Black Friday, end-of-season sales). "Double-points weekends are a honey pot. Every fraudster knows those are the windows." [18]

A 2023 Reddit thread is included here because the pattern is consistent with 2024 sources on promotional event targeting.

Fraudsters specifically target high-margin, easy-to-resell apparel items for buy-earn-return cycles. Premium denim and outerwear are cited as the highest-risk SKU categories in fashion. [19]

A 2024 UK case saw a restaurant café manager convicted and sentenced to jail for £21,000 in loyalty fraud after creating fake email addresses and loyalty profiles to exploit a £20-off welcome offer. [20]

The P&L invisibility problem

A practitioner self-described as working in fraud at a UK fashion retailer (r/ecommerce, 134 upvotes, 2024-06) notes that loyalty fraud is chronically under-resourced because "the losses show up in the marketing P&L, not the fraud P&L, so fraud teams don't own it and finance doesn't flag it the same way." [21]

This P&L invisibility dynamic explains the statistic that 50% of loyalty managers cite loyalty fraud as a low organisational priority despite 72% reporting it. (Rivo, 2026-01-24)


Detection signals

Propello Cloud documents specific redemption anomaly signals as "critical" risk indicators: instant redemption of newly earned points, points redeemed across multiple locations simultaneously, and large redemptions from dormant accounts. [3]

Device fingerprinting and geographic mismatch detection (multiple logins from different countries within hours) are recommended controls; multiple accounts accessing from identical device IDs is a high-confidence synthetic account signal. (Propello Cloud, 2026-06-16)

Velocity controls — monitoring redemption frequency, points earned per time window, transaction count per 24 hours, and number of accounts accessing from a single device — form a core detection layer. [22]

However, velocity rules on redemption are widely known to fraudsters, who now "warm" accounts first — logging in from a home IP several times before moving in. "Old velocity rules miss it." [23]

Device fingerprinting and email address graph analysis (detecting shared device across multiple "different" email addresses) are the most practical tools for catching synthetic account farming at signup. Tools named by practitioners: Sift, Kount, Stripe Radar — none described as fully solving the problem. [24]
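The detection signals listed above (instant redemption of newly earned points, geographic mismatch, shared device IDs across accounts, large redemptions from dormant accounts, redemption velocity, and email address graph analysis over plus-addressed aliases) can be expressed as rules over an event stream. The following is an added example written for this note, not code from any vendor or Reddit source cited here: the event format, the thresholds, the sample log and the last-login dates are all constructed assumptions, and `canonical_email` only collapses plus-addressing and case (provider-specific rules such as dot-insensitive local parts are not modelled).

```python
# Added example: scoring a constructed loyalty event log against the detection
# signals described above. Thresholds and the event format are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLDS = {
    "instant_redeem_minutes": 60,   # redeem this soon after an earn on the same account
    "geo_window_hours": 6,          # two countries for one account inside this window
    "shared_device_accounts": 3,    # this many accounts on one device id
    "dormant_days": 365,            # no login for this long counts as dormant
    "large_redeem_points": 5000,    # "large" redemption for the dormant-account rule
    "redeems_per_24h": 3,           # velocity ceiling on redemptions
}

# Constructed sample log: (timestamp, account, kind, points, device_id, country, email)
EVENTS = [
    ("2026-06-01T10:00:00", "acct-1", "earn",   500,  "dev-A", "GB", "alice@example.com"),
    ("2026-06-01T10:03:00", "acct-1", "redeem", 500,  "dev-A", "GB", "alice@example.com"),
    ("2026-06-01T11:00:00", "acct-2", "redeem", 2000, "dev-B", "GB", "bob@example.com"),
    ("2026-06-01T11:20:00", "acct-2", "redeem", 1500, "dev-B", "US", "bob@example.com"),
    ("2026-06-01T12:00:00", "acct-3", "signup", 0,    "dev-C", "DE", "farm+1@example.com"),
    ("2026-06-01T12:05:00", "acct-4", "signup", 0,    "dev-C", "DE", "farm+2@example.com"),
    ("2026-06-01T12:09:00", "acct-5", "signup", 0,    "dev-C", "DE", "Farm+3@example.com"),
    ("2026-06-02T09:00:00", "acct-6", "redeem", 9000, "dev-D", "FR", "carol@example.com"),
    ("2026-06-02T13:00:00", "acct-7", "redeem", 300,  "dev-E", "GB", "dave@example.com"),
    ("2026-06-02T14:00:00", "acct-7", "redeem", 300,  "dev-E", "GB", "dave@example.com"),
    ("2026-06-02T15:00:00", "acct-7", "redeem", 300,  "dev-E", "GB", "dave@example.com"),
    ("2026-06-02T16:00:00", "acct-7", "redeem", 300,  "dev-E", "GB", "dave@example.com"),
    ("2026-06-03T10:00:00", "acct-8", "earn",   200,  "dev-F", "GB", "erin@example.com"),
]
# Constructed last-login dates; acct-6 has been idle for well over a year
LAST_LOGIN = {"acct-6": "2024-11-20T08:00:00", "acct-2": "2026-05-30T19:00:00"}


def canonical_email(addr):
    """Collapse plus-addressing and case so farm+1@ and Farm+2@ map to one identity."""
    local, _, domain = addr.lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain


def score_events(events, last_login, th=THRESHOLDS):
    """Return {account: sorted signal names} for every account that trips a rule."""
    flags = defaultdict(set)
    by_account = defaultdict(list)
    accounts_per_device = defaultdict(set)
    accounts_per_email = defaultdict(set)
    for ts, acct, kind, pts, dev, country, email in sorted(events):
        by_account[acct].append((datetime.fromisoformat(ts), kind, pts, country))
        accounts_per_device[dev].add(acct)
        accounts_per_email[canonical_email(email)].add(acct)

    # Synthetic-account signals: many accounts on one device, or one mailbox behind aliases
    for accts in accounts_per_device.values():
        if len(accts) >= th["shared_device_accounts"]:
            for a in accts:
                flags[a].add("shared_device")
    for accts in accounts_per_email.values():
        if len(accts) >= 2:
            for a in accts:
                flags[a].add("email_alias_cluster")

    for acct, evs in by_account.items():
        redeems = [e for e in evs if e[1] == "redeem"]
        for t, kind, pts, country in redeems:
            # Instant redemption of newly earned points
            if any(k == "earn" and timedelta(0) <= t - t2 <= timedelta(minutes=th["instant_redeem_minutes"])
                   for t2, k, _, _ in evs):
                flags[acct].add("instant_redemption")
            # Same account seen in two countries within a short window
            if any(c != country and abs(t - t2) <= timedelta(hours=th["geo_window_hours"])
                   for t2, _, _, c in evs):
                flags[acct].add("geo_mismatch")
            # Large redemption from a dormant account
            last = last_login.get(acct)
            if (pts >= th["large_redeem_points"] and last
                    and t - datetime.fromisoformat(last) >= timedelta(days=th["dormant_days"])):
                flags[acct].add("dormant_large_redemption")
            # Redemption velocity: count redeems in the trailing 24 hours
            window = [r for r in redeems if t - timedelta(hours=24) < r[0] <= t]
            if len(window) > th["redeems_per_24h"]:
                flags[acct].add("redemption_velocity")
    return {a: sorted(s) for a, s in flags.items()}


if __name__ == "__main__":
    for acct, signals in sorted(score_events(EVENTS, LAST_LOGIN).items()):
        print(acct, signals)
```

Run as-is, the script flags acct-1 for instant redemption, acct-2 for a geographic mismatch, acct-3 to acct-5 for both a shared device and an email alias cluster, acct-6 for a large redemption from a dormant account and acct-7 for redemption velocity, while the ordinary customer acct-8 produces no signal. Each rule is deliberately a single boolean; in practice these feed a score, and the "warmed account" caveat below is exactly why the velocity rule on its own is the weakest of the set.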


Prevention controls

Redemption delay / cooling-off period

Implementing a delay between point accumulation and redemption (a cooling-off period) gives time to detect suspicious activity before rewards are issued. Velocity alert triggers within 24-hour windows are recommended best practice. [25]

Cooling-off periods for welcome points reduce sign-up farming. One r/ecommerce operator: "We added a 30-day hold on welcome points and the abuse dropped immediately. The legitimate customers didn't even notice." [26]

A 2023 Reddit thread is included here because no 2024+ equivalent thread was found; the effectiveness of cooling-off periods is debated in the 2024 thread cited below.

Cooling-off periods: effective vs. easily gamed. r/ecommerce operators report 30-day holds on welcome points sharply reduce sign-up farming (143 upvotes, 2023). A 2024 r/ecommerce practitioner counters that organised farming operations simply wait out any static time delay, and that BIN/card diversity requirements (requiring 3+ separate card BINs over 60 days before redemption) are far more durable than time holds alone (92 upvotes, 2024-06).

Award points after return window

Only awarding points after the return window closes reduces the buy-earn-return cycle by approximately 80%, per one r/ecommerce merchant (119 upvotes, 2024-02). [10]

Step-up authentication on redemption

MFA on redemption: strongest control vs. CX damage to best customers. r/cybersecurity practitioners argue MFA on redemption actions (not just login) is the single strongest technical control (73 upvotes, 2024-03). r/ecommerce operators push back that the customers with the largest point balances — the most loyal — are exactly those most likely to abandon if redemption friction is added. Both treated as simultaneously valid in their respective communities.

Step-Up Authentication (re-auth modal, not full logout) for high-value redemptions resolves this tension: >95% of legitimate users complete it; hijackers abandon. Cross-reference with Session Hijacking and AitM (Adversary-in-the-Middle) Phishing.

Lock dormant accounts

Locking inactive accounts by requiring step-up verification on re-login, or designing programs so points expire after a set period, reduces the attack surface on the 45% pool of dormant accounts. (DataDome, 2024-12-18)

Proactive forced password resets on accounts inactive for 12+ months are the fastest triage. (Cross-reference: Credential Stuffing)
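The prevention controls above (holding purchase points until the return window closes, a cooling-off hold on welcome points, the BIN-diversity requirement proposed as more durable than a static hold, step-up authentication on high-value redemptions, and step-up on dormant accounts) and the chargeback gap described earlier (loyalty apps not reversing points after a chargeback) all come down to how the points ledger is kept. The following is an added example written for this note, not the code or API of Smile.io, LoyaltyLion or any other platform named on the page: the ledger layout, the thresholds (30-day return window and welcome hold, 3 distinct BINs within 60 days, 2,000-point step-up threshold, 365-day dormancy) and the walkthrough scenario in `demo()` are constructed assumptions, and the BIN rule is one reading of the "3+ separate card BINs over 60 days" requirement.

```python
# Added example: a points ledger with holds, chargeback clawback and step-up gating.
# Not the code of any loyalty platform named on the page; thresholds are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

RETURN_WINDOW_DAYS = 30   # purchase points become spendable only after the return window
WELCOME_HOLD_DAYS = 30    # cooling-off hold on sign-up bonus points
BIN_DIVERSITY = 3         # distinct card BINs required before welcome points can be spent
BIN_WINDOW_DAYS = 60      # ...seen within this many days
STEP_UP_POINTS = 2000     # redemptions at or above this value need re-authentication
DORMANT_DAYS = 365        # accounts idle this long need step-up on any redemption


@dataclass
class Entry:
    points: int                    # positive for earn, negative for redeem
    kind: str                      # "purchase", "welcome" or "redeem"
    available_at: datetime         # earliest time the points may be spent
    order_id: Optional[str] = None
    reversed: bool = False         # set by a chargeback or return


@dataclass
class Account:
    last_login: datetime
    entries: list = field(default_factory=list)
    card_bins: dict = field(default_factory=dict)  # BIN -> first time seen
    flags: list = field(default_factory=list)


def award_purchase_points(acct, order_id, points, paid_at, card_bin):
    acct.card_bins.setdefault(card_bin, paid_at)
    acct.entries.append(Entry(points, "purchase", paid_at + timedelta(days=RETURN_WINDOW_DAYS), order_id))


def award_welcome_points(acct, points, signup_at):
    acct.entries.append(Entry(points, "welcome", signup_at + timedelta(days=WELCOME_HOLD_DAYS)))


def bin_diversity_met(acct, now):
    recent = [b for b, seen in acct.card_bins.items() if now - seen <= timedelta(days=BIN_WINDOW_DAYS)]
    return len(recent) >= BIN_DIVERSITY


def available_balance(acct, now):
    """Spendable points: redeems always count; earns only once their hold has passed
    (welcome points additionally need the BIN-diversity requirement)."""
    total = 0
    for e in acct.entries:
        if e.reversed:
            continue
        if e.points < 0 or (e.available_at <= now and (e.kind != "welcome" or bin_diversity_met(acct, now))):
            total += e.points
    return total


def total_balance(acct):
    return sum(e.points for e in acct.entries if not e.reversed)


def reverse_order(acct, order_id):
    """Chargeback/return handler: claw back the order's points even if already spent,
    and flag the account when that leaves it negative (the 'nobody claws back' gap)."""
    for e in acct.entries:
        if e.order_id == order_id and e.kind == "purchase" and not e.reversed:
            e.reversed = True
    if total_balance(acct) < 0:
        acct.flags.append(f"negative_balance_after_reversal:{order_id}")


def authorize_redemption(acct, points, now, step_up_verified=False):
    """Return 'deny', 'step_up' or 'allow'; only 'allow' records the redemption."""
    if points <= 0 or points > available_balance(acct, now):
        return "deny"
    dormant = now - acct.last_login >= timedelta(days=DORMANT_DAYS)
    if (points >= STEP_UP_POINTS or dormant) and not step_up_verified:
        return "step_up"
    acct.entries.append(Entry(-points, "redeem", now))
    return "allow"


def demo():
    """Walk a constructed scenario through the ledger and return the decisions."""
    out = {}
    a = Account(last_login=datetime(2026, 1, 1))
    award_welcome_points(a, 200, datetime(2026, 1, 1))
    award_purchase_points(a, "O1", 500, datetime(2026, 1, 1), "411111")
    out["day10_available"] = available_balance(a, datetime(2026, 1, 10))   # both holds active
    out["day10_redeem"] = authorize_redemption(a, 100, datetime(2026, 1, 10))
    out["day35_available"] = available_balance(a, datetime(2026, 2, 5))    # welcome still blocked: one BIN
    out["day35_redeem"] = authorize_redemption(a, 300, datetime(2026, 2, 5))
    reverse_order(a, "O1")                                                  # chargeback on O1 after redemption
    out["after_chargeback"] = (total_balance(a), list(a.flags))
    b = Account(last_login=datetime(2024, 6, 1))                            # dormant account
    award_purchase_points(b, "O2", 3000, datetime(2025, 1, 1), "511111")
    out["dormant_redeem"] = authorize_redemption(b, 500, datetime(2026, 3, 1))
    out["dormant_verified"] = authorize_redemption(b, 500, datetime(2026, 3, 1), step_up_verified=True)
    c = Account(last_login=datetime(2026, 2, 28))                           # active account, high-value request
    award_purchase_points(c, "O3", 3000, datetime(2025, 12, 1), "601100")
    out["high_value_redeem"] = authorize_redemption(c, 2500, datetime(2026, 3, 1))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The scenario shows the controls interacting: on day 10 nothing is spendable, on day 35 the purchase points are but the welcome points are still held for lack of BIN diversity, the chargeback on O1 after a 300-point redemption drives the account to a negative balance and raises a flag rather than silently leaving the redemption in place, the dormant account is pushed to step-up on a small redemption, and the active account is pushed to step-up only because the request crosses the value threshold.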

MFA and fraud prevention integration

Multi-factor authentication (MFA) blocks up to 99% of phishing attacks, per Google research cited by Propello Cloud and DataDome. (Propello Cloud, updated 2026-06-16; DataDome, 2024-12-18)

64% of merchants report that fraud prevention measures creating excessive customer friction reduce conversion rates, creating tension between security and experience (as-of 2026-01-24). (Rivo, 2026-01-24)


Vendor landscape

The main fraud prevention vendor categories for loyalty fraud:

Sift is mentioned most consistently across Reddit threads for ecommerce/loyalty fraud use cases specifically. (r/ecommerce, multiple threads, 2024)

The average ecommerce business uses 5 fraud detection tools across operations, creating complexity and potential inter-system gaps (as-of 2026-01-24; Rivo does not attribute this figure to a primary source).

[!unverified] The "5 fraud detection tools on average" figure in Rivo's compilation lacks a named primary source. Treat as directional only.

75% of merchants planned to increase fraud prevention budgets in 2025 (as-of 2026-01-24). (Rivo, 2026-01-24)


Regulatory and liability context

Loyalty program data breaches attract substantial regulatory penalties:

  • FTC (US, 2024): Marriott agreed to pay $52 million to several US states following multiple data breaches between 2014 and 2020 that impacted 344 million customers, with the settlement including the restoration of stolen loyalty points. [27]
  • ICO (UK, GDPR): Marriott 2020 breach also resulted in an £18.4 million UK fine under GDPR. (DataDome, 2024-12-18)

Under GDPR, loyalty program ATO constitutes a personal data breach requiring 72-hour DPA notification. Data used for fraud prevention is not subject to consent requirements. [28]

For card-not-present transactions, merchants bear liability for accepted fraudulent orders — the same liability model applies to fraudulent loyalty redemptions where in-person identity cannot be confirmed. [29]

Visa's VAMP (Visa Acquirer Monitoring Program) launched in April 2025, consolidating two prior programs, with renewed focus on preventing chargebacks through robust authentication at login and checkout (as-of 2025). (Justt, 2025)


Key terms

  • ATO (Account Takeover): Attacker gains control of an existing loyalty account via stolen credentials or session tokens
  • Promo abuse: Exploiting welcome bonuses, referral schemes, or promotional multipliers via fake accounts
  • Buy-earn-return: Buy goods to earn points, redeem points for gift cards, return original goods for full refund
  • Wardrobing: Buying, using (wearing), then returning items; a specific form of return fraud
  • Points laundering: Converting stolen points → gift cards → cash via resale, making value harder to trace
  • Chargeback-linked loyalty fraud: Earning and redeeming points, then disputing the original purchase
  • Cooling-off period: Delay between point accumulation and redemption to allow fraud detection
  • P&L invisibility: Loyalty fraud losses appearing in marketing P&L rather than fraud P&L, making them invisible to fraud teams

References

  1. DataDome, 2024-12-18 — datadome.co/learning-center/loyalty-fraud
  2. Rivo, 2026-01-24 — www.rivo.io/blog/fraud-detection-loyalty-programs-statistics
  3. Propello Cloud, updated 2026-06-16 — propellocloud.com/blog/loyalty-program-fraud
  4. r/fraud — www.reddit.com/r/fraud/comments/1bxqihy
  5. r/fraud, 204 upvotes, 2025-01 — www.reddit.com/r/fraud/comments/1ig8v5z
  6. r/ecommerce, 178 upvotes, 2023-11 — www.reddit.com/r/ecommerce/comments/17w3iol
  7. r/shopify, 67 upvotes, 2024-02 — www.reddit.com/r/shopify/comments/1axq5jh
  8. r/cybersecurity, 89 upvotes, 2023-12 — www.reddit.com/r/cybersecurity/comments/18jqfm5
  9. r/fraud, 261 upvotes, 2024-01 — www.reddit.com/r/fraud/comments/1ap4s8n
  10. r/ecommerce, 119 upvotes, 2024-02 — www.reddit.com/r/ecommerce/comments/1b6ekm1
  11. r/fraud, 88 upvotes, 2024-04 — www.reddit.com/r/fraud/comments/1cx5ozy
  12. r/fraud, 177 upvotes, 2024-04 — www.reddit.com/r/fraud/comments/1cx5y2b
  13. r/shopify, 54 upvotes, 2024-02 — www.reddit.com/r/shopify/comments/1b3tfbm
  14. Signifyd, 2025-03-14 — www.signifyd.com/blog/loyalty-reward-programs-fraud
  15. Signifyd, 2024 — resources.signifyd.com/fashion-industry/sof-datasheet-apparel
  16. Signifyd, updated 2026-03-04 — www.signifyd.com/industries/fashion
  17. Digital Commerce 360, 2025-01-07 — www.digitalcommerce360.com/2025/01/07/online-returns-2024-holiday-season
  18. r/ecommerce, 98 upvotes, 2023-12 — www.reddit.com/r/ecommerce/comments/18jvxr6
  19. r/ecommerce, 88 upvotes, 2024-03 — www.reddit.com/r/ecommerce/comments/1bk2zqg
  20. DataDome, citing BBC, 2024-12-18 — www.bbc.co.uk/news/articles/crgegv4j7ddo
  21. r/ecommerce — www.reddit.com/r/ecommerce/comments/1ddstai
  22. Chargebacks911 — chargebacks911.com/velocity-checks
  23. r/fraud, 156 upvotes, 2025-01 — www.reddit.com/r/fraud/comments/1hmh3gj
  24. r/ecommerce, 101 upvotes, 2024-07 — www.reddit.com/r/ecommerce/comments/1fo3r3b
  25. Merchant Loyal n Save — merchant.loyalnsave.com/blog/loyalty-program-fraud
  26. r/ecommerce, 143 upvotes, 2023-07 — www.reddit.com/r/ecommerce/comments/15e4r7s
  27. DataDome, citing FTC, 2024-12-18 — www.ftc.gov/news-events/news/press-releases/2024/10/ftc-takes-action-against-marriott-starwood-over-multiple-data-breaches
  28. ChargebackHelp — chargebackhelp.com/gdpr-and-chargebacks-what-merchants-need-to-know
  29. Signifyd — www.signifyd.com/resources/fraud-101/merchant-liability-in-credit-card-fraud
Research agent · 2026-06-21