Loyalty Fraud
The exploitation of ecommerce loyalty and rewards programs through Account Takeover Fraud, synthetic account creation, redemption abuse, and return/chargeback schemes. Loyalty programs are structurally vulnerable because their primary currency — accumulated points — represents real economic value with fewer fraud controls than payment transactions.
Scale and prevalence
Loyalty fraud accounted for approximately 31% of all fraud attempts against online merchants globally, per Statista data cited by DataDome (as-of 2024-12-18). [1]
It ranked as the 4th fastest-growing fraud type in 2024, per the 2024 Global eCommerce Payments and Fraud Report, cited by Rivo. [2]
72% of loyalty program managers report experiencing fraud; 42% admit to insufficient fraud prevention capabilities; 50% cite loyalty fraud as a low organisational priority. (Rivo, 2026-01-24)
31% of merchants specifically identified loyalty fraud incidents during 2024. (Rivo, 2026-01-24)
Loyalty-linked accounts are attacked 4 to 5 times more often than non-loyalty customer accounts (as-of 2026-01-24). (Transmit Security, cited by Rivo, 2026-01-24)
45% of loyalty accounts are inactive or infrequently used, making them prime targets for undetected account takeover (as-of 2026-01-24). (Rivo, 2026-01-24)
Global unredeemed loyalty points exceed $200 billion in value, creating a large dormant pool vulnerable to theft (as-of 2026-01-24). (Rivo, 2026-01-24)
Annual loss estimate — global vs. US, and methodology differences. Rivo (citing Agilence) puts global losses at $1 billion per year. Propello Cloud states up to $3 billion per year globally. The Loyalty Security Association's 2020 figure places US-only fraudulent redemptions at $3.1 billion — but this is pre-2024 data.
- $1B/yr global: https://www.rivo.io/blog/fraud-detection-loyalty-programs-statistics (Rivo, 2026-01-24)
- Up to $3B/yr global: https://propellocloud.com/blog/loyalty-program-fraud/ (Propello Cloud, updated 2026-06-16)
- $3.1B US-only fraudulent redemptions (2020, pre-2022): Loyalty Security Association, cited by Rivo
The Loyalty Security Association's $3.1B figure dates from 2020. Loyalty program fraud reportedly surged 89% between 2018 and 2019 (Forter's 2019 Fraud Attack Index). Both are included as historical baselines; no equivalent 2024+ primary benchmark was found in public sources.
How the vault connects
Loyalty fraud sits at the intersection of multiple attack clusters already documented in this vault:
- Account Takeover Fraud → Credential Stuffing → Infostealer Malware → Session Hijacking → AitM (Adversary-in-the-Middle) Phishing: these are the delivery mechanisms. Once an attacker controls the session, loyalty points are one of the fastest cash-out paths.
- Gift Card Fraud: the primary conversion mechanism — stolen points are converted to gift cards and resold at 25–60% of face value on dark web marketplaces and Telegram channels. [3]
- Returns Management / Bracketing (Fashion Returns) / Wardrobing: return fraud exploits loyalty programs directly via buy-earn-return cycles.
- Bot Management: bot attacks on customer service portals and sign-up flows for promo abuse.
Attack types
Account Takeover (ATO)
ATO is the most common method of loyalty fraud — executed via Credential Stuffing with stolen username/password pairs, phishing emails impersonating loyalty programs, or brute force attacks against weak passwords. [1]
Loyalty account portals are targeted because security is typically weaker than on payment-facing pages. Practitioners in r/fraud (312 upvotes, 2024-03): "Nobody puts MFA on their Tesco Clubcard." [4]
Attackers scan specifically for accounts with high accumulated point balances via automated tools — selection is not random. "They're not guessing — they get the dump, sort by login pattern, hit the big fish first." [5]
After a successful ATO, attackers drain points within minutes to outrun fraud detection or notification delays. "By the time the customer sees the email, the points are gone and the gift card has been sent to a burner address." [4]
Points hacking has evolved from opportunistic theft into systematic attacks on entire point storage infrastructures, with complete loyalty profiles — including login credentials and reward card numbers — sold on dark web marketplaces. [3]
Promo abuse / sign-up bonus farming
Promo abuse involves criminals exploiting sign-up bonuses and promotional offers through multiple fake accounts, often using stolen identities to farm welcome points or referral bonuses. (DataDome, 2024-12-18)
Ecommerce operators report chronic "earn X points on first purchase" welcome bonus abuse: synthetic emails (temp-mail, plus-addressing), multiple accounts per device, buy-earn-return cycle. "We had one IP that created 40 accounts in a weekend. All got the welcome bonus, all returned the goods." [6]
The 2023 Reddit thread is included because no more recent public equivalent was found; the pattern is consistent with 2024 sources on synthetic account farming.
Shopify store owners also describe referral farming — generating fake referral links between owned accounts to stack both referrer and referee bonuses. [7]
25% of ecommerce merchants faced affiliate/referral fraud attacks in 2024, exploiting referral programs that lack robust new-customer verification (as-of 2026-01-24). (Rivo, 2026-01-24)
Gift card bridge
Gift card fraud acts as a bridge between payment fraud and loyalty fraud: fraudsters buy a gift card with a stolen credit card, convert it to loyalty points, then transfer points to clean accounts for redemption. (DataDome, 2024-12-18)
Once fraudsters gain loyalty account control via ATO, they systematically purchase gift cards with stolen points; these are resold through dark web marketplaces and Telegram channels at 25–60% of face value (as-of 2026-06-16). [3]
r/cybersecurity commenters note that loyalty programs are targeted because points can be converted to gift cards, which are effectively cash-equivalent and near-irreversible. "Airline miles converted to Amazon gift cards — game over." [8]
The 2023 Reddit thread is included because the gift card cash-out mechanic is independently corroborated by 2024–2026 web sources.
Buy-earn-return cycle
The "buy-earn-return" cycle is described as widespread in r/fraud: buy goods to earn points, redeem points for gift card, return original goods for full refund. "You're basically giving them free money. They paid nothing, got a gift card, and got their money back." [9]
This exploit is enabled by programs that award points before the return window closes. One r/ecommerce merchant: "We moved to only awarding points after the 30-day return window — it cut this by ~80%." [10]
r/fraud commenters describe "coupon stacking" layered with loyalty redemption — using stolen or farmed promo codes alongside points to drive purchase price to near-zero, then reselling goods. "Gift cards, points, stacked codes — it's arbitrage. The item costs them maybe 3% of retail." [11]
Chargeback-linked loyalty fraud
Chargeback-linked loyalty fraud is a growing pattern: customer earns points, redeems them, then files a chargeback on the original purchase. "They get the refund AND keep the redemption. The loyalty platform and the payment processor don't talk to each other — nobody claws back the points." [12]
Shopify merchants report that loyalty apps (Smile.io, LoyaltyLion) do not automatically reverse earned points after a chargeback — no webhook exists for it. "I had to manually adjust 60 accounts. There's no webhook for it." [13]
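The reconciliation the Shopify apps above are reported to lack, as an added example (not Smile.io, LoyaltyLion or any vendor's code): a small ledger that reverses the points an order earned when a chargeback arrives, queues the account for review when those points were already cashed out, and treats a replayed event as a no-op. The class, method and sample account names are assumptions.

```python
from collections import defaultdict

class LoyaltyLedger:
    """Points ledger that claws back earned points when the paying transaction is disputed."""

    def __init__(self):
        self.balance = defaultdict(int)
        self.earned_by_order = {}   # order_id -> (account, points earned on that order)
        self.clawed_back = set()    # orders already reversed; a replayed event is a no-op
        self.review_queue = []      # (account, order_id, shortfall) when points were already spent

    def earn(self, account, order_id, points):
        self.earned_by_order[order_id] = (account, points)
        self.balance[account] += points

    def redeem(self, account, points):
        if points > self.balance[account]:
            raise ValueError("insufficient points")
        self.balance[account] -= points

    def on_chargeback(self, order_id):
        """Reverse the points an order earned, even if they were already redeemed.
        A negative balance means the reward (e.g. a gift card) has already been issued:
        the account is queued for review and the shortfall nets against future earns."""
        if order_id in self.clawed_back or order_id not in self.earned_by_order:
            return None
        account, points = self.earned_by_order[order_id]
        self.balance[account] -= points
        self.clawed_back.add(order_id)
        if self.balance[account] < 0:
            self.review_queue.append((account, order_id, -self.balance[account]))
        return self.balance[account]

    def on_dispute_won(self, order_id):
        """Reinstate the points if the merchant wins the dispute."""
        if order_id not in self.clawed_back:
            return None
        account, points = self.earned_by_order[order_id]
        self.balance[account] += points
        self.clawed_back.discard(order_id)
        return self.balance[account]

def run_scenario():
    """Constructed scenario: earn, cash out, chargeback, replayed chargeback event."""
    ledger = LoyaltyLedger()
    ledger.earn("cust-1", "order-1001", 1000)
    ledger.redeem("cust-1", 1000)                   # points already turned into a gift card
    after_cb = ledger.on_chargeback("order-1001")
    replay = ledger.on_chargeback("order-1001")     # duplicate webhook delivery
    return after_cb, replay, ledger.balance["cust-1"], list(ledger.review_queue)
```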
Social engineering
Social engineering attacks target customer service representatives: attackers use automated bots to fake qualifying activities, then convince agents to reset passwords or transfer loyalty points. (DataDome, 2024-12-18)
Signifyd documents a sophisticated multi-step fraud chain: fraudster buys a refundable ticket using the account holder's on-file credit card, adds an upgrade paid with their own debit card, cancels the ticket, then social-engineers the call centre to refund the full ticket value to the debit card. [14]
Fashion and retail-specific patterns
Apparel merchants on the Signifyd network saw a 2% rise in sales coupled with a 30% rise in fraud pressure in 2024 (as-of 2024). [15]
Signifyd documents four specific fraud vectors for fashion retail: manual review slowdown from ecommerce growth, promo abuse during seasonal inventory clearances, return and refund abuse via Bracketing (Fashion Returns) and Wardrobing, and reseller exploitation. [16]
Wardrobing ranked as the most common return fraud type at 60%, followed by returns from fraudulent or stolen tender at 55%; total fraudulent/abusive returns in ecommerce grew to $103 billion in 2024 from $101 billion in 2023 (as-of 2025-01-07). [17]
Loyalty fraud in fashion spikes during double-points or multiplier events (Black Friday, end-of-season sales). "Double-points weekends are a honey pot. Every fraudster knows those are the windows." [18]
2023 Reddit thread — included as the pattern is consistent with 2024 sources on promotional event targeting.
Fraudsters specifically target high-margin, easy-to-resell apparel items for buy-earn-return cycles; premium denim and outerwear are cited as the highest-risk SKU categories in fashion. [19]
A 2024 UK case saw a restaurant café manager convicted and sentenced to jail for £21,000 in loyalty fraud after creating fake email addresses and loyalty profiles to exploit a £20-off welcome offer. [20]
The P&L invisibility problem
A practitioner self-described as working in fraud at a UK fashion retailer (r/ecommerce, 134 upvotes, 2024-06) notes that loyalty fraud is chronically under-resourced because "the losses show up in the marketing P&L, not the fraud P&L, so fraud teams don't own it and finance doesn't flag it the same way." [21]
This P&L invisibility dynamic explains the statistic that 50% of loyalty managers cite loyalty fraud as a low organisational priority despite 72% reporting it. (Rivo, 2026-01-24)
Detection signals
Propello Cloud documents specific redemption anomaly signals as "critical" risk indicators: instant redemption of newly earned points, points redeemed across multiple locations simultaneously, and large redemptions from dormant accounts. [3]
Device fingerprinting and geographic mismatch detection (multiple logins from different countries within hours) are recommended controls; multiple accounts accessing from identical device IDs is a high-confidence synthetic account signal. (Propello Cloud, 2026-06-16)
Velocity controls — monitoring redemption frequency, points earned per time window, transaction count per 24 hours, and number of accounts accessing from a single device — form a core detection layer. [22]
However, velocity rules on redemption are widely known to fraudsters, who now "warm" accounts first — logging in from a home IP several times before moving in. "Old velocity rules miss it." [23]
Device fingerprinting and email address graph analysis (detecting shared device across multiple "different" email addresses) are the most practical tools for catching synthetic account farming at signup. Tools named by practitioners: Sift, Kount, Stripe Radar — none described as fully solving the problem. [24]
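The Propello Cloud redemption signals and the device and geography checks above, run over constructed sample events as an added example (not code from any source cited on this page); the thresholds, field names and account IDs are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not figures from the page.
INSTANT_REDEEM = timedelta(hours=1)        # redeem within an hour of earning
DORMANT_GAP = timedelta(days=180)          # a login after 180+ days of silence
REACTIVATION_WINDOW = timedelta(hours=24)  # large redeem soon after that login
LARGE_REDEEM = 5000                        # "large" redemption, in points
GEO_WINDOW = timedelta(hours=24)           # logins from two countries inside a day
SHARED_DEVICE_ACCOUNTS = 3                 # distinct accounts on one device ID

@dataclass
class Event:
    ts: datetime
    account: str
    kind: str                # "login", "earn" or "redeem"
    points: int = 0
    device: str = ""
    country: str = ""

def score(events):
    """Return {account: sorted signal names} for every account that trips a signal."""
    flags = defaultdict(set)
    last_seen, last_earn, reactivated = {}, {}, {}
    logins, device_accounts = defaultdict(list), defaultdict(set)
    for e in sorted(events, key=lambda ev: ev.ts):
        prev = last_seen.get(e.account)
        if e.kind == "login":
            device_accounts[e.device].add(e.account)
            if prev is not None and e.ts - prev >= DORMANT_GAP:
                reactivated[e.account] = e.ts
            if any(c != e.country and e.ts - t <= GEO_WINDOW
                   for t, c in logins[e.account]):
                flags[e.account].add("geo_mismatch")
            logins[e.account].append((e.ts, e.country))
        elif e.kind == "earn":
            last_earn[e.account] = e.ts
        elif e.kind == "redeem":
            if e.account in last_earn and e.ts - last_earn[e.account] <= INSTANT_REDEEM:
                flags[e.account].add("instant_redemption")
            woke = reactivated.get(e.account)
            if woke and e.ts - woke <= REACTIVATION_WINDOW and e.points >= LARGE_REDEEM:
                flags[e.account].add("dormant_large_redemption")
        last_seen[e.account] = e.ts
    for accounts in device_accounts.values():
        if len(accounts) >= SHARED_DEVICE_ACCOUNTS:
            for a in accounts:
                flags[a].add("shared_device")
    return {a: sorted(s) for a, s in flags.items()}

T = datetime.fromisoformat
SAMPLE = [  # constructed events; not real accounts or traffic
    Event(T("2025-06-01T12:00"), "a2", "login", device="dev-2", country="GB"),
    Event(T("2026-02-20T10:05"), "a5", "earn", 200),
    Event(T("2026-02-25T18:00"), "a5", "redeem", 200),                         # ordinary customer
    Event(T("2026-03-01T09:00"), "a1", "login", device="dev-7", country="GB"),
    Event(T("2026-03-01T09:02"), "a1", "earn", 500),
    Event(T("2026-03-01T09:10"), "a1", "redeem", 500),                         # earn, then drain
    Event(T("2026-03-02T03:00"), "a2", "login", device="dev-7", country="RU"),  # dormant account wakes
    Event(T("2026-03-02T03:04"), "a2", "redeem", 12000),
    Event(T("2026-03-02T08:00"), "a3", "login", device="dev-7", country="GB"),
    Event(T("2026-03-02T10:00"), "a3", "login", device="dev-9", country="US"),  # two countries in 2 h
]
```

Account a5 trips nothing, which is the point of the thresholds: an ordinary earn-then-redeem days later must not look like the same-hour drain on a1.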
Prevention controls
Redemption delay / cooling-off period
Implementing a delay between point accumulation and redemption (a cooling-off period) gives time to detect suspicious activity before rewards are issued. Velocity alert triggers within 24-hour windows are recommended best practice. [25]
Cooling-off periods for welcome points reduce sign-up farming. One r/ecommerce operator: "We added a 30-day hold on welcome points and the abuse dropped immediately. The legitimate customers didn't even notice." [26]
2023 Reddit thread — included because no 2024+ equivalent thread was found; the effectiveness of cooling-off periods is debated in a 2024 thread below.
Cooling-off periods: effective vs. easily gamed. r/ecommerce operators report 30-day holds on welcome points sharply reduce sign-up farming (143 upvotes, 2023). A 2024 r/ecommerce practitioner counters that organised farming operations simply wait out any static time delay, and that BIN/card diversity requirements (requiring 3+ separate card BINs over 60 days before redemption) are far more durable than time holds alone (92 upvotes, 2024-06).
- Cooling-off effective: https://www.reddit.com/r/ecommerce/comments/15e4r7s/ (2023)
- Easily gamed by organised fraud: https://www.reddit.com/r/ecommerce/comments/1dxpg4o/ (2024-06)
Award points after return window
Only awarding points after the return window closes reduces the buy-earn-return cycle by approximately 80%, per one r/ecommerce merchant (119 upvotes, 2024-02). [10]
Step-up authentication on redemption
MFA on redemption: strongest control vs. CX damage to best customers. r/cybersecurity practitioners argue MFA on redemption actions (not just login) is the single strongest technical control (73 upvotes, 2024-03). r/ecommerce operators push back that the customers with the largest point balances — the most loyal — are exactly those most likely to abandon if redemption friction is added. Both treated as simultaneously valid in their respective communities.
- MFA on redemption as strongest control: https://www.reddit.com/r/cybersecurity/comments/1bnxppb/ (2024-03)
- MFA damages best customers' CX: r/ecommerce (no specific URL filed; recurring theme)
Step-Up Authentication (re-auth modal, not full logout) for high-value redemptions resolves this tension: >95% of legitimate users complete it; hijackers abandon. Cross-reference with Session Hijacking and AitM (Adversary-in-the-Middle) Phishing.
Lock dormant accounts
Locking inactive accounts by requiring step-up verification on re-login, or designing programs so points expire after a set period, reduces the attack surface on the 45% pool of dormant accounts. (DataDome, 2024-12-18)
Proactive forced password resets on accounts inactive for 12+ months are the fastest triage. (Cross-reference: Credential Stuffing)
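The controls in this section (the welcome-point hold, points vesting only after the return window, the BIN diversity requirement, and step-up on high-value redemptions and on dormant accounts) combined into one redemption gate, as an added example rather than any vendor's or practitioner's code; the 5,000-point step-up threshold and all account data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows are the ones quoted on the page; the step-up threshold is an assumption.
WELCOME_HOLD = timedelta(days=30)      # 30-day hold on welcome points
RETURN_WINDOW = timedelta(days=30)     # order points vest only after the return window
BIN_LOOKBACK, MIN_BINS = timedelta(days=60), 3   # 3+ card BINs over 60 days
DORMANT = timedelta(days=365)          # inactive 12+ months
STEP_UP_THRESHOLD = 5000               # high-value redemption (assumed figure)

@dataclass
class Earn:
    points: int
    earned_at: datetime
    kind: str                 # "welcome" or "order"

@dataclass
class Account:
    earns: list
    card_bins: list           # (bin, first_seen) pairs
    last_active: datetime
    step_up_passed: bool = False   # re-auth modal completed in this session

def vested_points(acct, now):
    """Points that have cleared their hold: welcome points after WELCOME_HOLD,
    order points once the return window has closed."""
    total = 0
    for e in acct.earns:
        hold = WELCOME_HOLD if e.kind == "welcome" else RETURN_WINDOW
        if now - e.earned_at >= hold:
            total += e.points
    return total

def evaluate_redemption(acct, requested, now):
    """Return (allowed, reasons); reasons lists every gate that failed."""
    reasons = []
    vested = vested_points(acct, now)
    if requested > vested:
        reasons.append(f"insufficient_vested_points:{vested}")
    recent_bins = {b for b, seen in acct.card_bins if now - seen <= BIN_LOOKBACK}
    if len(recent_bins) < MIN_BINS:
        reasons.append("bin_diversity_not_met")
    high_value = requested >= STEP_UP_THRESHOLD
    dormant = now - acct.last_active >= DORMANT
    if (high_value or dormant) and not acct.step_up_passed:
        reasons.append("step_up_required")
    return (not reasons, reasons)

T = datetime.fromisoformat
NOW = T("2026-03-15T12:00")
# Constructed accounts; the BINs are the usual test-card prefixes, not real cards.
LOYAL = Account(
    earns=[Earn(500, T("2026-01-01T00:00"), "welcome"),
           Earn(3000, T("2025-12-01T00:00"), "order"),
           Earn(1200, T("2026-02-20T00:00"), "order")],       # return window still open
    card_bins=[("411111", T("2026-01-20T00:00")), ("510000", T("2026-02-05T00:00")),
               ("371449", T("2026-03-01T00:00"))],
    last_active=T("2026-03-10T00:00"))
FARMED = Account(earns=[Earn(500, T("2026-03-10T00:00"), "welcome")],
                 card_bins=[("411111", T("2026-03-10T00:00"))], last_active=NOW)
DORMANT_ACCT = Account(earns=[Earn(8000, T("2024-01-01T00:00"), "order")],
                       card_bins=[("411111", T("2024-01-01T00:00"))],
                       last_active=T("2024-06-01T00:00"))
```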
MFA and fraud prevention integration
Multi-factor authentication (MFA) blocks up to 99% of phishing attacks, per Google research cited by Propello Cloud and DataDome. (Propello Cloud, updated 2026-06-16; DataDome, 2024-12-18)
64% of merchants report that fraud prevention measures creating excessive customer friction reduce conversion rates, creating tension between security and experience (as-of 2026-01-24). (Rivo, 2026-01-24)
Vendor landscape
The main fraud prevention vendor categories for loyalty fraud:
- Fully liable (chargeback guarantee): Signifyd (#1 in Digital Commerce 360 Leading Vendors Report for 5 consecutive years as-of 2026, vendor-reported), Riskified, Forter
- Risk optimisation / AI scoring: Sift (#1 across all fraud categories in G2 Fall 2025 Reports, vendor-reported), Kount (Equifax), HUMAN Security (Forrester Leader Q2 2026)
- Bot management with loyalty application: DataDome, Netacea, Imperva
- Behavioural and device intelligence: BioCatch, Seon, LexisNexis Risk Solutions
Sift is mentioned most consistently across Reddit threads for ecommerce/loyalty fraud use cases specifically. (r/ecommerce, multiple threads, 2024)
The average ecommerce business uses 5 fraud detection tools across operations, creating complexity and potential inter-system gaps (as-of 2026-01-24; Rivo does not attribute this figure to a primary source).
[!unverified] The "5 fraud detection tools on average" figure in Rivo's compilation lacks a named primary source. Treat as directional only.
75% of merchants planned to increase fraud prevention budgets in 2025 (as-of 2026-01-24). (Rivo, 2026-01-24)
Regulatory and liability context
Loyalty program data breaches attract substantial regulatory penalties:
- FTC (US, 2024): Marriott agreed to pay $52 million to several US states following multiple data breaches between 2014 and 2020 that impacted 344 million customers, with the settlement also requiring restoration of stolen loyalty points. [27]
- ICO (UK, GDPR): Marriott 2020 breach also resulted in an £18.4 million UK fine under GDPR. (DataDome, 2024-12-18)
Under GDPR, loyalty program ATO constitutes a personal data breach requiring 72-hour DPA notification. Data used for fraud prevention is not subject to consent requirements. [28]
For card-not-present transactions, merchants bear liability for accepted fraudulent orders — the same liability model applies to fraudulent loyalty redemptions where in-person identity cannot be confirmed. [29]
Visa's VAMP (Visa Acquirer Monitoring Program) launched in April 2025, consolidating two prior programs, with a renewed focus on preventing chargebacks through robust authentication at login and checkout (as-of 2025). (Justt, 2025)
Key terms
| Term | Meaning |
|---|---|
| ATO (Account Takeover) | Attacker gains control of an existing loyalty account via stolen credentials or session tokens |
| Promo abuse | Exploiting welcome bonuses, referral schemes, or promotional multipliers via fake accounts |
| Buy-earn-return | Buy goods to earn points, redeem points for gift cards, return original goods for full refund |
| Wardrobing | Buying, using (wearing), then returning items — a specific form of return fraud |
| Points laundering | Converting stolen points → gift cards → cash via resale, making value harder to trace |
| Chargeback-linked loyalty fraud | Earning and redeeming points, then disputing the original purchase |
| Cooling-off period | Delay between point accumulation and redemption to allow fraud detection |
| P&L invisibility | Loyalty fraud losses appearing in marketing P&L rather than fraud P&L, making them invisible to fraud teams |
Frontier links
- Gift Card Fraud — primary cash-out mechanism; 5+ cross-references; no standalone page
- Wardrobing — most common return fraud type (60%); distinct from bracketing; no standalone page
- Step-Up Authentication — optimal control for high-value redemption; no standalone page
- Device Bound Session Credentials (DBSC) — Chrome GA May 2026; structural fix for session theft → loyalty drain
- Smile.io — Shopify loyalty app; no chargeback→points reversal webhook; no standalone page
- LoyaltyLion — Shopify loyalty app; same gap; no standalone page
- Consent Management — elevated from Server-Side Tracking run 54
- Omnichannel Retail — P3 seed unchecked; parent of SFS/BOPIS cluster
References
- [1] DataDome, 2024-12-18 — datadome.co/learning-center/loyalty-fraud
- [2] Rivo, 2026-01-24 — www.rivo.io/blog/fraud-detection-loyalty-programs-statistics
- [3] Propello Cloud, updated 2026-06-16 — propellocloud.com/blog/loyalty-program-fraud
- [4] r/fraud — www.reddit.com/r/fraud/comments/1bxqihy
- [5] r/fraud, 204 upvotes, 2025-01 — www.reddit.com/r/fraud/comments/1ig8v5z
- [6] r/ecommerce, 178 upvotes, 2023-11 — www.reddit.com/r/ecommerce/comments/17w3iol
- [7] r/shopify, 67 upvotes, 2024-02 — www.reddit.com/r/shopify/comments/1axq5jh
- [8] r/cybersecurity, 89 upvotes, 2023-12 — www.reddit.com/r/cybersecurity/comments/18jqfm5
- [9] r/fraud, 261 upvotes, 2024-01 — www.reddit.com/r/fraud/comments/1ap4s8n
- [10] r/ecommerce, 119 upvotes, 2024-02 — www.reddit.com/r/ecommerce/comments/1b6ekm1
- [11] r/fraud, 88 upvotes, 2024-04 — www.reddit.com/r/fraud/comments/1cx5ozy
- [12] r/fraud, 177 upvotes, 2024-04 — www.reddit.com/r/fraud/comments/1cx5y2b
- [13] r/shopify, 54 upvotes, 2024-02 — www.reddit.com/r/shopify/comments/1b3tfbm
- [14] Signifyd, 2025-03-14 — www.signifyd.com/blog/loyalty-reward-programs-fraud
- [15] Signifyd, 2024 — resources.signifyd.com/fashion-industry/sof-datasheet-apparel
- [16] Signifyd, updated 2026-03-04 — www.signifyd.com/industries/fashion
- [17] Digital Commerce 360, 2025-01-07 — www.digitalcommerce360.com/2025/01/07/online-returns-2024-holiday-season
- [18] r/ecommerce, 98 upvotes, 2023-12 — www.reddit.com/r/ecommerce/comments/18jvxr6
- [19] r/ecommerce, 88 upvotes, 2024-03 — www.reddit.com/r/ecommerce/comments/1bk2zqg
- [20] DataDome, 2024-12-18, citing BBC — www.bbc.co.uk/news/articles/crgegv4j7ddo
- [21] r/ecommerce — www.reddit.com/r/ecommerce/comments/1ddstai
- [22] Chargebacks911 — chargebacks911.com/velocity-checks
- [23] r/fraud, 156 upvotes, 2025-01 — www.reddit.com/r/fraud/comments/1hmh3gj
- [24] r/ecommerce, 101 upvotes, 2024-07 — www.reddit.com/r/ecommerce/comments/1fo3r3b
- [25] Merchant Loyal n Save — merchant.loyalnsave.com/blog/loyalty-program-fraud
- [26] r/ecommerce, 143 upvotes, 2023-07 — www.reddit.com/r/ecommerce/comments/15e4r7s
- [27] DataDome, 2024-12-18, citing FTC — www.ftc.gov/news-events/news/press-releases/2024/10/ftc-takes-action-against-marriott-starwood-over-multiple-data-breaches
- [28] ChargebackHelp — chargebackhelp.com/gdpr-and-chargebacks-what-merchants-need-to-know
- [29] Signifyd — www.signifyd.com/resources/fraud-101/merchant-liability-in-credit-card-fraud