How Loyalty Programs Can Pose Cyber Threats

img blog How Loyalty Programs Can Pose Cyber Threats
logo adaptive

In today’s digital era, where convenience and rewards have become paramount, loyalty programs have emerged as a popular tool for businesses to retain and engage customers. These seemingly innocuous cards offer an array of benefits, such as discounts, exclusive offers, and points accumulation, fostering a sense of loyalty among consumers. However, beneath the surface of this seemingly harmless customer relationship strategy lies a lurking danger: the potential for cyber threats.

As technology advances and our lives become increasingly intertwined with digital platforms, the reliance on data collection and analysis has grown exponentially. Loyalty cards, too, have adapted to this paradigm shift by integrating sophisticated data-driven systems, capturing vast amounts of personal information and purchasing habits. While this data can undoubtedly be leveraged for strategic marketing and customer profiling, it also attracts the attention of cybercriminals who exploit vulnerabilities in these systems for their nefarious purposes.

In this article, we will delve into the multifaceted world of loyalty cards and the unexpected cyber threats they can pose. We will shed light on the various ways in which loyalty card systems can be compromised, leading to potential data breaches, identity theft, and financial fraud.

Furthermore, we will examine the potential consequences for both businesses and consumers, as well as offer insights on how to mitigate these risks and safeguard personal information.

By raising awareness about the potential hazards associated with loyalty cards, we aim to empower individuals and organizations to make informed decisions when participating in these programs. Understanding the vulnerabilities and implementing robust security measures can help protect not only personal data but also the reputation and trust of businesses that rely on loyalty programs to foster customer loyalty.

In excerpts from this article by Norton, they wrote, “Many people don’t think twice before signing up for a loyalty or rewards program that offers points, discounts, and prizes. Loyalty programs are a great way to earn freebies, frequent flier miles, or deals on products that customers will buy anyway. It is good for businesses, too, as rewards programs encourage customers to make shopping at their store or website more of a priority or even a habit.

However, there has been a lot of recent concern around loyalty cards and privacy. Cybercriminals have found ways to illegally acquire these reward points and use them, either for themselves or in the underground economy.

With the rise in identity theft and credit card fraud, criminals have also been able to connect loyalty cards with credit and debit cards and have been able to commit larger crimes as a result.

Data collection concern

Some uses of your shopping information can seem innocuous enough. Sometimes it may be beneficial to you. While earning coupons for your yogurt purchase, for example, you are also providing more information about you and your shopping habits to the store.

Unfortunately, in some rare instances, this information can be used against you, as in the case of the Washington-based firefighter who was accused of arson based on the purchase records showing he bought a fire starter. In another instance, a gentleman sued a supermarket after he slipped on yogurt and shattered his knee while grocery shopping. The store retaliated by accusing him of being an alcoholic based on his alcohol purchase.

Data breaches

Third-party companies maintain most databases that store your information. When these companies go through a data breach, the privacy of your information is also at risk. You may wonder what someone would do with your reward points. Buy discounted yogurt? Sadly, it’s not a discount on dairy products they’re after. The real threat here is identity theft. Rewards cards not only have your name, address, and telephone number, but are frequently linked to partial credit and debit card information as well. Identity thieves use this information and combine it with other pieces of your information from other sources. With all these pieces, criminals can easily create a synthetic identity and go on a crime spree.

Steps You Can Take to Protect Your Information

For most consumers, it’s a matter of weighing the potential costs and risks to your privacy against the upside of participating: getting those discounts and saving some real money. If you do use frequent shopper cards, you can still take smart steps to safeguard your privacy, say the experts. Consider these tips:

Watch what you share

Never include your Social Security number on a card application. Some stores request a driver’s license number; leave that space blank unless it is mandatory. It is okay to ask why they need any personal information and what they will do with it.

Consider a secondary email address

If a loyalty program asks you for an email address, use a secondary email account you’ve created just for club memberships and the like. While it’s never a good idea to lie about your name and address, experts advise disclosing the least amount of information possible.

Use password protection

Some loyalty cards require a password to access the account associated with it. Ensure you are using a unique password: don’t reuse a password from another account. (Remember, if you use the same password for all of your accounts, all it takes is one data breach, and cybercriminals can hack into all of your other accounts that share the same password.)

Mind the App

Most loyalty cards have an app associated with it. Sometimes fake apps masquerade as the real thing and pose bigger problems for your phone. Make sure your phone is properly protected with a comprehensive security suite like Norton Security Premium that not only keeps your device safe from malware and viruses but also guards against dangerous apps.

By following a few common sense precautions with loyalty programs, you can reduce the risks to your privacy and get the rewards you want.”

Think something like this will never happen to Canadians? It just did…

Cyber Attack on Suncor Energy Indefinitely Suspends Electronic Payments at Canadian Gas Stations

In an article by CPO Magazine, they wrote, “Motorists who have pulled up to one of Canada’s Petro-Canada gas stations in the last few days (early July 2023) have been greeted by “cash only” signs, as a cyber attack on parent company Suncor Energy has disrupted the company’s payment and loyalty reward systems.

Petro-Canada has about 1,500 gas stations that span most of the country. Suncor Energy is one of the largest synthetic crude producers in Canada. The outage is very likely to cost the company millions of dollars when all is said and done, and some security experts believe there is a link to Russian hackers with a nationalist bent.

Suncor Energy customers, suppliers impacted by cyber attack

Suncor issued a press release on June 25 indicating that there is “no indication” that customer, supplier, or employee data is impacted. The press release is extremely short and does not provide any further indication about what happened, but the extended downtime of payment systems at the gas stations points to ransomware.

Stephen Gates, Principal Security SME of, expands on how a ransomware attack might have ended up compromising payment portals: “Most occurrences of ransomware lock up workstations and data stores but rarely target what most would consider to be IoT. But on the other hand, many gas pumps run commonly used operating systems (like Windows CE) which could make them a considerable target to ransom since an outage could cause untold consumer pain.”

Petro-Canada locations remain open, but visitors have not been able to use cards or loyalty rewards points to pay for transactions. Cash at the register is the only sure means of payment until the incident is sorted out. It does not appear that customers will be able to earn new “Petro-Points” on transactions while the gas stations are hobbled in this way, and loyalty program accounts cannot be accessed via the company app or website.

Petro-Canada has also been selling a “Carwash Season Pass” for use at its gas stations, offering one wash per day for 90 days for a flat price of $65. The cyber attack has also prevented locations from scanning these passes, and customers currently have no means to redeem them.

The full extent of the impact on customers, employees, and suppliers remains unknown so long as Petro-Canada and Suncor remain tight-lipped about what happened. Naturally, it takes some time for internal investigations to unfold. However, statements of “no indication” of abuse of sensitive information usually only mean that the company has not yet spotted the data being posted or transferred on the dark web or elsewhere.

Ransomware gangs are increasingly using the “double extortion” approach of stealing files prior to locking up victim systems and using the threat of public leaks as added pressure. Suncor has verified that third-party cybersecurity investigators have been brought in to assist.

Carol Volk, EVP of BullWall, believes that the “radio silence” approach does not necessarily mean that the attack was devastating to the company: “A company as large as Petro-Canada would most likely have had a plethora of security tools in place to prevent attacks like this. We are never going to stay one step ahead of motivated bad actors. A new approach that layers on active attack containment is the new frontier for cyber security.”

An update from Petro-Canada on June 29 indicated that “most” of its locations are again able to take credit and debit card payments as it makes headway on remediation of the cyber attack.

Hack reduces services for Canada’s second-largest chain of gas stations

The impact is significant, with some customers taking to Twitter and other social media platforms to report that they coasted into Petro-Canada gas stations on fumes only to find that they had no means available to pay for their fill-up, instead having to use their credit card to pay for a tow to another station. Petro-Canada is the second-largest chain of gas stations in the country, holding nearly 11% of the national market share as of early 2023 and second only to Parkland Fuel.

Hackers have shown an increased interest in the oil and gas sector in recent years. While some of this is driven by expected nation-state espionage and the occasional attempt at causing damage, the biggest share of growth has been for-profit criminals looking to steal valuable data and extort these companies.

The 2021 Colonial Pipeline attack was the obvious poster child for this trend, but there have been numerous other major incidents involving for-profit criminal hackers in recent years. A 2022 report from the S&P Global Platts Oil Security Sentinel project found 35 major cyber-attacks within the prior five years, and that ransomware attempts on oil and gas companies were up 150%.”

The What, Why, and How of Loyalty Fraud

In excerpts from an article by Kount, they wrote, “Offering rewards and incentives to your customers through loyalty programs is a great way to maintain positive customer relationships. Unfortunately, good things often attract fraudsters and opportunistic customers. These programs can become easy targets — which is why you need to be prepared to counter loyalty program fraud.

Loyalty program fraud is when a fraudster or opportunistic customer manipulates the rules of a rewards program. It can also involve stealing points from a loyalty account. Most programs allow customers to accrue loyalty points that are redeemable for cash, bonuses, products, or services — which is what makes loyalty accounts so appealing to fraudsters.

Types of Loyalty Fraud

There are a few ways that loyalty program fraud happens. And it can happen at any point throughout the customer journey — which is why it’s important to have a complete fraud detection solution.

1. New account fraud

Fraudsters and opportunistic customers create fake accounts — sometimes using untraceable synthetic identities — to accumulate loyalty points. Fake accounts might also be created to transfer loyalty points from fraudster to fraudster. If you offer rewards for opening an account, watch for attacks.

2. Account takeover fraud

During an account takeover (ATO) attack, a fraudster aims to gain unauthorized access to an account associated with a loyalty rewards program. The fraudster typically works from a list of stolen email addresses and passwords, then programs bots to test the credentials.

3. Policy abuse and exploitation

Customers often perpetuate loyalty fraud by abusing the rules of a rewards program or exploiting its benefits. For example, if you offer a free item for a customer’s birthday, they may accept the item and later try to get a refund for it.

Why Fraudsters Target Loyalty Program Members

Many customers don’t monitor their loyalty accounts regularly and often reuse passwords across multiple accounts — which leaves the window of opportunity open for fraud. Plus, merchants often don’t exercise the same scrutiny over loyalty programs as other transactions — making it easier for fraudsters to access accounts.

Fraudsters are increasingly targeting accounts because once they gain access, they can drain, use, transfer, or resell loyalty points and rewards. To make matters worse, they can also gain access to all the stored customer data. And if the account password is used elsewhere — such as online banking accounts, digital wallets, etc. — they can get access to those, too.

How Loyalty Program Fraud Affects Businesses

If you haven’t included loyalty program scams in your fraud prevention strategy, your business is susceptible to exploitation. And the lack of protection can be costly — both in revenue and customer loyalty.

1. Revenue loss

If a fraudster hacks into a customer’s account, steals and redeems points worth $100, then you theoretically lose that $100. Because that fraudster most likely won’t be doing business with you long-term. That adds up quickly. In 2020 alone, the Loyalty Security Association (LSA) estimated that $3.1 billion of redeemed loyalty points were fraudulent. And if the victim detects the loss, you may be asked to replace the rewards that were stolen.

2. Brand damage

Negative public perception can harm you just as much as revenue loss. If word gets out that your accounts — and their contents — aren’t safe, you could lose brand loyalty and trust. Depending on the type of attack, you could face regulatory fines and penalties. Ultimately, you could potentially lose your business altogether.

3. Negative customer experiences

Some customers spend a lot of time accruing points. If those are stolen, they will most likely blame you for not protecting their accounts. They may stop shopping with you altogether. And considering that 64% of US online adult consumers spend more with brands that offer loyalty programs, you have a lot to lose.

4. Operational costs

Fighting fraud on your own can be expensive and inefficient. A common approach is to hire a team to manually review interactions, but that may not provide the most accurate results or be the most cost-effective option.”

Loyalty Program Cyber and Fraud Prevention

In excerpts from an article by F5, they wrote, “For cybercriminals, compromising loyalty point accounts is low-hanging fruit. Even though these accounts may hold thousands of dollars of value, most consumers don’t monitor them as closely as financial accounts from a bank or financial institution. Many accounts are protected with a simple username/password pair, and since many consumers reuse passwords, criminals using stolen credentials find it relatively simple to use automated bot attacks to conduct credential stuffing on loyalty accounts.

Once they control the points, criminals can cash them out, exchange them for untraceable items such as gift cards, or sell the points for monetary value on the dark web, all with low risk for fraudsters. In addition, criminals know that compromising loyalty accounts can bring not just short-term financial gains but also access to data and intelligence for further fraudulent activities, including identity theft using personally identifiable information, trip and stay data, shopping patterns, and more.

In fact, it’s not just cybercriminals you should watch out for. Here are three types of loyalty fraud you should keep your eyes on:

  • The Double Dip: This is when legitimate members defraud the program by “double-dipping,” that is, by simultaneously redeeming points over the phone and online. Or members can attach their loyalty account number to a purchase they don’t make and fraudulently accrue the points. Members can also make purchases to generate large amounts of reward points and then cancel the transaction—but not before redeeming the points for cash awards. Also, legitimate consumers and loyalty members can also abuse policy or business logic by manipulating loopholes in programs. Examples include sharing coupons or promotional codes, violating merchant policies, or signing up for numerous credit cards linked to the same rewards program to illegitimately gain rewards.
  • The Insider Job: This is when fraud involves insiders or employees of your organization. They can manipulate the loyalty program by doing things like assigning unused or unclaimed points to a different member account or by transferring points fraudulently between accounts.
  • The Cybercriminal:By far, the greatest source of loyalty program fraud is cybercrime, and the most common exploit involves account takeover (ATO) via automated tools such as credential stuffing, form jacking, or simple phishing to gain access to accumulated points and stored credit card information. Credential stuffing involves a bad actor testing large numbers of compromised credentials (such as usernames and passwords breached from another site) against another site’s login.

And because people reuse passwords across multiple accounts, these tactics can be remarkably successful at unlocking loyalty accounts, allowing attackers to take over the account by changing usernames and passwords. Formjacking opens other avenues for hackers to take over accounts and involves hijacking loyalty program web forms to collect and transmit data as consumers fill in personal information.

This hands the attacker the keys to the account, who can plunder the points at leisure or use the account for other nefarious purposes. Protecting your customers and your loyalty program from fraudulent activity is critical. If not properly addressed, it can severely damage consumer trust and brand reputation.

However, traditional cyber defenses are no longer powerful enough to deter sophisticated attacks on loyalty programs. Outmoded protections and needlessly restrictive policies tied to short session timeouts, geo-blocking, multi-factor authentication, and forcing members to solve CAPTCHAs can frustrate users and are easily bypassed.

By spending just a few dollars, attackers can incorporate low-cost CAPTCHA-solving services to bypass basic bot defenses and can purchase higher fidelity lists of credentials for specific geographic targets. Criminal organizations can rapidly change tactics and methodologies when defenders try to prevent their activities, and keeping ahead of attackers becomes an almost insurmountable problem without specialized tools and dedicated security teams.

5 Best Practices to Protect Your Loyalty Program Against Fraud

Loyalty programs reward your business’ most valuable customers and help you build stronger relationships with your customers. In the face of increasing attacks, protecting these programs and the customer rewards they maintain is more important than ever. The following five best practices can help you focus on addressing the most common attack scenarios, without unduly burdening legitimate members from monitoring or redeeming points.

  1. Prevent new account fraud. New account fraud involves a fraudster creating loyalty accounts, often at scale, using stolen, synthetic, or otherwise false identities. Leveraging these fraudulent accounts, criminals can accumulate and resell points and abuse redemption programs. Make sure your cyber-defense solution can detect if attackers try to create multiple fake accounts using automated tools or sophisticated manual techniques.
  2. Mitigate account takeover efforts. Ensure your defenses can detect account takeover attempts by criminals intent on stealing points or exploiting saved customer personal data. Your defenses must be able to adapt to changes in attack patterns and retool in real-time. Monitor loyalty program traffic to understand input patterns using telemetry signals to detect anomalous behavior so you can determine whether traffic is from malicious bots or humans.
  3. Protect awards cash-out transactions.Ensure that loyalty rewards redemptions and payments from credit cards linked to the account are legitimate by accurately determining the trustworthiness of each transaction and the customer identity associated with it. Defend your program with tools that use artificial intelligence and machine learning to monitor transaction behaviors and employ adaptive authentication, which selects the appropriate authentication process based on the risk presented by the login attempt. For instance, enhanced security challenges may be required for high-risk activities, such as changing passwords or cashing out large amounts of points.
  4. Monitor for policy abuse. Make sure to have preventions in place to limit financial losses due to exploitation or manipulation of coupons and promotions, discounts, or referral bonuses by assessing trust at every point of interaction.
  5. Understand internal threats. Loyalty programs are also susceptible to threats from insiders. Be sure to track and measure site staff activities to monitor anomalies and limit employee access to loyalty program data.

Help your customers avoid loyalty point fraud

In addition to protecting your loyalty program and its assets, help your program members defend their points and rewards from fraud by sharing the following tips:

  • Members should monitor their loyalty programs just like other financial accounts. Loyalty programs can contain thousands of dollars of value, so your customers should check on their accounts on a regular basis to make sure they haven’t been tampered with.
  • Take advantage of enhanced security options. If available, encourage members to use additional security features like multi-factor authentication. Every additional layer of security makes it more difficult for fraudsters to compromise an account.
  • Be careful of travel promotion emails and social media posts. Educate your customers on how and where you communicate promotions. Ensure they understand travel offers that seem too good to be true probably are. Unsolicited email offers and deals that pop up in their feed are likely phishing attempts designed to steal personal data, including login credentials and credit card numbers. Before responding and providing any information, members should confirm that the sender’s email address is legitimate or contact the loyalty program directly (not via the email or social media post they received) to make sure the offer or request is authentic.”


Loyalty cards, designed to enhance customer engagement and offer rewards, carry hidden cyber threats that can jeopardize personal information and lead to financial fraud. Loyalty card systems have evolved to collect extensive data on consumers, making them attractive targets for cybercriminals seeking to exploit vulnerabilities. Data breaches, identity theft, and policy abuse are among the risks associated with loyalty cards. The consequences can be severe for both businesses and consumers, including reputational damage and financial loss.

To mitigate these risks, individuals should be cautious about the information they share, use unique and strong passwords, and employ comprehensive security measures. Businesses should prioritize cybersecurity measures to protect customer data and build trust. Recent incidents, such as a cyber attack on Suncor Energy and instances of loyalty fraud, highlight the urgency of addressing these issues.

Implementing best practices, such as preventing new account fraud, mitigating account takeovers, protecting award cash-out transactions, monitoring for policy abuse, and understanding internal threats, can help safeguard loyalty programs. By staying vigilant and proactive, both businesses and consumers can navigate the potential cyber threats posed by loyalty cards and ensure a safer digital landscape.

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.

Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.