How Internal Fraud Could Hit Your Loyalty Program: What to Look Out For - By Bill Byrne, CPA, CIA, CISA


From airlines to zoos, organizations continue to strategically leverage rewards and loyalty programs to win over and retain customers. There are many organizational benefits to the implementation and management of loyalty programs; however, the advantages gained from such programs will be lost if fraud risks are not effectively managed.


This blog post is part one of a two-part series on loyalty program fraud. It addresses two types of internal fraudsters: customers and insiders. Please check back next week for the second part, which will cover external frauds involving cyber-criminal activity.

Why Implement a Loyalty Reward Program?

Besides increased revenue, there are many benefits gained from the implementation of loyalty reward programs. In addition to encouraging repeat business, such programs can prevent customers from shopping with competitors and may even reduce the need to compete on price. By building relationships, companies can increase customer lifetime value.

Loyal customers can become brand advocates by sharing positive experiences with family and friends. Plus, loyalty programs provide a gold mine of information to organizations. Being able to easily acquire customer feedback can help improve products as well as help in the development of new products. And over time, loyalty programs have a tendency to pay for themselves as it generally costs an organization more to acquire a new customer than it does to sell to an existing one.

Loyalty points and rewards do have a cash conversion value, resulting in billions of dollars sitting in digital accounts. The value of such points and rewards is often overlooked by companies and customers. In fact, some reward program websites allow you to purchase almost anything, including gift cards (as good as cash). Additionally, points are often transferable between partner companies and can be used to redeem special promotional offers outside of their membership program.

Where Is the Challenge?

Loyalty point programs are easy pickings for fraudsters. Despite the intrinsic value of loyalty points, the safeguards placed around points and accounts are typically weak when compared to the advanced security measures put in place by banks and credit card issuers. As such, there is evidence of rising fraud activities in these programs. And this trend is set to continue as operators add complex features and apps to their program offerings.

What Types of Fraud Should You Look Out For?

Mismanaged or poorly monitored programs can provide opportunities for three different types of fraudsters: customers, insiders and cybercriminals. This blog post will address the first two types (customers and insiders). Please check back on HFTP Connect for the next blog post on cybercriminals.

Customer Fraud

Customers can commit fraud by taking advantage of poorly structured programs. A well-cited story involves a Healthy Choice promotion. The company offered customers a chance to earn 1,000 travel miles for every 10 bar codes submitted. David Phillips purchased 12,000 pudding cups at 25 cents each and earned himself 1.2 million travel miles. Other fraud schemes involve customers:

The best way to prevent customer fraud is by considering the opportunities for fraud within your program and then constructing business rules to prevent people from gaming the system.

Understanding how other reward programs have been cheated also provides insight into potential risk areas. With such knowledge, clear restrictions and/or parameters can be put in place around the earning and redemption process which will help prevent abuse and ensure the quality of the program for other members.

Insider Fraud

The second type of fraud occurs when loyalty programs are exploited by insiders, such as employees or business partners. One example shared at an Association of Certified Fraud Examiners (ACFE) conference involved an airline agent who created loyalty accounts from the information of thousands of passengers, but he used his own email account. This allowed him to accumulate approximately 2.6 million air miles.

The scheme was uncovered when a victim customer went to book a trip and discovered his account balance to be zero. When this was brought to the attention of the parent company, an investigation ensued and the employee ended up in prison. Employees or third parties with special system access have opportunities to scam programs in these ways:

Limiting and monitoring employee and vendor access to high-risk system functions is key to preventing employee fraud. Applying the principle of least privilege is a good starting point and should minimize the number of people requiring access to things like point adjustments and point transfers. Additionally, thresholds may be put in place to restrict the amount of a point adjustment or transfer for specific employee/vendor system profiles. These high-risk transactions should then be logged and monitored any time a program member's profile is accessed and these types of high-risk activities occur.
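As an added illustration (not part of the original article or any real program's code), the sketch below shows how the controls above could be checked against an audit log: per-profile thresholds on point adjustments and transfers, plus a test for the shared-email pattern from the airline agent case. The field names, role names, limits and sample records are all assumptions constructed for this example.

```python
from collections import defaultdict

# Assumed per-profile limits (points per transaction). A role that is absent
# for an action may not perform it at all (least privilege).
LIMITS = {
    "adjust":   {"supervisor": 50_000, "agent": 5_000},
    "transfer": {"supervisor": 100_000},
}
MAX_ACCOUNTS_PER_EMAIL = 3  # assumed policy value

# Constructed sample data, not taken from any real program.
ACCOUNTS = [
    {"member_id": "M1", "email": "pat@example.com"},
    {"member_id": "M2", "email": "agent7@example.net"},
    {"member_id": "M3", "email": "Agent7@example.net"},
    {"member_id": "M4", "email": "agent7@example.net "},
    {"member_id": "M5", "email": "agent7@example.net"},
]
AUDIT_LOG = [
    {"actor": "agent7", "role": "agent", "action": "adjust", "member_id": "M2", "points": 4_000},
    {"actor": "agent7", "role": "agent", "action": "adjust", "member_id": "M3", "points": 20_000},
    {"actor": "agent7", "role": "agent", "action": "transfer", "member_id": "M1", "points": 900},
    {"actor": "sup1", "role": "supervisor", "action": "transfer", "member_id": "M1", "points": 60_000},
]

def shared_emails(accounts, max_per_email=MAX_ACCOUNTS_PER_EMAIL):
    """Return {email: [member_ids]} for contact emails reused across too many accounts."""
    by_email = defaultdict(list)
    for acct in accounts:
        # Normalise case and whitespace so trivial variations do not hide reuse.
        by_email[acct["email"].strip().lower()].append(acct["member_id"])
    return {e: ids for e, ids in by_email.items() if len(ids) > max_per_email}

def review_transactions(log, limits=LIMITS):
    """Return (event, reason) pairs for logged events outside the actor's profile."""
    findings = []
    for ev in log:
        limit = limits.get(ev["action"], {}).get(ev["role"])
        if limit is None:
            findings.append((ev, "role not permitted"))
        elif ev["points"] > limit:
            findings.append((ev, "over threshold"))
    return findings

if __name__ == "__main__":
    print(shared_emails(ACCOUNTS))
    for ev, reason in review_transactions(AUDIT_LOG):
        print(reason, ev["actor"], ev["action"], ev["member_id"], ev["points"])
```

In practice the same limits would also be enforced at the time of the transaction; running the review over the log afterwards catches profiles that were granted too much access.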

Billy Byrne, CPA, CIA, CISA has over twenty years of gaming and hospitality experience and over ten years of audit, compliance, and risk management experience. He has led audit projects and teams, analyzing risks and testing design, operating efficiency and effectiveness of controls, systems, processes and procedures.


