Bot Armies Are Targeting Loyalty Points; Here’s How to Safeguard Your Customers
As back-to-school season kicks into high gear and holiday-driven spending looms in the distance, retailers across the country are using loyalty point programs to build relationships with customers and incentivize them to return for future purchases, driven by the promise of discounts, perks, exclusive benefits and more.
However, over the last year, and especially during the summer spending boom, customer loyalty point accounts have become a target for cybercriminals, who see these accounts, and the personal and payment data stored in them, as a soft entry point to consumers’ identities and, by extension, their wallets.
For retailers whose loyalty points are a source of trust and connection with customers, a data breach or account takeover because of a loyalty program can be devastating. To adequately safeguard customers, retailers must understand and prepare now for loyalty point fraud before it’s too late.
Loyalty Points Are a Shiny Target for Cybercriminals
To protect customers, retailers must first understand what it is about loyalty points specifically that makes them such an enticing target for cybercriminals.
According to Statista, the number of loyalty program memberships held by the average U.S. consumer has risen since 2015: in 2021 the average user held 16.6 accounts but actively used only 7.6 of them. That is about 46 percent, meaning the average American leaves more than half of their memberships unused and unattended.
Any large store of valuable data that includes details such as dates of birth and credit card numbers is a shiny target for bad actors. Couple that with the large number of loyalty accounts that are rarely used or monitored, and you have a recipe for retail disaster: an account nobody logs into is an account whose takeover nobody notices.
How Bot Armies Make Their Mark
One of the most prevalent methods cybercriminals use to commit loyalty point fraud is credential stuffing, which leads to account takeover (ATO).
Credential stuffing, the “automated injection of stolen username and password pairs (‘credentials’) into website login forms,” as the OWASP Foundation defines it, lets attackers replay large sets of credentials leaked from other breaches and take over every account whose owner reused the same password. These attacks have been increasing: Akamai data from the 2021 holiday shopping season showed a 226 percent increase in credential stuffing attempts as attackers aimed to compromise customer accounts. We have seen the same pattern repeat during other key gift-giving periods, including Christmas, Diwali, and Singles Day in China.
Against loyalty point accounts specifically, we often see as many as 1 billion attacks per day. And, as attackers typically do, they will likely make these attacks more sophisticated and dangerous as time goes on.
How to Protect Customers and Businesses
To protect their own personal data, consumers should review their loyalty accounts and close the ones they no longer use. They should also monitor the accounts they keep and, if they notice anything out of the ordinary, change the password and work with the organization that runs the program to secure the account. Using a unique password for every account directly defeats credential stuffing, because a password leaked from one site can no longer be replayed against another; a password manager makes this practical, and multi-factor authentication should be turned on wherever a program offers it.
For retailers that own the loyalty programs, educating themselves and strengthening their bot detection and mitigation capabilities is the best first step to protecting customers. In practice, that means watching the login endpoint for the signatures of automation, such as a single source cycling through many different usernames with a high failure rate, rate-limiting or challenging that traffic, and treating any successful login inside such a burst as a likely takeover. By understanding how cybercriminals carry out these attacks and implementing measures to address them proactively, retailers can not only protect customers, but keep their hard-earned loyalty and trust in the process.
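The following is an added example, not code from the original article or from Akamai, showing the kind of login-endpoint check the two sections above describe: a detector that reads authentication log lines and flags a source address that, within a short window, tries many distinct usernames and fails on most of them, which is how credential stuffing looks from the server side and how it differs from one customer mistyping their own password. The log format, the sample traffic and the thresholds (WINDOW, MIN_ATTEMPTS, MIN_DISTINCT_USERS, MIN_FAIL_RATIO) are constructed assumptions for this example and should be calibrated against real login traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (not a real product's format):
#   2022-08-01T10:00:00 ip=203.0.113.5 user=alice result=fail
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)

# Assumed thresholds; calibrate against your own login traffic.
WINDOW = timedelta(minutes=5)   # sliding window per source address
MIN_ATTEMPTS = 20               # ignore sources below this volume
MIN_DISTINCT_USERS = 10         # stuffing cycles through many accounts...
MIN_FAIL_RATIO = 0.8            # ...and most of the replayed pairs no longer work


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "success",
    }


class StuffingDetector:
    """Flags a source address that, within WINDOW, tries many distinct usernames
    and fails on most of them. A single user fumbling their own password keeps
    hitting one username, so it never trips MIN_DISTINCT_USERS."""

    def __init__(self):
        self._recent = defaultdict(deque)  # ip -> deque of (ts, user, ok)
        self._alerted = set()              # alert once per source

    def observe(self, ev):
        q = self._recent[ev["ip"]]
        q.append((ev["ts"], ev["user"], ev["ok"]))
        # Drop events that fell out of the sliding window.
        while q and q[0][0] < ev["ts"] - WINDOW:
            q.popleft()
        if len(q) < MIN_ATTEMPTS or ev["ip"] in self._alerted:
            return None
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, ok in q if not ok)
        if len(users) < MIN_DISTINCT_USERS or fails / len(q) < MIN_FAIL_RATIO:
            return None
        self._alerted.add(ev["ip"])
        return {
            "ip": ev["ip"],
            "attempts": len(q),
            "distinct_users": len(users),
            "fail_ratio": round(fails / len(q), 2),
            # Successful logins inside the burst are the likely account takeovers:
            # block the source and force a password reset on these accounts.
            "compromised": sorted(u for _, u, ok in q if ok),
        }


def scan(lines):
    """Run the detector over an iterable of log lines; return the alerts raised."""
    det = StuffingDetector()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        alert = det.observe(ev)
        if alert:
            alerts.append(alert)
    return alerts


def sample_log():
    """Constructed traffic: one legitimate user who fumbles their password,
    then one source replaying 25 leaked username/password pairs."""
    t0 = datetime(2022, 8, 1, 10, 0, 0)
    lines = []
    # alice fails twice, then gets in (benign, one username)
    for i, res in enumerate(["fail", "fail", "success"]):
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} ip=198.51.100.7 user=alice result={res}")
    # 203.0.113.5 cycles through 25 accounts in about two minutes; two pairs still work
    for i in range(25):
        res = "success" if i in (4, 17) else "fail"
        ts = (t0 + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} ip=203.0.113.5 user=member{i:03d} result={res}")
    return lines


if __name__ == "__main__":
    for a in scan(sample_log()):
        print(a)
```

On the sample traffic the detector stays quiet for alice and raises one alert for 203.0.113.5 at its twentieth attempt, naming member004 and member017 as the accounts that were taken over. The caveat a practitioner should keep in mind: a per-source threshold like this catches a single scripted client, but an attacker who spreads the same credential list across a proxy network or botnet stays under it on every individual address. Catching that requires looking at the login endpoint as a whole (distinct usernames and failure rate across all sources against a baseline) together with client-side signals, which is what dedicated bot management adds on top of log analysis.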
Patrick Sullivan is chief technology officer, security strategy, at Akamai, the leading content delivery network (CDN) services provider for media and software delivery, and cloud security solutions.
In his 12 years at Akamai, Patrick Sullivan has held a number of leadership positions, including leading the Enterprise Security Architect team. Sullivan and his team work with customers when they come under attack and design security architectures to protect them from threats. In the course of helping to fend off attacks, he has gained visibility into attacks targeting many of the top enterprises. With his ability to see security issues as a critical component of a client’s business strategy, Sullivan often speaks at security events and with clients around the world. Prior to Akamai, Sullivan held various leadership positions at DISA, AT&T, Savvis, and Cable and Wireless.