How to protect digital accounts from loyalty fraud and account takeover
Loyalty and rewards programs can increase spending and improve brand loyalty. Businesses can incentivize small acts like repeat purchases, sharing content on social media, and referring new customers. In return, customers can get free products, store credit, and more. It pays to retain customers with loyalty programs, and businesses are willing to invest.
Global direct loyalty and customer relationship management costs topped $126 billion, said a 2019 LoyaltyOne survey. The same survey found that loyalty members spend two to three times more than non-members. Businesses that don’t use loyalty fraud and account takeover protection put loyal customers — particularly, their digital accounts, points, and rewards — at risk.
ATO losses are up 72% — loyalty fraud may be to blame
Loyalty fraud (or rewards fraud or points fraud) happens when a bad actor accesses a customer’s digital account looking for high-value points. Loyalty fraud is most prevalent in account takeover (ATO) attacks, especially those that target gas rewards and travel miles.
In an ATO attack, a bad actor may program a bot or botnet to access customer accounts using stolen or hacked credentials. Once the bad actor has access to the customer’s account, they can drain, use, transfer, or resell the customer’s loyalty points, rewards, miles, etc. The objective of account takeover and loyalty fraud is to steal points and convert them into cash or cash equivalents.
ATO losses are up 72% year over year, according to Javelin’s 2020 Identity Fraud Report. And loyalty fraud may be among the reasons why. 10% of shoppers in a Connexions Loyalty survey said they’ve never signed in to their loyalty accounts. And most only sign in every few months. Customer inactivity leaves the window of opportunity open for fraud. And bad actors know that, typically, businesses don’t exercise the same scrutiny over loyalty programs as other transactions. Less scrutiny makes it easier for bad actors to access digital accounts through phishing scams and identity theft.
But it’s not just bad actors at work. Average shoppers can perpetuate loyalty fraud, which can also come in the form of friendly fraud, rewards fraud, and promo abuse. For example, a customer may exploit a loyalty program or try to redeem rewards on high-value items. Or a business may ask for product reviews in exchange for rewards without specifying the quality of the review or verifying that customers purchased the products they’re reviewing.
Beyond lost revenue, loyalty fraud damages a brand’s reputation and customer trust. So businesses need to protect customer loyalty and reward programs. Businesses can prevent loyalty fraud by protecting the entire customer journey and implementing fraud analytics solutions.
Where to find loyalty fraud and account takeover in the customer journey
Rewards programs are a powerful way for companies to invest in and engage with customers. Essentially, rewards and loyalty programs carry the same weight as cash transactions. Every year, $160 billion in rewards and loyalty points go unredeemed, PYMTS estimated.
Customers have a lot to lose, and bad actors have a lot to gain. So businesses need to understand that loyalty fraud from ATO attacks can happen throughout the customer journey — not just at the point of payment.
Account creation: Account creation is the first step on the customer’s path to payment. Any business that offers rewards for opening an account needs to watch for ATO attacks at this point. A bad actor may create accounts using stolen or fake email addresses to amass loyalty or referral points.
Loyalty and coupon redemption: Businesses that reward customers with coupons or promo codes need to watch for ATO attacks at this point. Bad actors or customers may attempt to exploit policies for greater rewards. A bad actor may also use social engineering to get more use out of coupons or promo codes. Or they may launch an ATO attack to steal loyalty points and redeem them on high-value items.
Payment: Businesses that only detect fraud at the point of payment are missing opportunities to stop attacks at earlier stages in the customer journey. At this point, a bad actor or customer may attempt to use shared or stolen promo codes or loyalty points. At payment, a bad actor may also create and register new email addresses to collect more loyalty points.
4 ways Kount protects the customer journey and prevents loyalty fraud
When businesses protect the complete customer journey, they can establish a baseline of normal behavior and quickly identify abnormal, high-risk behavior. A solution like Kount’s Identity Trust Platform uses AI-driven fraud prevention to reduce digital payments fraud and provide industry-leading fraud protection for the entire customer journey. It helps businesses fight loyalty fraud by detecting malicious login events, fake or fraudulent email addresses, stolen payment information, and more.
1. Its global network of fraud signals informs identity trust levels
Kount’s Identity Trust Global Network™ gives customers access to a global network of trust and fraud-related signals from 32 billion annual interactions from over 75 industries. This data helps establish the level of trust for the identity behind every payment, account creation, and login event.
For example, bad actors may use multiple accounts and devices to make hundreds of fraudulent redemptions or combine points into accounts to earn high-value rewards. On their own, businesses don’t have enough data to connect events to fraud at scale, in real time. Accessing a global network is critical for protecting loyalty accounts.
2. Its advanced AI detects high-risk activity
Kount’s advanced AI quickly detects anomalies, risks, and unusual activity. And it evaluates purchasing details such as device type, email address, shipping address, and product type. This advanced AI enriches global network data and uses supervised and unsupervised machine learning.
Unsupervised machine learning detects emerging fraud and anomalies faster, more accurately, and on a more scalable basis than a human fraud analyst. Supervised machine learning analyzes historical transactions to identify patterns and behaviors from past fraud events.
3. Its Email Insights add confidence to account creation and login events
Fake or fraudulent email addresses are key in loyalty fraud. For example, bad actors may try to earn referral rewards by generating and sharing fake email addresses. Kount’s Email Insights analyzes email addresses to evaluate past behavior, determine risk, and predict a user’s expected behavior. It provides deep insights into the risk, safety, and value of an email address for online transactions, adding confidence to account creation and login events.
Email addresses can establish identity trust through their risk and usage trends, associated transaction volumes, associated chargebacks, and dates first and last seen. Businesses can use this data to predict and stop fraudulent transactions. Or they can use it to learn more about a customer’s lifetime value and likelihood of repeat purchases.
For example, a business may avoid sending upsell campaigns to email addresses that are associated with a high number of chargebacks. Meanwhile, an email with an age of zero indicates that someone may have created it for fraud. These insights can signal additional friction is needed to authenticate the user’s identity.
4. Its multi-layered approach prevents ATO attacks
Kount Control for account takeover protection takes a multi-layered approach to fraud prevention. The protection layer uses advanced AI to evaluate device and network anomalies and detect high-risk activity. Kount uses advanced AI and trust-based user authentication policies to help businesses determine, in real time, if they should allow or decline a login or challenge it with step-up authentication.
The policy customization layer allows for customized user experiences. And it reduces friction by identifying and segmenting users based on common characteristics like geolocation, account age, and billing address. Businesses can challenge potentially fraudulent activity and reduce friction for good customers. As a result, they don’t have to compromise customer experiences and risk sales.
The reporting layer reveals valuable customer insights that help fine-tune business policies. This approach reduces false positives, allows for customized user experiences, reveals trends, and informs future policies. Businesses can quickly identify and report on failed login attempts, risky IPs, compromised accounts, and inbound anomalies to stop ATO attempts.
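The allow, decline, or challenge decision described above, together with the failed-login, risky-IP, and customer-inactivity signals, can be sketched in a few lines. This is an added example, not Kount's code or part of the original article. The event fields, account records, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events in time order: (time, ip, account, device, success)
EVENTS = [
    ("2024-05-01T10:00:00", "203.0.113.9", "alice", "dev-x", False),
    ("2024-05-01T10:00:05", "203.0.113.9", "bob", "dev-x", False),
    ("2024-05-01T10:00:09", "203.0.113.9", "carol", "dev-x", False),
    ("2024-05-01T10:00:14", "203.0.113.9", "dave", "dev-x", True),
    ("2024-05-01T10:05:00", "198.51.100.4", "erin", "dev-e", True),
    ("2024-05-01T10:06:00", "198.51.100.7", "frank", "dev-new", True),
]
# Assumed account state: last successful login and devices seen before.
ACCOUNTS = {
    "dave": {"last_login": "2023-09-01T00:00:00", "devices": {"dev-d"}},
    "erin": {"last_login": "2024-04-28T00:00:00", "devices": {"dev-e"}},
    "frank": {"last_login": "2023-11-01T00:00:00", "devices": {"dev-f"}},
}
WINDOW = timedelta(minutes=10)   # look-back for failed logins per IP (assumed)
STUFFING_ACCOUNTS = 3            # distinct failed accounts that mark an IP risky
DORMANT = timedelta(days=90)     # inactivity after which a login is unusual

def decide(events, accounts):
    """Return {account: 'allow' | 'challenge' | 'decline'} per successful login."""
    failures = defaultdict(list)  # ip -> [(time, account)] of failed logins
    decisions = {}
    for ts, ip, account, device, ok in events:
        now = datetime.fromisoformat(ts)
        if not ok:
            failures[ip].append((now, account))
            continue
        # Other accounts this IP failed against recently: credential-stuffing sign.
        recent = {a for t, a in failures[ip] if now - t <= WINDOW and a != account}
        state = accounts[account]
        dormant = now - datetime.fromisoformat(state["last_login"]) > DORMANT
        new_device = device not in state["devices"]
        if len(recent) >= STUFFING_ACCOUNTS:
            decisions[account] = "decline"      # IP is trying many accounts
        elif dormant or new_device:
            decisions[account] = "challenge"    # step-up authentication
        else:
            decisions[account] = "allow"
    return decisions

if __name__ == "__main__":
    print(decide(EVENTS, ACCOUNTS))
```

A login that succeeds right after the same IP failed against several other accounts is declined even though the password was correct, which is the case a payment-only fraud check never sees.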