Imagine getting ready to redeem your hard-earned travel points for a dream vacation, only to find that a cybercriminal has drained your account.
That’s exactly what happened to Tracy Lamourie.
The publicist travels often for work and was ready to use her hotel loyalty points to book accommodations on a trip last fall. But when she went to log into the account she shares with her husband, she found it was unexpectedly locked.
So she connected with customer service for support.
“It took several calls to figure out what was going on with our points, and through their system, they figured out there was fraud. They told me that all our points had been used by someone who booked a stay at a hotel in Chongqing, China—a country we have never been in,” she said.
So how did hackers make off with Lamourie’s hotel points? Let’s take a closer look at how thieves steal travel loyalty points and miles and what you can do to safeguard your accounts.
How travel loyalty theft works
Lamourie is far from the only traveler who has been targeted by a points thief.
Account takeover attacks skyrocketed by 307% from 2019 to 2021, according to a report from Sift, a firm that offers fraud-prevention technology. More than 1 in 4 victims of those attacks said they lost credits and rewards points as a result.
But account takeover attacks are just one of several methods hackers use to access your points.
Thieves can use information from data breaches (like one from 2021 that affected more than 2 million members of frequent flier programs of at least 10 airlines) to tap into your accounts.
They also use common strategies known as phishing and spear phishing, in which they send emails or text messages disguised to look like they came from a reputable company (such as your go-to airline) in order to trick you into revealing your username and password.
Once a hacker has broken into your account, they can quickly use your loyalty points to make travel arrangements in someone else’s name, sell them on the dark web, or convert them into gift cards—all before you’ve noticed anything fishy.
“Criminals are in the business of understanding these things and learning how to best steal them with the lowest risk of getting caught,” warned Joseph Steinberg, a cybersecurity consultant and author of Cybersecurity for Dummies.
Ways to protect your travel loyalty points
One reason why hackers target travel loyalty points is that people don’t tend to protect them the same way they do their financial accounts, said Steinberg.
“It boils down to attitude,” he said. “People think of these accounts in the context of buying airline tickets, but criminals think of it more as a bank account.”
Start by focusing your attention on your password. The Central Intelligence Agency (CIA) recommends setting a complex password that’s as long as possible, often between 8 and 64 characters. It should include a mix of upper and lower case letters, numbers, and special characters.
Make sure the password is truly unique from any other passwords you use elsewhere.
Better yet, consider using a password manager, said Steven Earls, chief information security officer at LegalShield and a former informational technology officer at the CIA.
“A password manager can create and track extremely complex passwords that no one can remember. That’s the beauty of it,” he said.
But even password managers can be targeted for theft, so before choosing a password manager, search its name online to ensure it hasn’t been hacked, Earls suggests.
Then, set up multifactor, or two-factor, authentication if it’s available for your travel loyalty program, Earls advises.
This type of authentication involves receiving a special code in an email or text message that you must enter every time you access your account. It adds another layer of protection by asking you to prove your identity a second way a hacker is unlikely to have access to, even if they've managed to figure out your password.
Keep a close eye on your points and miles balances as well. Experts recommend checking your accounts frequently, such as weekly, and noting your balance.
“You don’t want to let long periods of time go by where you haven’t logged in. The sooner you notice if someone has taken over your account, the more likely it is that you can recover [your points],” said Steinberg.
Finally, be wary of accidentally clicking malicious links and sites. If you receive an email that looks like it came from your travel loyalty program and it offers you a deal that seems too good to be true (like half a million points for filling out a short survey), keep your guard up. It may be someone trying to phish your identity.
“Never respond to the email or click a link inside of it. Instead, look up the company’s phone number, give them a call, and ask if they just emailed you offering to give you some free stuff,” said Earls. “They will likely tell you ‘no’ and you’ll realize that it wasn’t legitimate.”
Getting your stolen points back
Taking steps to protect your travel loyalty points is critical because you might not be able to get them back if they’re stolen—at least not easily.
Lamourie spent hours on the phone with her hotel loyalty program before finally getting her points reinstated weeks later. In some cases, those points might be gone for good.
“There’s no legal obligation for a hotel or airline to reimburse loyalty points unless they had some negligence [on their end] in letting someone access the points,” explained Ben Farrow, attorney at The Anderson Law Firm, a LegalShield provider law firm. “Your recourse would lie against the person who stole them, but knowing who it was and where they are is hard.”
If you notice an unexpected dip in your frequent flier miles or hotel points, get in touch with the loyalty program’s customer service right away.
“It’s possible that it’s a keystroke error and that someone accidentally took your points. They can fix that. You’ll also want to make sure the points didn’t expire or were never generated,” said Farrow.
Once you’ve ruled out other possibilities and believe a hacker is to blame, tell the company you need to file a fraud report. It will probably open an investigation to see what happened to your points, which could take weeks.
In the meantime, you might want to obtain a police report to document the situation. While it’s unlikely that the police have the resources to track down the thief, the report may be required if you want your hacked miles or points restored. It shows the company that you’re serious about your claims, said Farrow.
Then, stay in communication with the loyalty program and hope for the best. Even though they aren’t usually legally required to reimburse your stolen loyalty points, airlines and hotels may do so anyway, so don’t write it off as a lost cause.
