Loyalty Fraud: The Hidden Risk of Online Shopping This Christmas

If you're looking to do some online shopping this holiday season, you may want to consider changing your password before putting anything in your cart.

According to Akamai's recently published State of the Internet / Security report: Loyalty for Sale – Retail and Hospitality Fraud, 2020 has seen a significant uptick in a very specific type of cybercrime known as loyalty fraud. That should be cause for alarm, given that most of us will be doing our Christmas shopping online this month.


What is loyalty fraud?

Loyalty fraud is essentially a subset of account takeover, in which an account is compromised and hijacked through credential stuffing, except that the focus is on accounts that benefit from loyalty programs.

These accounts are typically in the retail, travel, and hospitality sectors, and their credentials are sold on the Dark Web, allowing the buyer to use up the loyalty points themselves. These are points that you may have been saving up for years and made countless purchases to earn.

But it's not just loyalty points that are at risk. Considering all the personal information you might typically be asked to provide in order to take part in such programs, like your full name and phone number, these accounts can also be very useful for committing identity fraud or conducting phishing attacks.



'Tis the season

The pandemic hit a lot of businesses hard this year, especially those in the retail, travel, and hospitality sectors. Many of these companies reacted by augmenting or creating programs to support customers, like loyalty point extensions and bonus rewards.

But for cybercriminals, this was a new opportunity for profit. In Q1 of 2020, just as the first COVID-19 lockdowns were beginning, lists of compromised credentials had started circulating and fueling a wave of credential stuffing attacks targeted towards businesses in these sectors.

Fast forward to this month: it's the holiday season, Christmas shopping will be done almost exclusively online this year, and that means new opportunities to drum up business by rewarding loyal customers with points, perks, and discounts. It may also mean a new wave of credential stuffing attacks going after your accounts, loyalty points, and private data.


Credential stuffing only works when passwords are reused, so if you're reusing the same password across all your accounts, we'd highly recommend you change that ASAP. The MYKI Password Manager & Authenticator app allows you to generate strong and unique passwords for all of your accounts, which it can also securely store and autofill for you, saving you the hassle of memorizing them all.

Download the MYKI app on mobile or desktop today, and reach out to your IT provider to set you up with MYKI Password Management.
