Travel Merchants Face a $1 Billion Loyalty Fraud Problem. Most Are Not Prepared.
In February, Maggie, a retired college professor from Michigan, discovered that someone had stolen 356,000 Hilton Honors points worth approximately $2,000 from her late husband’s dormant account. The criminals had changed the email address on file, diverting all account alerts away from the family. The points were being used at two hotels, in real time, while she was on the phone with Hilton customer service.
“This young woman kept gasping with what she was uncovering,” Maggie told AARP.
Her story is not an outlier. Industry experts estimate that more than $1 billion in travel rewards points are stolen from consumers every year, according to Chris Staab, cofounder of the Loyalty Security Alliance, an anti-fraud coalition that includes representatives from major airlines. And unlike bank accounts, loyalty accounts are often left unguarded for months or years, making them especially attractive targets for organized fraud rings.
The Fraud Landscape Is Expanding Fast
Travel loyalty programs have grown into sprawling ecosystems. Airlines and hotel chains now offer co-branded credit cards, partner redemptions, status matching, and multi-program pooling. Each new feature designed to improve the customer experience also creates new attack surface for criminals.
According to Ravelin’s 2024 Global Fraud Trends report, fraud increased for 75.7% of travel-sector merchants in the prior year. Mastercard’s loyalty fraud research notes that a growing pool of points and airline miles, combined with what it describes as “perceived lack of strong security and controls,” makes loyalty programs an attractive target for hackers and cyber criminals.
The methods used to steal loyalty points have grown more sophisticated. Common attack vectors include:
- Account takeover: Fraudsters use stolen or leaked credentials to access existing loyalty accounts, often changing contact information to maintain control.
- Fake account creation: Criminals build synthetic accounts to accumulate points through promotional offers, referral abuse, and multi-account pooling.
- Agency pooling and mileage resale: Travel agencies or individuals harvest member accounts, with or without the travelers’ knowledge, and resell mileage redemption tickets on the secondary market.
- Program and status gaming: Fraudsters generate unearned elite status to access club lounges and other perks, then merge those accounts with legitimate profiles.
Why Travel Merchants Are on the Front Line
For travel merchants, loyalty fraud is not just a customer relations problem. It creates direct financial exposure through chargebacks, reactive security costs, and operational disruption. When fraudsters redeem stolen points at a hotel or book flights with hijacked frequent flyer accounts, the merchant often bears part of that loss.
As governments increase scrutiny of data protection across industries, loyalty programs that store passport images, payment details, and travel history are coming under greater compliance pressure. The Marriott Starwood breach, which exposed 350 million customer records in 2018, remains a reference point for how damaging a loyalty data incident can become.
Reputational risk is harder to quantify but just as real. When customers lose trust in a loyalty program, they shift spending, cancel co-branded cards, and tell others. For smaller travel operators who depend on loyalty program partnerships for distribution, a partner’s fraud problem can become their own.
What the Industry Is Starting to Do About It
Mastercard and other payment networks have begun offering loyalty fraud detection tools that use machine learning to identify anomalous redemption patterns, device-level signals, and pooling behavior that suggests coordinated fraud rings rather than individual account compromise.
The Loyalty Security Alliance, founded by Staab, has brought together airlines and hotels to share threat intelligence and develop common standards for program security. The group advocates for stronger authentication requirements at account creation and redemption, tokenization of loyalty currency, and cross-program watchlists for known fraud rings.
On the legislative side, the FTC has signaled increased interest in loyalty program regulation. Industry watchers expect forthcoming requirements around disclosure of loyalty program breach notification timelines and minimum security standards for programs above a certain size.
What Travel Merchants Can Do Now
Short of waiting for regulation, travel merchants have several practical options to reduce their exposure. These include reviewing redemption velocity limits on partner loyalty programs, enabling multi-factor authentication for high-value redemptions, and establishing monitoring rules that flag accounts showing dormant-to-active reactivation patterns, a common indicator of account takeover.
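The monitoring rules described above, sketched as an added example that is not code from the article or from any vendor it names. The event fields, thresholds, rule names, account IDs and property names are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the article.
DORMANT_AFTER = timedelta(days=365)   # no activity for this long = dormant
WATCH_WINDOW = timedelta(hours=72)    # scrutiny period after reactivation
MAX_REDEMPTIONS_IN_WINDOW = 1         # velocity limit inside the window
HIGH_VALUE_POINTS = 100_000           # redemptions at or above this need MFA

# Constructed sample events: one dormant account that wakes up, one active account.
SAMPLE_EVENTS = [
    {"account": "A-1001", "ts": "2022-03-01T12:00:00", "type": "login"},
    {"account": "B-2002", "ts": "2024-01-15T08:00:00", "type": "login"},
    {"account": "B-2002", "ts": "2024-02-09T18:30:00", "type": "redeem", "points": 20_000, "property": "HOTEL-3", "mfa": True},
    {"account": "A-1001", "ts": "2024-02-10T09:00:00", "type": "login"},
    {"account": "A-1001", "ts": "2024-02-10T09:05:00", "type": "email_change"},
    {"account": "A-1001", "ts": "2024-02-10T10:00:00", "type": "redeem", "points": 150_000, "property": "HOTEL-1"},
    {"account": "A-1001", "ts": "2024-02-10T10:20:00", "type": "redeem", "points": 120_000, "property": "HOTEL-2"},
]

def score_events(events):
    """Return {account: sorted rule names} for every account that trips a rule."""
    last_seen, reactivated, redeems, flags = {}, {}, {}, {}
    email_changed = set()
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        acct, ts = ev["account"], datetime.fromisoformat(ev["ts"])
        hit = flags.setdefault(acct, set())
        prev = last_seen.get(acct)
        if prev is not None and ts - prev >= DORMANT_AFTER:
            # Dormant-to-active transition: open a fresh watch window.
            reactivated[acct], redeems[acct] = ts, 0
            email_changed.discard(acct)
        last_seen[acct] = ts
        woke = reactivated.get(acct)
        in_window = woke is not None and ts - woke <= WATCH_WINDOW
        if ev["type"] == "email_change" and in_window:
            email_changed.add(acct)
        if ev["type"] == "redeem" and in_window:
            hit.add("dormant_reactivation_redeem")
            redeems[acct] += 1
            if redeems[acct] > MAX_REDEMPTIONS_IN_WINDOW:
                hit.add("velocity")
            if acct in email_changed:
                hit.add("contact_change_before_redeem")
        if ev["type"] == "redeem" and ev["points"] >= HIGH_VALUE_POINTS and not ev.get("mfa"):
            hit.add("high_value_without_mfa")
    return {a: sorted(f) for a, f in flags.items() if f}

if __name__ == "__main__":
    print(score_events(SAMPLE_EVENTS))
```

In practice a flag such as `contact_change_before_redeem` would hold the redemption for step-up authentication or manual review rather than block it outright, since legitimate members also return after long gaps.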
Merchants who accept loyalty points as payment should also review their chargeback and dispute resolution procedures for transactions where points were the original tender. Some payment processors now offer loyalty-specific fraud scoring that can be layered into existing transaction review workflows.
The bottom line: loyalty fraud is no longer a niche concern. With over $1 billion in annual losses and fraud increasing across the sector, travel merchants who treat loyalty program security as a backend IT issue rather than a core business risk are leaving themselves exposed.
For more on fraud trends affecting the travel industry, visit the AARP Fraud Watch Network or the Loyalty Security Alliance.
Sources: AARP Fraud Watch Network (April 2026), Ravelin Global Fraud Trends 2024, Mastercard Services loyalty fraud research, Loyalty Security Alliance.
