Loyalty Points Are Being Phished Like Cash: What Qantas Impersonation Scams Signal for Travel Merchants

Airline loyalty programs have quietly become one of the largest “shadow payment rails” in travel. Points and travel credits behave like stored value, they move across partners, and they can be redeemed into high-liquidity goods (gift cards, upgrades, flights) that are easy to resell. That combination makes loyalty accounts a natural target for fraudsters — and recent warnings about Qantas impersonation and “account protection” phishing lures are a timely reminder that loyalty security is now a merchant-operator problem, not just an airline IT problem.

In early February 2026, Qantas published an updated scam advisory noting an “account protection security” email scam identified this month, where scammers urge customers to quickly provide account and financial details (often using the subject line “Avoid Service Interruption”). The airline also reiterates that it will never ask customers for personal details, passwords, PINs, or similar secrets via unsolicited messages. Separately, industry coverage citing ACCC Scamwatch warnings describes a spike in reports of scammers impersonating Qantas via email and SMS, using urgency and brand look-alikes to push victims to click through to scam sites.

Why loyalty phishing is escalating (and why travel merchants should care)

Loyalty compromise used to be a niche fraud pattern: a handful of “points hackers” chasing weak PIN policies. That’s changed for three practical reasons:

  • Loyalty value is more liquid than ever. Points can be redeemed for flights, upgrades, lounge passes, and increasingly for retail gift cards or third-party rewards. Fraudsters don’t need to monetize a stolen card; they monetize stolen value.
  • Account takeover is industrialized. Credential stuffing, SIM-swap-adjacent social engineering, and phishing kits have reduced the marginal cost of testing accounts. If MFA is inconsistent or optional, attackers simply route around it.
  • Travel customer data has a long “half-life.” Frequent flyer numbers, emails, and phone numbers are durable identifiers. Once exposed (through any breach, not necessarily the airline’s), they power more convincing phishing and support impersonation.

For travel merchants — airlines, OTAs, tour operators, hotel brands, and loyalty partners — the operational pain shows up quickly: higher contact-center volume, more disputes and goodwill refunds, partner friction, and reputational damage that hits conversion. Loyalty fraud also creates a backdoor into payments: if a compromised loyalty profile includes stored cards, travel credits, or saved traveler data, the attacker’s blast radius expands beyond points.

What the Qantas scam advisories tell us about attacker playbooks

There are two important signals in Qantas’ February 2026 update:

  • The pretext has shifted to “account protection.” The language is designed to feel like a service continuity issue (avoid interruption) rather than a “you won a prize” lure. That’s classic for higher-intent victims who already hold value in an account.
  • Attackers are harvesting both identity and payment details. Qantas explicitly notes that the scam aims to capture personal information and payment card data — meaning the attacker isn’t just trying to redeem points; they’re trying to expand into broader identity theft and card-not-present fraud.

MailGuard’s analysis of a Qantas-themed phishing campaign (observed in late 2025) illustrates the maturity of these kits: a multi-step flow that captures membership credentials and then attempts to harvest verification codes, ending with a redirect back to the legitimate Qantas site to reduce suspicion. Whether or not a given campaign succeeds at real-time MFA interception, the intent is clear: loyalty accounts are being treated like bank accounts.

Operator impact: where the losses actually land

In a loyalty takeover event, the direct “financial loss” may not always appear as a neat fraud line item. It spreads across multiple cost centers:

  • Make-good costs: points reinstatement, goodwill vouchers, status reinstatement, and manual rebooking.
  • Chargebacks and disputes: if stored payment instruments are abused, you inherit classic card-not-present disputes.
  • Contact-center load: spikes in inbound calls and chats when a scam wave hits, plus longer handle times due to identity verification.
  • Partner leakage: compromised points redeemed through partners can create reconciliation fights (who eats the redemption?) and can pressure partner risk teams to add friction.
  • Conversion and trust: customers who feel unsafe log in less, store fewer cards, and abandon loyalty engagement — a hidden but real revenue drag.

The merchant takeaway: loyalty security is revenue protection, not just risk hygiene.

A practical control stack for loyalty programs (and their partners)

If you operate a loyalty program or accept loyalty value as a tender-equivalent, the controls that matter look a lot like payments controls — plus a few loyalty-specific guardrails:

1) Strengthen authentication with modern defaults

  • Make MFA meaningful and consistent: require step-up authentication for high-risk events (new device, new IP/ASN, password reset, large redemption, profile changes) instead of treating MFA as a one-time setup checkbox.
  • Prefer phishing-resistant factors: passkeys (FIDO2/WebAuthn) reduce susceptibility to credential phishing and one-time-code interception.
  • Lock down recovery: account recovery is often the weakest link. Add friction (but not dead-ends) for recovery when the account has high stored value.

2) Treat redemptions like withdrawals

  • Redemption velocity limits: caps per day/week, plus “cooldown windows” after credential changes.
  • High-risk redemption review: manual or semi-automated review for outlier redemption patterns (new payee, gift cards, one-way premium cabin, rapid multiple bookings).
  • Beneficiary controls: for programs that allow transfers, enforce recipient “seasoning” periods or verified relationships.
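The step-up triggers from section 1 and the withdrawal-style limits from section 2 can be combined into a single redemption gate. The sketch below is an added example, not code from Qantas or any loyalty platform; the thresholds, reward categories, and the names Account and decide are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Assumed policy values, for illustration only.
DAILY_POINTS_CAP = 50_000
LARGE_REDEMPTION = 20_000
COOLDOWN = timedelta(hours=48)
HIGH_LIQUIDITY = {"gift_card", "points_transfer"}

@dataclass
class Account:
    known_devices: set
    last_credential_change: datetime
    redemptions: list = field(default_factory=list)  # (timestamp, points)

def decide(acct, now, points, reward, device_id, mfa_fresh):
    """Return (decision, reasons); decision is allow/step_up/review/deny."""
    # Cooldown: block redemptions shortly after a password or contact change.
    if now - acct.last_credential_change < COOLDOWN:
        return "deny", ["cooldown_after_credential_change"]
    # Velocity: rolling 24-hour cap on redeemed points.
    spent = sum(p for ts, p in acct.redemptions if now - ts < timedelta(days=1))
    if spent + points > DAILY_POINTS_CAP:
        return "deny", ["daily_cap_exceeded"]
    reasons = []
    if device_id not in acct.known_devices:
        reasons.append("new_device")
    if points >= LARGE_REDEMPTION:
        reasons.append("large_redemption")
    if reward in HIGH_LIQUIDITY:
        reasons.append("high_liquidity_reward")
    # A new device cashing out to a resellable reward goes to review.
    if {"new_device", "high_liquidity_reward"} <= set(reasons):
        return "review", reasons
    if reasons and not mfa_fresh:
        return "step_up", reasons
    return "allow", reasons

def demo():
    # Constructed sample account and requests.
    now = datetime(2026, 2, 10, 12, 0)
    acct = Account({"dev-A"}, now - timedelta(days=10), [(now - timedelta(hours=2), 40_000)])
    fresh = Account({"dev-A"}, now - timedelta(hours=1))
    return [
        decide(acct, now, 5_000, "flight", "dev-A", False)[0],
        decide(acct, now, 15_000, "flight", "dev-A", True)[0],
        decide(acct, now, 5_000, "flight", "dev-B", False)[0],
        decide(acct, now, 5_000, "gift_card", "dev-B", True)[0],
        decide(fresh, now, 1_000, "flight", "dev-A", True)[0],
    ]
```

The hard limits (cooldown, daily cap) are evaluated before the risk signals, so a phished session that passes an MFA challenge still cannot drain an account right after a credential change.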

3) Instrumentation and detection that’s loyalty-aware

  • Device and session intelligence: device binding, anomaly detection, and clear customer alerts when a new device signs in.
  • Bot and credential stuffing defense: rate limits, bot mitigation, and passwordless options where possible.
  • Fraud telemetry shared across channels: unify web, app, contact center, and partner redemption signals so you can see the whole attack chain.

4) Outbound communications that reduce scam conversion

  • Consistent “never ask” messaging: Qantas’ guidance is explicit (no PIN/password requests). Bake that into every legitimate security message and help-center flow.
  • Harden email and SMS sender trust: enforce DMARC/SPF/DKIM for email; use branded links carefully; reduce reliance on clickable links for sensitive actions.
  • In-product scam education: add lightweight in-app banners during known scam waves. Customers are more likely to believe security guidance inside the authenticated experience.

What to watch next: the convergence of loyalty and payments

The bigger story behind Qantas-themed scams is industry-wide: loyalty is converging with fintech mechanics. As programs expand into subscription bundles, co-brand cards, installment-like travel credits, and partner marketplaces, points increasingly behave like money. That means regulators, banks, and partners will apply the same expectations they apply to payments: strong customer authentication, clear dispute handling, and evidence-based risk controls.

For operators, the goal isn’t to eliminate scams overnight — it’s to reduce scam success rates, shrink attacker ROI, and prevent loyalty compromise from becoming a gateway into stored cards and identity fraud. Put simply: treat loyalty value like cash, because attackers already do.
