My Credit Card Rewards Were Stolen. What Should I Do?
Prevent credit card loyalty fraud with these steps.
March 11, 2022
Teri Calandra did everything right. The Chicago-based business owner regularly changed her passwords and used virus scan programs to keep her computer clean. Yet, in September 2020, she logged into her Chase Bank account — only to find that more than $600 in rewards points had been stolen.
Unfortunately, Calandra fell victim to a type of fraud that’s becoming more and more common. Called “credit card loyalty fraud” or “credit card rewards fraud,” attacks are often carried out by cybercriminals who’ve gained access to lists of login and password credential combinations and “stuff” them into accounts to see what they can unlock.
Between July 2018 and June 2020, more than 100 billion of these credential stuffing attacks occurred. Of these, more than 60% occurred in the retail, travel and hospitality space, according to data from Akamai’s “Loyalty for Sale: Retail and Hospitality Fraud” report.
When it comes to stolen credit cards, the good news is that most credit card companies offer fraud protection. As a result, you won't be held liable for any spending that occurs once you've reported your credit card stolen.
On the downside, fraud protection doesn't always cover the loss of credit card rewards or rewards points. So what should you do if your credit card points are stolen? Let’s take a closer look.
How are credit card points stolen?
Credit card fraud isn't new, but it’s certainly gained traction during the COVID-19 pandemic.The increase in loyalty fraud, in particular, can be partly attributed to the fact that most people aren't paying as much attention to their rewards accounts since travel opportunities have declined. Decisions by loyalty programs to extend premium benefits throughout the pandemic have also made rewards points a more lucrative target for criminals.
Yet, stealing credit card rewards points takes a bit more finesse than stealing a physical card or a set of card numbers and going on a shopping spree. For starters, the criminals involved must have the right login information to access your account. Once they’re inside, they can transfer or redeem your rewards directly, and if you use the same username and password on multiple loyalty program accounts, they can repeat the process until all of your accounts are emptied.
What happens to your rewards after they’re stolen?
Once hackers get into your accounts, they have several options for using your loyalty points:
Some points can be redeemed directly for cash; others can be disposed of on the dark web
Points can also be used — directly from your account — to book travel for others
In some cases, if criminals have access to your credit card information as well, they can associate your card with a new Amazon account and use the “Pay with Points” feature to drain your rewards balance
Interestingly, some cybercriminals also have their own travel agencies where they’re able to use their illegally acquired rewards to book discounted travel for clients. According to the Akamai report cited above, “Many of the travel listings on the darknet charge a percentage of the overall trip cost, anywhere from 25% to 35% — meaning a $2,000 booking on a well-known travel comparison/booking website would cost about $700 on the darknet.”
What should you do if your credit card points are stolen?
If you notice that some credit card points are missing, there are several steps you’ll want to take.
Contact your credit card issuer immediately to have your account frozen. The phone number for your issuer should be found on the back of your credit card. If a non-credit card loyalty account has been breached — such as an airline, hotel or restaurant account — consult the company’s “Contact Us” page for ideas on who to contact.
Ask your issuer to replace your card if they don’t automatically send one out when you freeze your account.
Ask to speak with the fraud department associated with your rewards program. While, in most cases, they aren’t obligated to refund your points, there are reports that some programs have done so as a courtesy.
Depending on the circumstances of the theft, it may also be appropriate to file a report with law enforcement or with the FBI’s Internet Crime Complaint Center (IC3).
It’s a good idea to reset your password at this point if you haven’t already. If possible, use a random password generator to create a secure password that’s unique to the program.
How to protect your points
Although CBS Chicago reports that Chase is restoring the points that were stolen from Teri Calandra, prevention is better than cure when it comes to credit card loyalty rewards. Here are several steps you’ll want to take:
Not only is it a good idea to regularly audit your loyalty accounts — especially the ones where you hold a large points balance — it’s important to be able to identify the warning signs that an account has been accessed improperly. For example, one red flag is receiving more spam emails than usual.
Use a password manager
Password managers such as 1Password and LastPass generate random, secure passwords for each of your accounts. As a result, if one of your accounts is compromised, criminals won’t be able to access any of your other accounts. All you’ll need to do is create a stronger password for the hacked account and move on.
Enable multi-factor authentication
Another step to take to protect your loyalty rewards is to enable two-factor authentication (2FA) or multi-factor authentication (MFA). Once enabled, these programs require you to enter a one-time login code — typically sent to you via text or accessed through an authenticator app like Google Authenticator — whenever you want to log in to your account. As a result, even if hackers have your login information, they likely won’t be able to receive the additional code needed to log in.
Ultimately, it’s important to remember that most cybercriminals are opportunistic. They want to go after targets that represent the lowest risk and the highest possible reward. Make it difficult for your credit card points to be stolen by taking these steps, and they’ll most likely try their luck elsewhere.
Interested in paying off your credit card debt? Tally† may be able to help. Tally is an app that can help qualifying applicants manage their credit card payments more efficiently or consolidate loans to pay less in interest.
†To get the benefits of a Tally line of credit, you must qualify for and accept a Tally line of credit. Based on your credit history, the APR (which is the same as your interest rate) will be between 7.90% - 29.99% per year. The APR will vary with the market based on the Prime Rate. Annual fees range from $0 - $300.