Donna was alarmed when she received an email from Capital One thanking her for redeeming about 171,000 credit card reward miles, worth $1,710, for more than a week's worth of hotel stays in New York. The reservation was under a name she didn't recognize.
“I thought, ‘I didn’t do that,’” says Donna, a Wilmington, Delaware, resident who asked that her last name be withheld because of the security issues raised by the theft. “I looked at last month’s statement, and sure enough, we had 171,000 more miles than we had now.”
After calling Capital One, she and her husband, with whom she shares the account, spent about two-and-a-half hours reporting the theft. Capital One contacted the hotel where the pilfered miles had been redeemed, and Donna was told that the hotel sent a representative to the room, though she doesn't know what happened next. A few days later, Capital One reinstated the couple's miles and sent them new cards.
As strange and upsetting as Donna's experience was, it's hardly unprecedented. A handful of credit card points or miles thefts have made headlines during the past few years. In 2013, hackers poached miles from about 7,700 U.S. Airways loyalty accounts in a security breach, Bloomberg reported. And in 2015, The Dallas Morning News reported that miles had been stolen from 10,000 loyalty accounts at American Airlines and as many as 36 loyalty accounts at United Airlines, in both cases using login data stolen from other sources.
Points and miles thefts can easily go unnoticed. Unless fraudulent transactions are connected to a larger breach, airline and hotel loyalty programs probably won't flag them for you. Even credit card issuers' more advanced security systems aren't always able to sniff out a shady rewards redemption. For the most part, keeping an eye on your points and miles is up to you.
How miles and points get stolen
Capital One wouldn't comment on Donna's case specifically. But “protecting customer and account information is a top priority at Capital One and we take it very seriously,” says Amanda Landers, a spokesperson for the company.
"Rewards fraud can occur when a fraudster obtains customer information and is able to authenticate as the customer, such as by successfully answering security questions either on the phone or online," she adds.
This often doesn't require much effort on the crooks' part. Following recent data breaches, millions of consumer login credentials have been either published in data dumps or sold on the "deep web," corners of the internet you can’t reach via a search engine. Some are sold for as little as $1 each, a 2015 report by security software company Trend Micro found. And consumers frequently reuse usernames and passwords, which works to criminals' advantage.
“Thieves then take that data and try the credentials at a slew of online merchants, knowing that a non-trivial number of them will work,” says Brian Krebs, who reports on security matters on the blog KrebsOnSecurity.
Other criminals get information through “phishing” emails, messages that appear to be from a familiar company and try to trick you into providing your login information.
Why your card issuer might not catch theft
Points and miles are an easy target for theft. For one thing, many airline and hotel loyalty programs — the kind associated with co-branded credit cards — lack robust security systems. Hackers might be able to try out several variations on your password without being locked out of your account. And the program might not notify you when your rewards are redeemed.
Major banks tend to have much stronger security and protect credit card rewards through multifactor authentication and email account alerts, says Al Pascual, research director and head of fraud and security at Javelin, a consulting firm for banks. Multifactor authentication requires users to verify their identity in more than one way. They may have to enter a password and answer a personal question, for example, or provide a code received via text message. And the account holder receives email alerts whenever points and miles are redeemed or certain transactions are made. That's how Donna was alerted to her theft. But thefts can occur even when these security measures are in place.
“The fact that you haven’t looked at [your rewards] forever is a very useful thing for criminals,” Pascual says.
No one collects comprehensive data on the cost of points and miles theft to consumers and companies. But it’s likely a relatively small number compared with the total cost of identity fraud in the U.S., which was $15 billion in 2015, according to Javelin.
How to report stolen rewards
Points and miles aren’t the same as cash, but they can have significant value. Americans accumulate about $48 billion in rewards each year, one 2011 study by loyalty firm Colloquy found. In a recent survey, NerdWallet found that the average redemption value of a point or mile could range from 0.4 cent to 2.3 cents, depending on the loyalty program. That means that your credit card's points and miles could be worth thousands if you've been saving up — so treat your rewards like money.
“If a customer notices rewards missing, he/she should report it to the credit card company, just as one would with any fraudulent purchase,” says Landers, the Capital One spokesperson. “After investigating, the company will credit back to the account any rewards stolen.”
If your credit card is co-branded — meaning it's tied to a specific airline or hotel loyalty program — you might have to speak with the loyalty program, rather than the bank that issued the card, to get your rewards back.
After contacting your issuer, you can choose to report the crime to your local law enforcement agency. With enough information, the local authorities might be able to help you. Police say a Miami man confessed to stealing more than $260,000 worth of miles from American Airlines AAdvantage accounts, the Miami Herald reported in late April.
How to safeguard your points and miles
Protecting your points and miles falls mostly to you.
“Half of all fraud in any one year is detected by the consumer,” says Pascual, the Javelin executive, citing data collected by the firm.
To prevent points-hacking headaches, take the following steps:
Keep different passwords for different accounts. “Don't use easy-to-guess passwords. Don't reuse your passwords across multiple sites, particularly those that handle your financial or personal data,” Krebs writes. This can help you mitigate the potential impact of a future data breach.
Know your rewards balance. Consumers have long been advised to track credit card spending, but you should also track how much you’re earning in your rewards programs at least once per month. If you see any unfamiliar transactions, contact your issuer.
Beware of phishy emails. If you receive an email asking you to verify your login credentials for a certain website "as soon as possible," just delete it. A reputable company wouldn't make such a request by email.
Donna's surprising theft has been resolved. Capital One was good about following up, she says, and everything is back to normal. But now she’s more cautious with her rewards.
“I always check my account, but I don’t always check my miles,” Donna says. “Now I will.”