How bonus programs can make fraudsters more loyal to your business
September 2019 by Claire Hatcher, Global Lead, Kaspersky Fraud Prevention
As companies strive to become more successful than their competition, they can find it a struggle to secure new clients and retain their current customers. Loyalty programs are often seen as an answer to solving these difficulties and have become one of the most popular ways to improve customer engagement and retention. To put it simply, these programs give either a welcome bonus or a reward for constantly buying something from the same retailer. Such campaigns are well received amongst consumers and, according to a Kaspersky survey, 53% of customers have purchased something with their bonus points. Loyalty programs first appeared at the end of the 19th century in the form of copper tokens and special stamps, which could be exchanged for bonus points.
By the 1990s loyalty cards were become familiar amongst consumers – these plastic cards with a barcode or magnetic line helped customers top up their loyalty points quickly and stored them in one place. However, today, these cards are becoming redundant as people prefer to shop online, with 70% of consumers worldwide purchasing goods via the internet.
Bonus points takeover
There are different ways malefactors can gain access to the accounts of reward program participants. They can brute force the password for a certain email. The task can be even simpler as an attacker can try to use credentials which were previously compromised in a breach or data leak. It increases the chances of success, as people tend to use the same passwords for different accounts. Malicious programs that covertly collect passwords and usernames (password stealers) can also help an attacker attain valid credentials.
Welcome gifts for fraudsters
Accounts of existing users are not the only target for cybercriminals. It’s even easier for fraudsters to jeopardise and take advantage of welcome points given to new customers. They can register multiple fake accounts to accumulate points. On one occasion, Kaspersky’s fraud analytics team discovered a case in which fraudsters had created almost 3,000 accounts registered with just a single email address. It was possible because Gmail and the e-commerce platform involved have a different approach on how to identify emails. Gmail doesn’t distinguish dots in emails making firstname.lastname@example.org and email@example.com the same address for an email service, which guarantees that addressee will receive a message even if someone used a dot by mistake.
A loyalty program can be an effective marketing tool, but fraud can turn it from a benefit to a burden. If a company’s loyalty scheme is exploited, the business will not only lose potential clients and profit, but also face the negative reaction of those who it is trying to attract if one day bonuses suddenly start to disappear.