Cybercriminals are breaking into frequent flier accounts and selling the miles for cash. Here’s how travelers can arm themselves against attack.
For many travelers, airline miles and hotel points are extremely valuable—they are a type of currency that can be used to book flights and overnights around the world.
But for many people, the possibility of someone hacking into their frequent flier account has likely never crossed their mind. However, experts say travelers would be smart to monitor their frequent flier activity as closely as they do their bank and credit card accounts.
According to Kurt Long, founder of cybersecurity company Bunkr, theft of points and miles has been on the rise in recent years, in part because of major breaches at companies like Starwood/Marriott, MGM, Star Alliance, and OneWorld (where cybercriminals gained access to travelers’ information, including usernames and passwords) and in part because people weren’t traveling as much.
“Most people don’t frequently check their account balances, and during the pandemic, they also weren’t spending their points,” Long said. “At the same time, rewards programs doled out tons of points, so there are more out there to target.”
He added that the security laws around information held in the travel sector tend to be fairly lax compared to regulated industries, like banking, wealth management, and healthcare, and they face far fewer penalties in the case of breaches, so there aren’t as many safeguards for travelers.
According to Gary Leff, who writes about frequent flier points and miles on his blog, ViewFromTheWing.com, there’s “a general belief that points and miles theft is on the rise, but it’s difficult to get concrete data to back that up. Many loyalty programs keep their actual fraud levels close to the vest.”
Airlines don’t provide many details about the measures they’re taking to prevent theft of customers’ points and miles. When asked, a representative from Delta said simply, “Information security is certainly something our teams are working on improving for our customers.” Similarly, a representative from American Airlines said, “Data security is a top priority as our customers trust us with their personal information when booking travel and as part of our loyalty program, AAdvantage. We continue to enhance our security measures on aa.com for our members to further protect their personal information.”
Once hackers have access to your account, they may use your points and miles for actual hotel stays and flights or cash the points out at a participating retailer, like Amazon.
“Criminals also may redeem the points themselves and then sell the rewards,” said Steve Weisman, author of Identity Theft Alert and a professor at Bentley University, where he teaches about white-collar crime. He pointed to a case where Russian hackers did this in 2017 by using British Airways miles for flight upgrades, hotels, and rental cars, which they then sold to unsuspecting customers on websites that appeared to be legitimate, as one example.
“They’re very organized, which I don’t think the public fully understands,” Long said. “They’re well funded, they write software, they have all these tools. And when they get your personal information, they’re going to run it through automated systems and look for weak spots. Once they get into your accounts, they’ll scrape out everything they can. Travel is a big, lucrative market for them.”
Here’s what you need to know about protecting your points and miles accounts from being hacked.
How to protect your frequent flier accounts
Unlike bank accounts, where you get a statement every month, travelers typically need to log into their accounts to check their points and miles balance. It takes more effort for consumers to keep on top of their account.
Having good password management—using unique, complex passwords for each account—is critical to preventing hackers from getting into your account, Long said. If you reuse the same password for multiple accounts (be that for a newspaper subscription, your Starbucks account, your Netflix login, or whatever else) or make simple derivatives of the same one, and criminals get ahold of one, they’ll try to use it anywhere they can.
Getting access to your mileage plan account could open the door for them to wreak havoc in other areas of your life. Often, credit cards are associated with airline and hotel accounts, which hackers would also now have access to. And the more information they can find about you (your employer, address, phone number, et cetera), the more damage they can do (such as applying for a credit card or taking out a loan in your name).
Long said it’s a good idea to consider a password manager that can generate strong passwords and keep track of them. In addition, you can protect yourself with two-factor authentication (which involves using two knowledge factors, like a password and a one-time PIN number sent to an associated mobile phone via text) because it helps slow criminals down.
Another way that travelers can get duped, according to Justin Lavelle, a scams prevention expert with BeenVerified.com, an online background checking source, is they receive an email or text from a source pretending to be an airline, travel site, or travel agency. The letter notifies them that they’ve won additional miles or a flight and provides a number to call or a link to follow to claim their prize. According to Lavelle, when they call or follow the link, they’ve reached a scammer who will ask them several questions, including an airline account number and other personal information. The information is then sold to other scammers. It’s important to be critical of unexpected emails—if you don’t know the sender or if the message seems suspicious, don’t click on it.
“I find the single best thing to do in protecting your miles is to check your account regularly,” Leff said. “I’m never going to go to each and every airline website and log in daily. But I will go to AwardWallet.com, click one button, and update most (but not all) of my account balances. Then I see immediately if points have been deducted from my account that shouldn’t have been.”
What to do if your airline miles or hotel points are hacked?
Points are your property, and even though they may not be tangible, like cash or gold bars, they still have monetary value and the theft of them is a crime.
The first thing you’ll want to do is contact the airline or hotel company and let them know you didn’t authorize the use of those miles or points and ask that they return them.
“Companies are under no obligation to give the points or miles back to you,” said Ben Farrow, a LegalShield partner attorney. “There’s no statute that says they have to.”
He added that most airlines and hotels typically do give customers their points and miles back. That’s especially true if the company was negligent—such as if someone hacked its system, got users’ passwords, and stole their points. Customers could go through litigation, and if proven guilty, the company would be responsible for customers’ losses. However, Farrow said, it’s typically better company policy to give users their points and miles back.
“The people who have frequent flier miles, that are loyal, are the customers they want,” Farrow said. “So they’re going to make accommodations for you most of the time.”
Note that after your points or miles are stolen, the hotel or airline may give you a new account number, which could create headaches with any reservation you already have (for instance, with your airline’s partners) and require you to update your frequent flier number with car rental partners, gas station partners that you may earn miles with, and so on.
If the airline or hotel declines to refund the miles, Farrow said you could consider filing a criminal complaint with your local sheriff department. While law enforcement is unlikely to catch the criminal, as they may not have the resources to track them down, and the criminal may be in a country that doesn’t have extradition treaties with the United States, you’ll at least have a criminal report on record. From there, you could make a complaint to the Federal Trade Commission (FTC), saying the company was sloppy with your data, and it resulted in the loss of your points and miles. The FTC won’t launch an investigation into your individual complaint, but it will build a database, and if your complaint is the one that breaks the camel’s back, the FTC will can suggest regulations to address the problem.
“Remember those auto warranty calls that were all over the place? They all got shut down because enough people complained to the FTC,” Farrow said. “Until enough people squawk about how we’re treated with stuff like this, it’s not going to change.”