When a rewards balance disappears, the loss becomes visible at redemption. Miles may be transferred to a partner program, points converted into gift cards, or award travel booked without the account owner’s knowledge. By the time that happens, however, the loyalty program fraud has already succeeded.

The real questions arise much earlier.

Was the person logging in actually the account holder? Did a password reset go to the legitimate email address or to an attacker’s? Was the caller contacting customer support who they claimed to be?

Each of those moments is an identity decision, and each presents an opportunity to detect an impersonator before identity fraud occurs.

Hospitality and travel points have become stored value

Frequent flyer miles and hotel loyalty points are now among the most valuable assets travel and hospitality companies manage. American Airlines’ AAdvantage program is the largest airline loyalty program in the United States and, by many analyses, generates more profit than the airline’s passenger operations. American Airlines continues to report record membership growth and increasing co-branded credit card spending, while carrying more than $10 billion in loyalty program liabilities on its balance sheet. The U.S. Department of Transportation has also opened an inquiry into the rewards practices of the four largest U.S. airlines, signaling that regulators increasingly view loyalty programs as critical travel infrastructure rather than simply marketing initiatives.

For attackers, the appeal is simple: liquidity. A rewards balance that can be transferred, converted into a gift card, or redeemed for high-value travel behaves much like cash. Yet it is often protected by weaker security controls than financial accounts.

Many loyalty fraud detection efforts focus on detecting suspicious redemptions or gift card conversions. By that point, however, the attacker already controls the account. TransUnion’s H2 2025 Fraud Report found that U.S. business leaders identified account takeover (ATO) as their largest source of fraud losses, accounting for 31% of total fraud losses. The report also found that digital ATO attempts increased 21% year over year and 141% since 2021. While these figures are not specific to loyalty programs, that is precisely the point. The same attack techniques used to drain bank accounts can just as easily empty loyalty accounts, which are often much softer targets.

The most common entry point is also the simplest: a password that was reused and previously exposed in a data breach. A 2025 federal indictment illustrates how automated these attacks have become. Prosecutors allege that the defendant used credential-stuffing scripts to test thousands of stolen username and password combinations against a major U.S. hotel chain before accessing victims’ airline, hotel, and banking accounts. A single compromised credential database, tested at scale, can expose every account where a customer reused the same password.

How to assess the security of a loyalty program

For identity fraud and security teams evaluating their organization’s exposure, prevention cannot stop with implementing multi-factor authentication (MFA). Identity controls must remain effective across every stage of the identity lifecycle that attackers exploit, including:

  • Login. Does the program support phishing-resistant authentication methods, or does it still rely primarily on SMS one-time passcodes? Does it actively detect credential stuffing, or simply count failed login attempts?
  • Account recovery. Does every password reset generate a notification to the account owner, as recommended by the National Institute of Standards and Technology (NIST)? Is recovery protected by stronger identity verification than knowledge-based questions that attackers can easily purchase or guess?
  • Customer support and interactive voice response. Before a call center agent changes an email address, replaces a phone number, or transfers loyalty points, how is the caller verified? Through strong identity verification, or merely a birthday and ZIP code?
  • Post-authentication monitoring. Can the organization detect anomalous transfers, redemptions from previously unseen devices, or points being funneled through suspicious accounts before they are redeemed?

How identity threat detection and risk mitigation defends against loyalty fraud

The common thread across login, recovery, customer support, and partner access is that each represents a trust decision. When these decisions are managed independently, attackers exploit the resulting gaps. Organizations often harden login while leaving recovery workflows exposed or deploy strong mobile authentication while relying on weak knowledge-based verification in the call center.

A more effective approach treats the entire customer journey as a single risk surface. Identity signals from devices, networks, phone numbers, behavioral patterns, and account history are evaluated together to produce a real-time risk assessment. Organizations can then apply the appropriate level of friction based on the actual risk of each transaction. Identity threats are detected where they emerge, and risk mitigation adapts dynamically instead of relying on static authentication rules.

ID Dataweb is built on this model. The ID Dataweb platform orchestrates identity verification methods and risk signals into adaptive workflows that operate consistently across Web, mobile, and call center channels. The same risk engine evaluates logins, password resets, account recovery, and call center agent-assisted account changes. For travel and hospitality organizations, this cross-channel consistency addresses the areas where traditional authentication programs are typically weakest: account recovery and customer support, which attackers often target after login protections have been strengthened. Regardless of the technology stack, the broader trend is clear. Loyalty points now represent stored value. They should be protected with identity controls that are every bit as robust as those safeguarding a bank account.