How fraudsters are using social engineering to steal points and miles

Imagine logging in to your credit card account and seeing that your hard-earned points balance has been drained to zero. This is exactly what happened to TPG reader Tyler from St. Louis recently when he opened his Chase app.

Tyler (who prefers to use his first name only) is a self-described “award travel hobbyist.” While waiting for his car to be serviced, he was killing time by planning out award travel to see if he could meet or beat the point value based on TPG valuations (which is better than mindlessly scrolling social media, in our humble opinion).

Knowing he hadn’t recently redeemed any points, he assumed the zero balance was a glitch. “I quit the app and tried again, and it was still zero,” he recalled. “I then decided to look through the transaction history and saw two attempts to cash out the points a couple of weeks prior. The first was for an even number and was canceled. The second was for the specific amount of points I had in my account, and that attempt was successful,” he continued.

That was when he called Chase to try and find out why his points had disappeared and who was behind it.

After talking to Chase, it didn’t appear the fraudsters could log in to his account. “I have two-factor authentication turned on and never received a one-time code to my phone or any emails suggesting odd activity,” he said.

Rather, it appears the fraudsters redeemed the points by phone. “The security representative confirmed that the transaction was conducted over the phone by someone impersonating me,” he said. Even without having his username or password, he assumes his credit card number, name, phone number and possibly his mother’s maiden name had been compromised.

In the end, Tyler recovered his points and secured his account. “First, they submitted a ticket for the return of my fraudulently transferred points. Then, they forced a username update and reset my password,” he shared.

How fraudsters use social engineering to steal your points

While this story has a mostly happy ending, it left Tyler frazzled, frustrated and questioning whether he should continue his relationship with his current credit card company. And he isn’t alone. There are dozens of posts on Reddit and points and miles message boards recounting similar stories of identity fraud.

In some instances, fraudsters can gain access to your online account login information. They can change your email address and password so that you would be none the wiser when they begin making fraudulent transactions.

There are a multitude of ways that scammers can leverage bits and pieces of your personal information that are either publicly available or become compromised as part of a data breach. They can then use this information to access your points, miles, credit cards and bank accounts.

We asked around in our TPG Lounge Facebook group to see if anyone had fallen victim to similar scams and found similar stories.

A reader named James was alerted by email that all of his Chase Ultimate Rewards points had been transferred from his account to a bank in another state. He immediately called the bank to report that he hadn’t authorized the transaction, and it reversed the transfer. For the fraudster to have transferred the points successfully, his information had evidently been compromised.

Another reader named Christie shared a story about her sister, who recently received a call from American Airlines alerting her that someone had fraudulently redeemed 150,000 AAdvantage miles from her account. Luckily, the airline immediately flagged the redemption as fraud, issued her a new AAdvantage number and reinstated her miles.

How to protect your points, and your identity

Though this type of identity fraud is on the rise, there are ways to protect yourself … and your points. TPG spoke with Michael Jabbara — vice president and global head of fraud services at Visa — and Jeff Reich, executive director at Identity Defined Security Alliance — a nonprofit that helps organizations with cybersecurity education. We also contacted a Chase spokesperson who shared advice on how individuals can stay safe from scams.

Here are their tips:

Regularly monitor your account activity

Reich recommends checking your accounts regularly. “I pretty much do this on a daily basis or at least five days a week,” he said. When doing this, you want to check your account balances, recent transactions, and points and miles balances. If you see anything out of the ordinary, contact customer service immediately.

Set up account notifications

When life gets busy, daily account checks may slip your mind. “If you set up transactional alerts, you can receive a notification every time you use your card or make changes to your loyalty program or account profile,” Jabbara said. “I recommend people manage their notification settings so that they are aware when any of those events occur, and they can be proactive rather than reactive,” he added.

The exact steps for this will vary by company, but you will typically sign in to your account and go to your profile settings; there, you should see an option for “alerts” or “notifications” that you can customize.

Keep your contact information up to date

Most loyalty programs will send a confirmation email when you redeem points or change your account profile, so verifying that your email and phone number are up to date on your accounts is also important.

“Keep your contact information up to date. We need to be able to reach you quickly if we notice something amiss in your accounts. Review the contact information we have on file for you to make sure it’s correct and your preferred method of communication,” the Chase spokesperson told TPG. Chase has additional security tips on its website.

Never give out sensitive information over the phone

Jabbara’s advice here is plain and simple: “If you get a phone call asking for secure information [like your account information, credit card number, username, password or Social Security number], don’t give it away,” he said. “No reputable institution would ever ask for your password, for instance, over the phone. If somebody is soliciting that level of detail from you, that is a red flag, and you should have your fraud radar on,” he added.

The Chase spokesperson reinforced Jabbara’s recommendations. “Always protect your personal account information, ATM pins, passwords and one-time passcodes. If someone contacts you and asks for this information — especially if it’s someone claiming to be from your bank — do not share it with them,” they said.

This extends to giving information out over text or email, as well. If you get a call from your bank telling you they need to confirm certain information, thank them and tell them you will call them back. Then, either log in to your banking app or find the number on the back of your credit card and call them directly.

Never use the same password on multiple accounts

We get it. Keeping up with a different password for every account is hard. However, dealing with compromised accounts is harder. “Never, ever reuse passwords,” Reich advised. “Once one is compromised, they’re all compromised.”

If you have multiple logins that use the same password, a data breach on one account could help a fraudster access any other account that uses the same password.

Reich recommends using a password manager so that you can have all unique passwords while only having to remember one “master password.” Find a way to remember that one password without writing it down or storing it on your phone or computer. Reich uses a combination of numbers, letters and special characters to create a phrase that is easy for him to remember but hard for someone else to guess.

It’s also important to change your passwords regularly as an additional layer of security.

Set up 2-factor authentication on your accounts

Two-factor authentication (2FA) and multifactor authentication (MFA) require you to present at least two types of authentication to gain access to your account, so nobody (including you) can get in with only your username and password. The additional factor could be a text sent to your phone, an email, an authenticator app or a physical token that you can plug in or tap on your phone or computer.

You can enable 2FA or MFA through your online account or mobile app for most accounts. You will usually see options to add or update 2FA and MFA in your profile’s “security” section. If you can’t find these settings, contact your institution for instructions.

Set up phone passphrases for your credit card accounts and your phone carrier

Some institutions will ask you to confirm your mother’s maiden name as a security measure, but this information is easy for a scammer to find.

Instead of using this easy-to-find detail, call and set up a unique passphrase that you can give over the phone to further secure your accounts. “This is something you can also put in your password manager,” Reich advised.

Another important step that Jabbara suggested is to set up a phone passphrase with your phone company.

“Even after you’ve set up two-factor authentication, a fraudster can carry out what we call a ‘SIM swap attack,’ where they will call into your telecom provider, pretend to be you and request your number transferred to a new phone,” he explained. “Then, if they have the username and password for any of your accounts, the one-time 2FA password will be sent to them, and they have access to your account,” he added.

If you have a passphrase set up, when someone calls your telecom provider, they’ll ask for your passphrase before they would enable any changes to your account.

Subscribe to a credit monitoring service

If you have a credit card account, you are likely eligible for free credit reports that include information on your credit score, credit history and accounts that have been opened or closed. Some also offer identity monitoring services that can alert you if your personal information is compromised.

If you don’t have access to any of these through your credit card account, there are ways to check your credit score for free. You can also sign up for an identity monitoring service like Credit Karma (free) or LifeLock (starting at $7.50 per month).

Most credit and identity monitoring services also allow you to set up alerts so you can receive a text or email if they identify any breaches or changes.

Avoid using public Wi-Fi servers

Last but not least, Reich advises people to use a virtual private network on their phone and computer when using public Wi-Fi.

Public Wi-Fi networks are more vulnerable to attacks, making it easier for hackers to access any information you send, including usernames and passwords, credit card information and more. If the website you are accessing doesn’t encrypt the information, a VPN will encrypt it for you, making it much more difficult for a hacker to access.

“I can’t emphasize enough that free Wi-Fi is unprotected,” Reich said. “A VPN essentially creates a ‘tunnel’ between your device and the server you send information to. Anyone who looks at that information will just see encrypted garbage.”

Some security companies that offer antivirus software — like McAfee — can also offer you a VPN as part of your protection package. Or, you can purchase one through a company like NordVPN or Surfshark.

Bottom line

Knowing there are fraudsters out there trying to access your points, miles and money can be scary, but according to the experts we spoke with, there is no reason to live in fear. “Fraudsters are relying on people to have not-so-great security habits,” Jabbara said.

If you take these steps, you can make your information less valuable to fraudsters. It may seem like a headache, but it’s not as painful as losing money or points and miles.
