Travel fraud surges as criminals loot airline rewards points

Travel fraud surges as criminals loot airline rewards points


Jason Lane-Sellers

Travel fraud and related crime is on the rise worldwide as criminals take aim at the security vulnerabilities of rewards programmes offered by airlines, among other loopholes.

According to Jason Lane-Sellers, director of fraud and identity for Europe, Middle East and Africa at LexisNexis Risk Solutions, criminals are hacking into multiple rewards programme user accounts, consolidating the rewards points into a single account, and cashing these out for big ticket items such as smart TVs and other household and electronic goods.

However, smart technological interventions are coming to the rescue.

“Fraud has been present in various forms in the travel industry for decades, but the biggest thing that has changed is digitisation,” Lane-Sellers said in an interview with TechCentral.

“The other side is the growth of loyalty programmes – there is value there – especially since these programmes can be interrelated. People aren’t as secure about their loyalty programmes and travel information as much as they are about their banking information and those kind of things, making it an easier target.”

According to Lane-Sellers, impersonation scams are among the most popular modus operandi employed by travel scammers. Hotel and flight deals are advertised on social media where the URL being linked to is deceptively similar to the legitimate entity being impersonated. Users are then tricked into entering their login information on the fake site where the data is harvested and used by hackers to enter the legitimate website and clean out their rewards points.

‘Too good to be true’

In other scenarios, users are tricked into making payments for flight or hotel deals on the fake website and the funds are directed into the criminal’s bank accounts.

Despite being more digital savvy, younger cohorts aged between 18 to 25 are more susceptible to impersonation scams with “too good to be true” offers like half price flight deals used to lure them in.

Older, more seasoned travellers – usually business travellers with lots of loyalty points – are more susceptible to a different form of impersonation. Lane-Sellers said a typical example of this is where a traveller’s flight is delayed and they want to engage customer service for help. When they search the web for the airlines website, the first link turns out to be a fake where their login details are copied.

Read: Cyber crooks cashing in as ATM attacks decline

“They copy the webpage using AI and screen scraping technology to make a convincing copy of the website. There are multiple ways of attacking, but the core is how easy it is to get access to that data,” said Lane-Sellers.

The challenge for companies offering loyalty programmes is that standard ways of making their systems more secure also add an administrative burden that diminishes the quality of the experience users have on their websites. An example of this is two-factor authentication which can be used at login as well as for critical functions such as when points are being redeemed or when important data like user contact information is changed.

Companies are now using a combination of behavioural biometrics and digital identity to improve security without disrupting the user experience, said Lane-Sellers.

Behavioural biometrics is a form of fraud detection that uses cues from how a user interacts with a computer to identify suspicious behaviour and take corrective action without disrupting those user sessions that fall within an acceptable risk profile. These queues include typing rhythm, swipe gestures and mouse movements.

“Does this person swipe with two fingers or one, do they prefer landscape or portrait orientation? If they type in their e-mail address in a fraction of a second then that might be a bot, or if they type slowly as though they are one- or two-finger typing then it might be someone reading the password from somewhere. There is commonality between how typical users interact versus how fraudsters interact,” said Lane-Sellers.

Read: Hackers target Ingonyama Trust in ransomware attack

Behavioural data is combined with other data such as a user’s frequently used devices, location, time zone and even the level of their batteries. When a number of these factors change, an alert is sent to the service provider – such as an airline loyalty points programme – and the transaction performed can be intercepted or even blocked.

“This technology makes it easy to realise when there is a problem and then put in controls that are user friendly because, let’s be honest, we all like that easy digital experience and we don’t want to be interrupted all the time,” said Lane-Sellers.—© 2025 NewsCentral Media

Get breaking news from TechCentral on WhatsApp. Sign up here.

Don’t miss:

Hackers target Ingonyama Trust in ransomware attack