Scenario: A financial corporation’s customer service center is inundated with calls in a short period regarding customers receiving notifications that their email address and password had been changed. The customers insist they were not the ones to update their profiles, and upon checking the accounts, the service specialists determine the customers’ rewards balances have been depleted.

An emergency response services (ERS) team is called in to investigate, and they find that, fortunately, the integrity of the server was not compromised. Account credential misuse, however, is confirmed — most likely due to cybercriminals who compromised accounts with large loyalty card balances and sold them on the Dark Web. The ERS team found that the Web application allowed attackers to access account credentials by incrementing an ID in the URL, guessing simple passwords or exploiting account users’ reuse of passwords from other compromised sites.
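The two access patterns the ERS team describes, walking account IDs in the URL and trying simple or reused passwords across many accounts, both leave a distinctive trace in ordinary web server logs. The following detection pass is an added example, not code from the original article; the log format, the sample lines and the thresholds are assumptions made for illustration.

```python
"""Flag ID enumeration and password guessing across accounts in web logs."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed format:
# client_ip "METHOD path HTTP/ver" status username (or - when anonymous)
SAMPLE_LOG = """\
203.0.113.5 "GET /account?id=1001 HTTP/1.1" 200 -
203.0.113.5 "GET /account?id=1002 HTTP/1.1" 200 -
203.0.113.5 "GET /account?id=1003 HTTP/1.1" 200 -
203.0.113.5 "GET /account?id=1004 HTTP/1.1" 200 -
203.0.113.5 "GET /account?id=1005 HTTP/1.1" 200 -
198.51.100.7 "GET /account?id=2481 HTTP/1.1" 200 frank
198.51.100.9 "POST /login HTTP/1.1" 401 alice
198.51.100.9 "POST /login HTTP/1.1" 401 bob
198.51.100.9 "POST /login HTTP/1.1" 401 carol
198.51.100.9 "POST /login HTTP/1.1" 200 dave
198.51.100.2 "POST /login HTTP/1.1" 401 erin
198.51.100.2 "POST /login HTTP/1.1" 200 erin
"""

LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3}) (\S+)$')
ID_RE = re.compile(r'^/account\?id=(\d+)$')


def parse(log_text):
    """Yield (ip, method, path, status, user) for every well-formed line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ip, method, path, status, user = m.groups()
            yield ip, method, path, int(status), user


def analyze(log_text, enum_min=4, stuffing_min=3):
    """Return clients that walked consecutive account IDs or failed logins
    against many distinct usernames (thresholds are assumed values)."""
    ids_by_ip = defaultdict(set)
    failed_users_by_ip = defaultdict(set)
    for ip, method, path, status, user in parse(log_text):
        m = ID_RE.match(path)
        if method == "GET" and m and status == 200:
            ids_by_ip[ip].add(int(m.group(1)))
        elif method == "POST" and path == "/login" and status == 401:
            failed_users_by_ip[ip].add(user)
    enumeration = {}
    for ip, ids in ids_by_ip.items():
        seq = sorted(ids)
        # Many distinct IDs that are also consecutive is the ID-walking signature.
        if len(seq) >= enum_min and all(b - a == 1 for a, b in zip(seq, seq[1:])):
            enumeration[ip] = seq
    stuffing = {ip: sorted(u) for ip, u in failed_users_by_ip.items()
                if len(u) >= stuffing_min}
    return {"id_enumeration": enumeration, "credential_stuffing": stuffing}
```

A hit in `id_enumeration` points at a missing ownership check on the account endpoint (the server must compare the requested ID against the authenticated session, not trust the URL), while a hit in `credential_stuffing` is the cue for per-source rate limiting and lockout on the login endpoint.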

This scenario is hypothetical, but cases like it are increasing in frequency. Many companies, including retailers, airlines, hotel chains and financial services, offer a loyalty or rewards program to provide an incentive to customers to make purchases from them and remain loyal to their brand. Loyalty or rewards points can be regarded by consumers as another form of currency. That makes these accounts an attractive target for cybercriminals and has led to several data breaches in the past year.

When a customer’s points are compromised, it’s viewed as a direct hit to finances. Therefore, it is important for organizations that offer these programs to identify the root causes of these compromises and, more importantly, determine what they can do to help minimize the chance of their customers’ hard-earned loyalty points being stolen.


Susceptibility to Phishing and Spear Phishing

A very high percentage of attacks are facilitated via phishing and spear phishing. Loyalty programs are not immune to these tactics. With an abundance of personal data on the Internet, it is trivial for an attacker to build a pretty accurate profile of a target in a short period. Job title and shopping preferences could be used to craft the perfect phishing email that unsuspecting victims will assume is legitimate.


Figure 1: Illustration of a potential spear phishing email.

An attacker could further doctor up the email above by including a weaponized document designed to exploit application vulnerabilities and perform a drive-by download, resulting in a malware infection. The attacker can then activate keylogging functionality to capture the user’s login credentials, exfiltrate information or further map out the network and infect other endpoints. An alternative would be to include a link to a phishing page that mimics the look and feel of a legitimate website.

Protect the Billions of Loyalty Accounts at Stake

U.S. consumers hold 3.3 billion memberships in customer loyalty programs, according to one 2015 study. Rewards programs are widely used across numerous industries. Following a breach, the very thing that these programs aim to achieve — loyalty — is broken. Reputation is tarnished, which costs organizations money to restore. There is also a financial cost associated with reimbursing customers whose points have been stolen and spent. All of these are reasons for organizations to want to focus on applying data security protocols to these programs.

Read the complete research report: The price of loyalty programs
