CYBER criminals are stealing loyalty card points in a black market worth £300million, the Sun on Sunday can reveal.
So-called “points bandits” are targeting the likes of the Nectar and Boots Advantage schemes — with up to five per cent of Brits affected.
Gangs use artificial intelligence to spew out multitudes of random card numbers, until they land on a valid one by chance.
Then they are able to generate barcodes and steal the points from loyal customers.
Cyber crime expert Frank Teruel, the chief operating officer at anti-cyber crime platform Arkose Labs, told The Sun on Sunday: “This is loyalty card cyber warfare.
“It’s the same as taking cash. But here’s the difference.
“If you walk into a Lloyds branch in London and steal some money, you’ll probably be caught and go to prison.
“If you steal someone’s points online and you are potentially miles away, it’s a really difficult problem.
‘Despicable thing to do’
“Loyalty cards, right now, are the point of least resistance.
“It’s probably the least protected digital currency you have.”
Last year the Competition and Markets Authority found 97 per cent of shoppers are members of at least one supermarket loyalty scheme, and on average consumers belong to three.
And, according to the latest research, Brits have an estimated £6billion of unclaimed loyalty points stacked up on cards.
Now a new global survey from the Loyalty Security Alliance and Arkose Labs reveals up to five per cent of loyalty cards have been compromised.
The alliance says that the figure “reflects the UK market”, meaning £300million of points are at risk of being drained.
Julie Dowling, 50, from Crayford, Kent, was horrified when 46,000 Nectar points worth £230 were taken from her account in June.
Julie, a cleaner, and her builder husband Keith, 54, had been saving up the points to spend on their Christmas food shop in Sainsbury’s.
She said: “Nectar thieves stole my family’s Christmas money.
“It’s a despicable thing to do.”
The message she was sent revealed 46,000 points had been deducted in St Albans, Herts.
She was left with 1,159 points worth £5.79.
Julie, who got her points refunded, warned: “People need to know as it’s just like stealing money out of your wallet or purse.”
5 WAYS TO PROTECT YOURSELF
HERE are Loyalty Security Alliance co-founder Michael Smith’s five steps to protect loyalty card cash.
- Your online loyalty program has real money sitting behind the points. Treat it like your bank account – you’ve earned it.
- Don’t use the same password across your accounts. There are lots of free password managers – Apple and Google both offer that service and companies like LastPass have free services.
- If your loyalty scheme offers two-factor authentication, use it because it makes it a bit harder to have your account taken over.
- Check your balances from time to time (and take advantage of your points!) so you know they are still there.
- Be careful in replying to texts or emails asking you to log into your account. These could be phishing attempts to access your personal data.
Community midwife Gail Birch had 15,800 Nectar points, worth £79, stolen in February.
They were used to make a purchase in London’s Finsbury Park — 150 miles away from her home in Bridgnorth, Shrops.
Gail, 69, said: “I feel quite sick to think that someone targeted me.
“It’s awful.”
While in April retired Metropolitan Police support staff worker Helen Maitland had almost all of her Nectar card balance drained.
Helen, 61, of Bexley, Kent, had 3,500 Nectar points, worth £17.50, pinched when her card was drained leaving just £2 worth behind.
She said: “Cyber crooks must be raking it in.”
Sainsbury’s was forced to issue a warning in June after it was reported 12million Nectar points — worth £63,000 — had been stolen in 2024.
The spate of thefts saw the retailer add a ‘Spend Lock’ feature to its Nectar loyalty app that prevents your points from being redeemed without your knowledge.
Points a hot target
Jennifer Bruton, a cyber crime consultant at Bores, said: “The problem is that to spend points with something like a Nectar card all you need is the barcode — and the card numbers which are used to create the barcode are predictable.
“Nectar is aware of the issue, and in most cases, they’ll refund the stolen points.”
But some loyalty card hacks are more sophisticated.
Organised crime gangs based in China, Russia and Africa use industrial-scale phishing enterprises, sending scam emails or other messages purporting to be from reputable firms, to steal logins and take over loyalty accounts.
In 2020, Boots was forced to suspend its Advantage Card payments after hackers attempted to access 150,000 customer accounts using a tactic called “password stuffing” — where criminals use leaked usernames and passwords to break into other sites.
Tesco Clubcard suffered a similar attack in the same year, affecting more than 600,000 users.
The Loyalty Security Alliance and Arkose Labs’ report The Silent Threat — shared exclusively with The Sun on Sunday — found that airlines and holiday loyalty schemes are a hot target for cyber criminals.
Their survey found 68 per cent of hotels are concerned about points theft, with travel booking sites facing “persistent threats from cybercriminals”.
Rhys Jones had 500,000 Avios points — worth at least £2,500 — swiped from his British Airways Executive Club household account this year.
BA’s fraud team restored the accounts, reset the email details and said the stolen points would be returned.
Rhys, 29, a travel writer with frequent flyer website Head Of Points, warned that Avios points were increasingly being targeted.
He said: “With an ever-growing number of partners, Avios is becoming a target for hackers who know it is a versatile currency with many opportunities for attack.”
Customers are urged to check their balance regularly and cash in their points to protect against theft.
But those who find themselves victims of points fraud can face difficulties in seeking justice.
Under the Home Office’s Counting Rules for fraud, loyalty scheme fraud is not covered.
It means there is confusion over how to best prosecute the crime.
Consumer champion Martyn James said: “Even though the points aren’t cash, they can be converted into virtual money — so we vitally need to change the fraud rules so the theft of these points is treated just as seriously as any other type of fraud.
“Leaving customers at the mercy of scammers is unacceptable, particularly given that there’s no ombudsman scheme or regulator for the retail industry.”
A Sainsbury’s spokesperson said that the security of Nectar accounts was a “highest priority” and insisted that the number affected by points theft was “small”.
A British Airways spokesperson said: “We always investigate any alleged instances of fraud against our members.”