The reward for signing up for a premium credit card and paying hundreds of dollars in annual fees is supposed to be a stash of points that you can convert into high-end travel experiences, but a longstanding attack can divert them to a scammer’s spending spree.
Even people well-versed in the world of frequent-traveler miles and points can miss this attack in action, because it exploits an Amazon “Shop with Points” option in a way that leaves the cardholder unaware of the theft until afterwards.
Jason Rabinowitz, an aviation journalist with Flightradar24, learned about this the hard way in December when he realized that his Chase Ultimate Rewards points had seen a six-figure drop.
“My points balance was almost entirely drained in a series of extremely suspicious incremental Amazon transactions that even the most basic of fraud detection algorithms should have spotted,” he wrote in an email. “I only discovered the fraud well after the fact when I spotted my points balance was missing a digit in the Chase app.”
Looking up recent activity on his account revealed dozens of Amazon purchases made with the points he’d earned on a Chase Sapphire Reserve card.
How? The attacker would have needed Rabinowitz’s credit card details—something that could easily have happened through a data breach in a retailer’s systems, one reason we recommend not saving your payment details at online stores. Then the attacker would have added the card as a payment method to their own Amazon account, activated Shop with Points, and used the points for those purchases.
This is neither a new trick nor unique to Chase. Reddit forums for American Express and Capital One cards—among the 20 different rewards programs that support Shop with Points—have threads recounting the same kind of fraud that Chase users have reported there.
But Shop with Points doesn’t require customer notification of a card enrollment.
“When customers use Shop with Points to link their credit card rewards account to Amazon, we send a notification to the rewards partner for every enrollment attempt, allowing banks to monitor for suspicious activity and alert cardholders if they detect potential fraud,” Amazon spokesperson Josh Pflug said in an email.
His statement included a link to Amazon’s scam-reporting page, which has a category for losses in which the customer never shared any information with the fraudster. Amazon does not notify the cardholder directly because the company doesn’t necessarily know who the primary cardholder is on an account.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy
Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Individual card issuers, meanwhile, can set their own notification policies, which, in Rabinowitz’s case, meant he received no notice. When I added my own Chase Sapphire Reserve card to my Amazon account and activated Shop with Points, I didn’t get an email about it either.
The fraudulent Shop with Points transactions also didn’t trigger any notifications, nor did they appear to set off Chase’s own fraud-detection mechanisms.
“Chase has been good over the years at detecting and protecting my account from fraudulent charges when it involves actual cash transactions, but there appears to be literally nothing in place to prevent fraud on the points side,” Rabinowitz griped.
He commended Chase for its quick recovery after he notified the bank, however. Less than a week later, he had the entire points balance restored.
Recommended by Our Editors
Chase’s description of its account protection measures doesn’t specifically cover points transactions, but a spokesperson confirmed that the policy protects them as well. “In confirmed cases of fraud, customers are not held responsible for unauthorized redemptions and are reimbursed for any lost points,” Heather Caufield wrote in an email. “Helping keep customers safe is our top priority.”
How to Avoid Shop-With-Points Scams
The best way for you to stay on top of your own points balance is to have it readily available on your phone. Yes, you might actually need one more personal-finance app on your device.
Any major credit card issuer’s app should prominently display your points balance, sometimes right on the home screen. As I realized years ago, these apps also make it easy to sign up for the merchant-specific cash-back deals many issuers regularly offer.
You may, however, have to wander a little further in the app to see what’s happened with your points lately. In Chase’s app, for example, you need to tap your rewards balance, scroll down on the next screen, and then tap Rewards Activity.
You may not want to have yet another financial chore to tackle, but you definitely don’t want to find out your points have been taking flight without your knowledge for weeks or longer.
Said Rabinowitz: “The entire experience was upsetting because there was absolutely no notification that the fraud had happened, let alone anything I could do to stop it in the first place.”
About Our Expert
Experience
Rob Pegoraro writes about interesting problems and possibilities in computers, gadgets, apps, services, telecom, and other things that beep or blink. He’s covered such developments as the evolution of the cell phone from 1G to 5G, the fall and rise of Apple, Google’s growth from obscure Yahoo rival to verb status, and the transformation of social media from CompuServe forums to Facebook’s billions of users. Pegoraro has met most of the founders of the internet and once received a single-word email reply from Steve Jobs.
Read Full Bio
