Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Loyalty fraud detection: are identity controls keeping up?


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 235
Topic starter  

TL;DR: Loyalty accounts are being hacked, traded, and exploited because points now behave like transferable digital currency, while weak passwords, low customer vigilance, and delayed detection let fraud persist for weeks, according to Comarch. The real governance issue is that loyalty programmes were built for engagement, not identity assurance, so fraud controls now have to operate without destroying the user experience.

NHIMG editorial — based on content published by Comarch: LLMjacking and AI-powered fraud detection in loyalty programmes

Questions worth separating out

Q: How should loyalty programmes reduce account takeover risk without hurting the customer experience?

A: Use a risk-based model that adds friction only when behaviour changes.

Q: Why do loyalty accounts need stronger controls than most consumer profiles?

A: Because they hold transferable value, not just personal data.

Q: What do security teams get wrong about loyalty fraud detection?

A: They often assume the customer will notice the problem first.

Practitioner guidance

  • Apply risk-based step-up to redemption flows Require additional authentication for point transfers, high-value redemptions, profile changes, and account recovery so attackers cannot monetise a compromised login in a single session.
  • Segment loyalty accounts by fraud value Prioritise stronger controls for accounts with high balances, frequent transfers, or premium reward access, because those are the profiles most likely to attract abuse.
  • Tune detection around abnormal redemption patterns Monitor for rapid point depletion, login geography shifts, device changes, and repeated failed access attempts, then route those cases to manual review before payout.

What's in the full article

Comarch's full article covers the operational detail this post intentionally leaves for the source:

  • Specific examples of loyalty fraud patterns that MAIA is designed to detect in live programme data.
  • The decision flow for blocking an account, storing transactions, or escalating a case to the Contact Center.
  • How contextual signals and historical behaviour reduce false positives in day-to-day fraud operations.
  • The practical role of AI in supporting fraud teams without replacing human approval.

👉 Read Comarch's analysis of AI-driven loyalty fraud detection and account abuse →

Loyalty fraud detection: are identity controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9696
 

Loyalty fraud is an identity problem disguised as a customer engagement problem. Once points can be traded, transferred, or redeemed for real-world value, the account behaves like a financial asset. That means password hygiene, login monitoring, and step-up controls matter in the same way they do for other value-bearing identities. The governance mistake is treating loyalty accounts as low-risk simply because they are not bank accounts. Practitioners should align controls to asset value, not brand category.

A question worth separating out:

Q: How do teams decide when to block a loyalty account versus investigate first?

A: Use a threshold based on value at risk, behavioural confidence, and redemption speed. If there is evidence of unusual access plus immediate point transfer or voucher use, containment should happen before further value leaves the account. If the signal is weaker, isolate the account and route it into rapid review.

👉 Read our full editorial: AI-driven loyalty fraud exposes identity and access gaps



   
ReplyQuote
Share: