TL;DR: Loyalty reward fraud is rising through fake sign-ups, account takeovers, and abusive redemptions, with the Loyalty Security Association estimating $3.1 billion in fraudulent points redeemed and about $1 billion in annual losses. The real weakness is not rewards economics alone, but customer identity flows that still let compromised credentials and synthetic accounts get too far before anyone intervenes.
NHIMG editorial — based on content published by Strivacity: loyalty reward fraud and the identity controls used to stop it
Questions worth separating out
Q: How should security teams stop fake sign-ups in loyalty programmes?
A: Use layered registration checks that combine identity proofing, breach password screening, phone and email validation, and bot detection.
Q: Why do loyalty accounts remain vulnerable after customers pass login?
A: Because many attacks are designed to move from valid login to rapid redemption before risk is noticed.
Q: What do teams get wrong about fraud detection in loyalty programmes?
A: They often use fraud data only for reporting instead of action.
Practitioner guidance
- Harden sign-up with layered identity proofing: combine breach password checks, phone and email risk scoring, and address verification so bot-created or synthetic accounts are blocked before bonuses are issued.
- Apply adaptive authentication to high-risk logins: use device recognition, anonymous proxy detection, geolocation history, and improbable travel rules to challenge account takeovers before balances are visible.
- Put redemption policies behind step-up controls: require re-authentication for high-value redemptions and flag foreign or unexpected redemption locations so points cannot be cashed out in one burst.
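The three controls above read as separate steps, but they only work when sign-up, login and redemption decisions share one account record so that a new-device login one hour after a London session, followed by a high-value redemption abroad, is seen as a single pattern. The block below is an added illustration written for this editorial; it is not Strivacity's product code, and every threshold (900 km/h plausible-travel ceiling, 5000-point step-up line, 10000 points per hour burst limit), the breached-password digests, the disposable e-mail domains and the `+1555` "VoIP" prefix are constructed assumptions standing in for the breach corpora and phone-intelligence feeds a real deployment would query.

```python
"""Toy loyalty-fraud control pipeline: sign-up screening, adaptive login risk
and step-up redemption policy sharing one account record. Added example; it is
not Strivacity's product code, and every threshold and list is an assumption."""
import hashlib
import math
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: SHA-1 digests of passwords known to be breached.
BREACHED_PASSWORD_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password123", "letmein", "qwerty")
}
DISPOSABLE_EMAIL_DOMAINS = {"mailinator.example", "tempmail.example"}  # constructed
VOIP_PHONE_PREFIXES = ("+1555",)  # constructed: fictional prefix stands in for VoIP ranges

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed: faster than an airliner implies two actors
STEP_UP_POINTS = 5000            # assumed: redemptions at or above this need re-auth
BURST_WINDOW_S = 3600            # assumed: one-hour window for burst detection
BURST_MAX_POINTS = 10000         # assumed: more than this per window is auto-suspended

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

@dataclass
class Account:
    """One record carries signals across sign-up, login and redemption."""
    email: str
    phone: str
    home_country: str
    known_devices: set = field(default_factory=set)
    last_login: Optional[tuple] = None               # (epoch_seconds, lat, lon)
    redemptions: list = field(default_factory=list)  # [(epoch_seconds, points)]

def signup_decision(password, email, phone):
    """Layered registration checks; any hit blocks the account before a bonus is issued."""
    reasons = []
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_PASSWORD_SHA1:
        reasons.append("breached_password")
    if email.rsplit("@", 1)[-1].lower() in DISPOSABLE_EMAIL_DOMAINS:
        reasons.append("disposable_email")
    if phone.startswith(VOIP_PHONE_PREFIXES):
        reasons.append("voip_phone")
    return ("block" if reasons else "allow"), reasons

def login_decision(acct, device_id, at, lat, lon, via_anonymous_proxy=False):
    """Adaptive login: unknown device, anonymous proxy or improbable travel forces step-up."""
    reasons = []
    if device_id not in acct.known_devices:
        reasons.append("new_device")
    if via_anonymous_proxy:
        reasons.append("anonymous_proxy")
    if acct.last_login is not None:
        prev_at, prev_lat, prev_lon = acct.last_login
        hours = (at - prev_at) / 3600.0
        dist = haversine_km(prev_lat, prev_lon, lat, lon)
        # Zero or negative elapsed time with any displacement is also impossible travel.
        speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            reasons.append("improbable_travel")
    return ("step_up" if reasons else "allow"), reasons

def record_login(acct, device_id, at, lat, lon):
    """Call only after the login (and any step-up) succeeded, so history stays trustworthy."""
    acct.known_devices.add(device_id)
    acct.last_login = (at, lat, lon)

def redemption_decision(acct, at, points, country):
    """Redemption policy: suspend on burst; step-up on high value or unexpected location."""
    reasons = []
    recent = sum(p for ts, p in acct.redemptions if 0 <= at - ts <= BURST_WINDOW_S)
    if recent + points > BURST_MAX_POINTS:
        return "suspend", ["burst"]
    if points >= STEP_UP_POINTS:
        reasons.append("high_value")
    if country != acct.home_country:
        reasons.append("foreign_location")
    return ("step_up" if reasons else "allow"), reasons

def record_redemption(acct, at, points):
    acct.redemptions.append((at, points))

if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed timestamp
    acct = Account(email="jane@example.com", phone="+447700900123", home_country="GB")
    print(signup_decision("password123", "x@mailinator.example", "+15550100"))
    record_login(acct, "laptop-1", t0, 51.5074, -0.1278)  # London
    print(login_decision(acct, "phone-9", t0 + 3600, 40.7128, -74.0060))  # New York, 1h later
    print(redemption_decision(acct, t0, 6000, "US"))
```

Two design choices matter more than the thresholds. The `*_decision` functions never mutate the account; `record_login` and `record_redemption` are called only after the challenge succeeds, so an attacker who fails step-up does not get their device or location written into the history that later checks trust. And every decision returns its reason codes rather than a bare yes/no, which is what lets fraud, support and marketing dashboards correlate blocked sign-ups, step-up challenges and suspensions on the same account instead of reporting them as unrelated events.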
What's in the full article
Strivacity's full article covers the operational detail this post intentionally leaves for the source:
- Layer-by-layer sign-up checks for identity proofing, breached password detection, and phone risk evaluation
- Adaptive login controls that use device history, proxy detection, geolocation, and behaviour analytics
- Redemption policies for high-value rewards, including step-up authentication and automatic suspension logic
- Dashboard metrics that help fraud, support, and marketing teams correlate blocked attempts and ATO trends
👉 Read Strivacity's analysis of loyalty reward fraud and customer identity controls: "Loyalty reward fraud in CIAM: where customer controls break down?" →
Explore further
Customer identity is now a financial control surface, not just an access layer. Loyalty programmes turn account access into redeemable value, which means CIAM failures can create direct economic loss, not only bad user experience. When sign-up, sign-in, and redemption are treated as separate events, fraudsters can move through the programme faster than governance can correlate the signals. Practitioners should treat loyalty flows as high-value identity pathways.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how quickly identity blind spots become operational risk.
A question worth separating out:
Q: Who is accountable when loyalty reward fraud spikes?
A: Accountability sits across CIAM, fraud operations, customer support, and programme owners because the issue spans identity proofing, login risk, and redemption governance. A loyalty programme that cannot answer where the control failed is already operating with divided ownership. NIST-CSF-style response and recovery should be assigned before fraud escalates.
👉 Read our full editorial: Loyalty reward fraud exposes customer identity controls at sign-up