Uncovering Bots in eCommerce: Loyalty Points
Published: 06/05/2020

  • Netacea, Agentless Bot Management

On Thursday 14th May, we’re bringing together guest speakers from leading eCommerce organizations to discuss what bots mean for them in 2020, the challenges facing technology leaders and their approaches to managing bot traffic. Ahead of the webinar, we’re giving you a first look at what you need to know about the threat of carding and loyalty points fraud.

What do eCommerce businesses need to know about loyalty points fraud?

Loyalty schemes operated by the eCommerce industry have become so popular that they now represent a billion-dollar industry, with customers earning loyalty points when purchasing goods or services from their favourite brands. Yet financial losses from loyalty card fraud are equally significant — with an estimated $1 billion being stolen every year.

Loyalty programs tend to rely on points or rewards instead of financial transactions. As a result, most loyalty programs don’t benefit from strong data security, nor do customers track their points in the same way that they do their bank balance. Loyalty programs have become an attractive target for cybercriminals and thieves who seek to steal points, which are as good as cash when redeemed where they were earnt.

Loyalty scheme fraud in eCommerce

Retailers must be particularly vigilant to the threat of loyalty points theft. In 2019 alone, there was an 89% increase in loyalty program fraud and a 44% increase in fraud against online apparel and accessories retailers.

Andy Still, CTO at Netacea said:

“People don’t treat loyalty points in the same way as they treat other financial products. When our wallet or purse is stolen or lost, we immediately cancel our credit and debit cards. Our loyalty cards can wait.

“Retailers tend to treat loyalty points in the same way—logging into an account doesn’t have the same level of security, and two-factor authentication is rare.”

Many customers use the same login details for accounts holding loyalty points as for their other accounts. It takes just one of these accounts to be breached for the rest to become vulnerable to attack. And it could take months for the customer to discover their points have been swiped, with most paying less attention to protecting their card or account. The question is, where does responsibility lie: with the customer or the business?

Andy stated:

“Retailers can’t be blamed for lower levels of security. After all, the point of loyalty schemes is to keep the customer engaged and to encourage repeat business. If logging into an account becomes difficult or requires extra steps, people are far less likely to use it.”

Fraudsters steal thousands of Nectar Card points

In 2019, frustrated users of the Nectar Card loyalty scheme found their points stolen and spent. In some cases, customers had lost points to the value of more than £100.

It has been reported that fraudsters managed to illegally acquire a customer’s Nectar card number, change the address in the account, report the card as lost and then get a new card sent to the ‘new’ address and spend the points.

A Nectar spokesperson said:

“We ask customers to report any points they believe are missing from their account so that we can investigate and refund points where the loss is genuine.

“We regularly review our security measures to ensure customers are protected and advise customers to regularly update their passwords and be mindful of increasingly sophisticated phishing attempts from fraudsters.”
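The sequence reported above (address changed, card reported lost, points then spent) can be watched for in account event data. The following is an added example, not part of the original article or of any Nectar or Netacea system; the event names, account IDs, sample events and 14-day window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed account-event log (not real data): (timestamp, account, event).
# Event names are assumptions made for this example.
EVENTS = [
    ("2019-03-01T09:00", "acct-1001", "address_change"),
    ("2019-03-01T09:20", "acct-1001", "card_reported_lost"),
    ("2019-03-06T14:00", "acct-1001", "points_redeemed"),
    ("2019-03-02T10:00", "acct-2002", "address_change"),      # genuine house move
    ("2019-06-15T12:00", "acct-2002", "points_redeemed"),
    ("2019-03-03T08:00", "acct-3003", "card_reported_lost"),  # lost card, same address
    ("2019-03-05T08:00", "acct-3003", "points_redeemed"),
]

CHAIN = ("address_change", "card_reported_lost", "points_redeemed")


def flag_takeover_chains(events, window=timedelta(days=14)):
    """Return accounts where every CHAIN step occurs, in order, within `window`."""
    by_account = {}
    for ts, account, event in sorted(events):
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), event))

    flagged = []
    for account, history in by_account.items():
        # starts[i]: start time of the most recent partial chain matching CHAIN[:i + 1]
        starts = [None] * len(CHAIN)
        for when, event in history:
            if event not in CHAIN:
                continue
            step = CHAIN.index(event)
            if step == 0:
                starts[0] = when
            elif starts[step - 1] is not None and when - starts[step - 1] <= window:
                starts[step] = starts[step - 1]
            if starts[-1] is not None:
                flagged.append(account)
                break
    return flagged
```

Accounts returned here are candidates for holding the replacement card or the redemption until the customer has been contacted at the previous address or through another channel.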

Stopping the bots to stop loyalty points fraud

To successfully acquire loyalty points, attackers must gain access to a customer’s account. Typically, this is achieved with a credential stuffing attack, in which hackers utilize automated bots to carry out thousands of login attempts across a site in a matter of minutes, using credentials acquired in legacy data breaches.

Putting a stop to loyalty points fraud, therefore, requires a sophisticated approach to stopping credential stuffing attacks in their tracks. Your credential stuffing protection must secure login forms on your website, mobile apps and APIs, by detecting and mitigating attacks before they escalate, to prevent the risk of future fraud.
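As an added illustration of the detection side (not from the original article and not Netacea's technology), this code flags a source that tries many distinct usernames with a high failure rate inside a short window, which is the login pattern described above. The thresholds, tuple layout and sample traffic are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_stuffing(attempts, window=timedelta(minutes=5), min_users=20, min_fail_ratio=0.9):
    """attempts: (datetime, source, username, success) tuples sorted by time.
    Returns the sources that, inside any sliding window, tried at least
    `min_users` distinct usernames with a failure ratio >= `min_fail_ratio`."""
    recent = defaultdict(deque)  # source -> attempts still inside the window
    flagged = set()
    for when, source, user, ok in attempts:
        q = recent[source]
        q.append((when, user, ok))
        while when - q[0][0] > window:
            q.popleft()
        users = {u for _, u, _ in q}
        failures = sum(1 for _, _, success in q if not success)
        if len(users) >= min_users and failures / len(q) >= min_fail_ratio:
            flagged.add(source)
    return flagged


def constructed_log():
    """Constructed sample traffic (not real data); addresses are documentation ranges."""
    t0 = datetime(2020, 5, 6, 12, 0, 0)
    log = []
    # One source cycling through 60 usernames in two minutes; two logins succeed.
    for i in range(60):
        log.append((t0 + timedelta(seconds=2 * i), "203.0.113.7", f"user{i}", i in (17, 42)))
    # A customer mistyping their own password three times, then getting in.
    for i in range(4):
        log.append((t0 + timedelta(seconds=30 * i), "198.51.100.23", "alice", i == 3))
    # A shared office address: 25 different users over five hours, nearly all succeed.
    for i in range(25):
        log.append((t0 + timedelta(minutes=12 * i), "192.0.2.50", f"staff{i}", i != 5))
    return sorted(log)


if __name__ == "__main__":
    print(detect_stuffing(constructed_log()))
```

Counting per source address misses attempts spread across many addresses, so the same window can also be keyed on other request attributes such as the user agent.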

At Netacea, we provide a smarter approach to bot management with a solution that solves the complex problem of credential stuffing in a scalable, agile and intelligent manner, across websites, mobile apps and APIs.

Our technology monitors all site visits to a specified path and analyses them in context relative to each of the visitors to the enterprise estate. The technology then automatically learns from the business’ web estate, according to the specified priorities it faces.

As the threat of loyalty point fraud increases, retailers must protect their customer accounts and treat their loyalty point schemes more like bank accounts. It is vital that eCommerce businesses strive to understand bots to protect their customers. To find out why bots are a threat to eCommerce in 2020, join us for the LIVE webinar:

Uncovering Bots in eCommerce

4pm, Thursday 14th May
