Criminals Are Stealing Customers’ Loyalty and Rewards Points

Protect your hard-earned airline, hotel and credit card rewards from theft

Jessica McMaster,

AARP

Comments

Published March 31, 2026

Elena Lacey

In February, Maggie, a 71-year-old retired college professor from Michigan, was mourning the recent loss of her husband, Roy, when she logged in to his email account and stumbled upon an unpleasant surprise.

It was a message confirming his hotel stay in Kentucky for the next week.

Maggie (whose last name we’re withholding to protect her privacy) says she knew that Roy, a retired quality and environmental systems auditor, couldn’t have made the reservation because he had long been too sick to travel. When she explored further, she discovered that his 356,000 Hilton Honors rewards points, held in an account that had been dormant for months, had begun to dwindle on Jan. 20, five days after his death.

Stunned by the apparent theft, she spoke with a representative in the Hilton Honors customer service department who confirmed that most of Roy’s points — equivalent to roughly $2,000 — had been stolen, and in fact, two criminals were using the points at that very moment, in two separate hotels.

The representative was shocked too, Maggie says: “This young woman kept gasping with what she was uncovering.”

If you spot or have experienced a scam

Scams can be reported to local law enforcement or the FBI’s Internet Crime Complaint Center at IC3.gov.

The AARP Fraud Watch Network also offers free and confidential online group support sessions for fraud victims.

The criminals who hacked her husband’s account had changed the email address, presumably diverting Hilton’s account alerts to themselves. Maggie only discovered the fraud because some hotels, including the one in Kentucky, were still using her husband’s original contact method.

The representative added the points back to her husband’s account, but they disappeared almost instantly. “Within a minute or two, they were gone,” she says. At that point, the representative told her the fraud department would take over the case. Maggie’s still waiting for the issue to be resolved.

When AARP reached out to Hilton to ask about the incident and how the company handles loyalty rewards theft in general, Mina Radman, senior manager for corporate communications, offered the following statement:

“At Hilton, the security of Hilton Honors members’ information is of paramount importance, and we regularly review and update our systems with the latest safeguards in accordance with industry practices and applicable laws. We are committed to protecting account information and working with guests to address concerns on a case-by-case basis according to the individual circumstances.”

More than $1 billion is lost annually

What happened to Maggie isn’t an anomaly. Nobody appears to have reliable statistics on these types of crimes because companies define loyalty fraud differently, says Chris Staab, cofounder of Loyalty Security Alliance, an anti-fraud coalition of representatives from the airline industry, among others. But many industry experts estimate that more than $1 billion in rewards points is stolen from consumers every year.

One problem: Unlike bank accounts, rewards accounts are often overlooked.

Most Popular

Kim Sutherland, global head of fraud and identity at LexisNexis Risk Solutions, notes that nearly half of all loyalty accounts are infrequently used and/or go unmonitored for months or even years — resulting in what industry experts estimate is $48 trillion in unspent points currently lingering in consumers’ accounts.

Some people don’t even know they have points, yet they “are sitting on gold mines,” Sutherland says. “There is an entire black market for these points. [Criminals] can convert them into dollars.”

How the scam works

Loyalty program fraud happens when cybercriminals illegally access customer accounts, often through phishing schemes (fraudulent emails, texts or websites designed to trick users into revealing their login credentials) or credential-stuffing attacks, where criminals use automated tools to test millions of stolen username/password combinations from previous data breaches on other sites.

Once inside, the criminals steal points, transfer balances, or redeem points for cash, gift cards or high-value merchandise. Many use bots or scripts to instantly convert points into gift cards or transfer them to other accounts before the victim even notices.

Staab calls account takeovers “a growing problem,” with incidents increasing exponentially over the past two years. He explains that criminals often gain access to loyalty rewards accounts through data breaches.

Join Our Fight Against Fraud

Here’s what you can do to help protect people 50 and older from scams and fraud:

Tell lawmakers to stop criminals from using crypto kiosks to steal from us.
Sign up to become a digital fraud fighter to help raise awareness about the latest scams.
Read more about how we’re fighting for you every day in Congress and across the country.
AARP is your fierce defender on the issues that matter to people 50-plus. Become a member or renew your membership today.

Victims make it particularly easy for criminals by using the same password across accounts (don’t do that!).

Another reason criminals target rewards accounts: They are often less secure than traditional financial accounts (bank accounts, for instance), which are likely to include multi-factor authentication (MFA), although Staab says more companies (such as Delta) are beginning to implement MFA for rewards accounts.

Relentless criminals

One Las Vegas family is well aware of how valuable rewards points are. Jody, who lives in Las Vegas with her husband and two kids, loves to travel and often uses points to do so.

“That’s one of the things we really like to spend our extra money on,” Jody said in an episode of AARP’s The Perfect Scam podcast. “I think it’s a great opportunity to spend time together as a family.”

She explained that they’re able to afford their vacations in part because her husband maximizes their travel rewards points through various loyalty programs with hotels, airlines and credit cards: “He has become a real master of using those to pay for a lot of these trips.”

But in 2023, a criminal hacked into her husband’s credit card account, stole his loyalty rewards points and used them for unauthorized transactions, starting with the purchase of an Apple gift card. Jody’s husband reported the theft to his bank, Chase, which sent him a new credit card, but that didn’t stop the criminals. The points kept decreasing as the hackers again gained access to his account, this time by sending him legitimate-looking messages that appeared to be from Chase (allowing them to bypass the two-factor authentication protecting his account). They somehow managed to do so again, even with a third credit card, until the couple finally transferred the rewards account to Jody.

Meanwhile, their balance had gone from 100,000 points to zero.

The good news: Chase reimbursed them for everything they’d lost.

How to protect your points

Sign up for alerts. Ashwin Raghu, head of scam policy and innovation for Citi, said the best way to protect rewards accounts is to monitor them regularly. He notes that criminals will often log in to people’s email accounts and change their passwords. If you sign up for alerts, you’ll be notified when changes are made. If you notice something isn’t right with your account, contact the loyalty program as soon as possible.

Use different passwords across accounts.

Sign up for multi-factor authentication wherever possible. MFA adds a second layer of protection, such as a one-time code sent to your phone or email.

Avoid linking loyalty programs to retailers. While convenient, these links can make it easier for criminals to quickly spend your points if they gain access.

Watch for social engineering. Scammers may pose as customer support to get your personal information. Don’t provide details in response to unsolicited messages.

%{postComment}%