Cybercriminals are breaking into frequent flyer accounts and selling the miles for cash. Here’s how travelers can arm themselves against attack.
It seems like every other week there’s news of yet another data breach or a Fortune 500 company that has been hit with a cyberattack, but frequent travelers have something cybercriminals want too: their miles.
Most travelers probably don’t think much about their miles until they’re ready to hit the road. And for many, the possibility of someone hacking into their frequent flyer account has likely never crossed their mind. But according to experts, travelers would be smart to monitor their frequent flyer activity as close as they do their bank and credit card accounts.
“The black market for frequent flyer accounts is consistently growing. At least half a dozen online markets have listings created by criminals who have stolen frequent flyer miles . . . and are attempting to resell the miles,” said Justin Lavelle, scams prevention expert with BeenVerified.com, an online background checking source.
Paul Bischoff, a privacy advocate at Comparitech.com, has researched frequent flyer mile theft. He said that Delta SkyMiles and British Airways miles were the most commonly listed on online darknet sites such as Dream Market, Olympus, and Berlusconi Market. Bischoff found that 100,000 British Air miles could be purchased online for around $124.
Travelers are relatively easy targets for scammers, according to Steve Weisman, author of Identity Theft Alert and a professor at Bentley University, where he teaches about white-collar crime. For instance, he noted that frequent flyer accounts are often easy to hack because they don’t use dual factor authentication, which is an extra layer of security beyond just the username, password and PIN. “This kind of theft is easy to accomplish, [it’s] easy to avoid detection and [is] profitable,” Weisman said.
According to Bischoff, that proftitability varies widely by vendor, frequent flyer program, and the manner in which the buyer receives the points. On average, points are sold for about half their legitimate worth, he said.
How it works
People use the same usernames and passwords for multiple accounts and with so many data breaches, a cybercriminal can attempt to access a frequent flyer account by using information obtained from databases that contain those hijacked logins, explained Weisman. Passwords and user names have been stolen from Netflix, LinkedIn, and dating site Zoosk, among others. The thieves then sell the stolen information on black market websites where data and technology are hawked.
Another way that travelers can get duped, according to Lavelle, is they receive a letter via email or a fax from a source they trust like an airline, travel site, or a travel agency. The letter notifies them that they’ve won additional miles or a flight and provides a number to call or a link to follow in order to claim their prize. According to Lavelle, when they call or follow the link, they’ve reached a scammer who will ask them several questions, including for an airline account number and other personal information. The information is then sold to other scammers.
Why target miles?
Many frequent flyer programs allow users to redeem their points for products offered by participating retailers, so identity thieves will often sell or buy miles as a way to cash in on the redeemable points. “Criminals also may redeem the points themselves and then sell the rewards. Russian hackers [reportedly] did this in 2017 by using British Airways miles for flight upgrades, hotels, and rental cars which they then sold to unsuspecting customers on websites that appeared to be legitimate. They also may transfer the miles to a new account that they create and use or sell them,” said Weisman.
- Don’t store or send your frequent flyer account numbers and passwords in email. Email is often hacked, so it’s not a secure place to store sensitive information, including frequent flyer numbers and passwords. If you must have your spouse or partner access your frequent flyer account, it’s better to call him or her instead to provide the credentials, according to Hilary Stockton, CEO of luxury travel company TravelSort.
- Earn and burn. Unlike financial investments and retirement accounts, frequent flyer miles almost never increase in value — rather, they depreciate over time. “For this reason alone, you should be ‘burning’ or redeeming miles regularly from your accounts, not hoarding them only to see them devalued. The side benefit is that you’ll also have fewer miles and points available to steal,” said Stockton.
- Use AwardWallet. This app lets you track your miles and update balances with a single click. You can instantly see changes in your account balance and quickly be alerted to potential fraud. “Monitor airline frequent flyer accounts as close as you would monitor credit card and bank statements,” advised Robert Siciliano, a security analyst with Hotspot Shield, a provider of virtual private network (VPN) technology.
- Shred your boarding pass. Don’t merely throw it away. According to Weisman, the barcode on your boarding pass contains much information, including your frequent flyer account number, that can be used by identity thieves to access your account.
- Don’t use the same password for different accounts. While it’s tempting to use the same password for simplicity’s sake, it means that several accounts become vulnerable if a hacker obtains the login information for one account that is applicable to others. Stockton recommends using longer passwords that include upper-and lowercase letters and numbers, and if needed, using a password manager like LastPass.