Courtesy of Qatar Airways
Courtesy of Shutterstock
Frequent flyer accounts are vulnerable to attack and should be monitored as closely as bank accounts, experts say.
Cybercriminals are breaking into frequent flyer accounts and selling the miles for cash. Here’s how travelers can arm themselves against attack.
It seems like every other week there’s news of yet another data breach or a Fortune 500 company that has been hit with a cyberattack, but frequent travelers have something cybercriminals want too: their miles.
Most travelers probably don’t think much about their miles until they’re ready to hit the road. And for many, the possibility of someone hacking into their frequent flyer account has likely never crossed their mind. But according to experts, travelers would be smart to monitor their frequent flyer activity as close as they do their bank and credit card accounts.
“The black market for frequent flyer accounts is consistently growing. At least half a dozen online markets have listings created by criminals who have stolen frequent flyer miles . . . and are attempting to resell the miles,” said Justin Lavelle, scams prevention expert with BeenVerified.com, an online background checking source.
Paul Bischoff, a privacy advocate at Comparitech.com, has researched frequent flyer mile theft. He said that Delta SkyMiles and British Airways miles were the most commonly listed on online darknet sites such as Dream Market, Olympus, and Berlusconi Market. Bischoff found that 100,000 British Air miles could be purchased online for around $124.
Travelers are relatively easy targets for scammers, according to Steve Weisman, author of Identity Theft Alert and a professor at Bentley University, where he teaches about white-collar crime. For instance, he noted that frequent flyer accounts are often easy to hack because they don’t use dual factor authentication, which is an extra layer of security beyond just the username, password and PIN. “This kind of theft is easy to accomplish, [it’s] easy to avoid detection and [is] profitable,” Weisman said.
According to Bischoff, that proftitability varies widely by vendor, frequent flyer program, and the manner in which the buyer receives the points. On average, points are sold for about half their legitimate worth, he said.
People use the same usernames and passwords for multiple accounts and with so many data breaches, a cybercriminal can attempt to access a frequent flyer account by using information obtained from databases that contain those hijacked logins, explained Weisman. Passwords and user names have been stolen from Netflix, LinkedIn, and dating site Zoosk, among others. The thieves then sell the stolen information on black market websites where data and technology are hawked.
Another way that travelers can get duped, according to Lavelle, is they receive a letter via email or a fax from a source they trust like an airline, travel site, or a travel agency. The letter notifies them that they’ve won additional miles or a flight and provides a number to call or a link to follow in order to claim their prize. According to Lavelle, when they call or follow the link, they’ve reached a scammer who will ask them several questions, including for an airline account number and other personal information. The information is then sold to other scammers.
Many frequent flyer programs allow users to redeem their points for products offered by participating retailers, so identity thieves will often sell or buy miles as a way to cash in on the redeemable points. “Criminals also may redeem the points themselves and then sell the rewards. Russian hackers [reportedly] did this in 2017 by using British Airways miles for flight upgrades, hotels, and rental cars which they then sold to unsuspecting customers on websites that appeared to be legitimate. They also may transfer the miles to a new account that they create and use or sell them,” said Weisman.
Sign up for the Daily Wander newsletter for expert travel inspiration and tips
Please enter a valid email address.