Loyalty programs collectively hold over $500 billion in unredeemed value. Fraudsters treat that balance sheet like a target. The Loyalty Research Center and Javelin Strategy jointly estimate that loyalty fraud costs the industry $3.2 billion annually — and that number is growing faster than the programs themselves.
Airlines don't advertise when a fraud ring drains 2 million miles from a batch of customer accounts. Hotels don't issue press releases when scripted account takeovers redeem entire point balances for gift cards. The losses are absorbed quietly, often written off as "program costs," and the customers who lose years of hard-earned miles are left fighting customer service queues for weeks.
Loyalty fraud is the biggest fraud category that tech security teams systematically underinvest in. It lives in the gap between payment security (well-funded) and account security (modestly funded), and because the stolen commodity is points rather than dollars, the urgency rarely matches the scale.
It's time to talk about it properly.
Why Loyalty Points Are a Tier-1 Target
Three properties make loyalty currencies uniquely attractive to fraudsters, and collectively they explain why the problem keeps growing.
Liquidity. Airline miles and hotel points can be converted to real economic value in dozens of ways: flight bookings, hotel stays, gift cards, merchandise, and increasingly, cash equivalents through partner networks. Delta SkyMiles can be used to buy Amazon products. Marriott Bonvoy points convert to gift cards for hundreds of retailers. The route from stolen points to untraceable cash is well-established, with brokers on dark-web forums offering immediate liquidity for points balances at 40–70% of face value.
Reversibility asymmetry. When a credit card is stolen, the bank reverses the transaction and the fraudster gets nothing. When loyalty points are redeemed by a fraudster, the airline has already issued a ticket or the hotel has already been occupied. Clawback is technically possible but operationally painful — it requires coordinating with redemption partners, cancelling issued tickets, and absorbing the liability. Many programs cap reversals at a few incidents per year per account, which means fraudsters who work below that threshold keep their gains.
Global transferability. A stolen credit card number is useful only until it's cancelled. A stolen loyalty account remains valid until the rightful owner notices — often weeks or months. During that window, points can be transferred to "family sharing" accounts, redeemed for e-vouchers, or converted to partner currencies in other programs. The fraudster can monetize across jurisdictions with no single transaction large enough to trigger an alert.
The Four Attack Vectors Driving Most Losses
1. Credential stuffing at scale. This is the dominant vector, accounting for an estimated 60–70% of loyalty account takeovers. Fraudsters acquire credential databases from unrelated breaches — the kind that exposed billions of email/password combinations from services like LinkedIn, Adobe, or any of the hundreds of mid-tier breaches — and run them against loyalty app login endpoints using automated tools.
Password reuse rates among loyalty program members are higher than the average for the broader consumer population, partly because loyalty accounts feel "low stakes" — members don't treat their airline miles account with the same password hygiene as their bank. A single credential stuffing campaign targeting a major airline's loyalty portal can yield thousands of valid account takeovers from a database of 10 million credential pairs, simply because the airline's members overwhelmingly reuse passwords they've used elsewhere.
2. SIM swapping to bypass 2FA. Many loyalty programs added SMS-based two-factor authentication after credential stuffing became widely known. SIM swapping — convincing a mobile carrier to transfer a victim's phone number to a fraudster-controlled SIM — bypasses SMS-based 2FA entirely. The attacker requests a password reset, receives the OTP on their spoofed SIM, resets the password, and gains full account access.
SIM swapping attacks against loyalty program members have been documented at American Airlines, Delta, and multiple hotel chains. The attack is particularly effective because loyalty program customer service teams are often trained to be helpful rather than skeptical — a social engineering call requesting "I lost my phone, please reset my account" can bypass security protocols that would stop automated attacks cold.
3. Synthetic account creation and promo abuse. Many loyalty programs offer significant signup bonuses — 50,000–100,000 miles for new credit card signups, double points on first stays, referral bonuses of 5,000–10,000 miles per referral. Fraudsters create synthetic accounts at scale using fake identities (generated names, addresses from data enrichment APIs, virtual debit cards for credit card signups) and systematically harvest these bonuses.
A single operator creating 1,000 synthetic accounts with a 60,000-mile signup bonus harvests 60 million miles — worth $240,000–$720,000 at dark-market rates, for an investment of perhaps $10,000 in infrastructure and fraudulent card applications. Referral programs are especially vulnerable: an account that refers 200 synthetic sub-accounts at 10,000 miles each earns 2 million miles before the fraud is detected.
4. Point reselling through grey-market brokers. A grey economy of point brokers operates semi-openly online, offering to "buy miles" or "sell miles" at below-face-value rates. While some of this activity is technically program-violating but not criminal (members selling their own miles), a substantial portion involves monetizing stolen points through these brokers. The broker doesn't ask questions about provenance; they issue PayPal or crypto payments and relist the miles to budget travelers at a markup. Tracing the chain back to the original fraud is difficult once the points have passed through a broker.
How Residential Proxies Make Account Takeover Invisible to Traditional Defenses
The standard defense against credential stuffing — IP-based rate limiting — fails against modern attack infrastructure for the same reason it fails against card testing bots. Attackers route each login attempt through a different residential IP address, making each attempt look like a distinct household.
A credential stuffing campaign against a loyalty portal using a residential proxy network generates a traffic pattern that looks, at the IP level, like slightly elevated organic traffic from home broadband subscribers across the country. No single IP exceeds the rate threshold. Geographic distribution looks normal. The only anomaly is that login success rates are unusually high — but that anomaly requires cross-session analysis to detect, which most IP-based defenses don't do.
This creates a detection gap that only closes when you move from IP-level analysis to device-level and behavioral analysis.
The Signals That Betray Loyalty Fraud Bots
Device intelligence and behavioral analysis reveal the attack patterns that IP analysis misses entirely.
Impossible travel. A legitimate account holder logs in from Chicago one day and London the next — that's normal travel. A fraudster logging into 47 accounts in 90 minutes from 47 different "residential" IPs spanning 12 US states is not travel — it's a proxy network. Cross-account velocity on a persistent device identifier exposes this pattern even when each individual login appears geographically plausible.
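The detection gap described in the residential-proxy section, and the cross-account velocity signal above, can both be shown on a handful of login events. The following is an added example, not code from the original article and not Sentinel's own analysis; the event fields, the "visitor_id" device identifier and the sample data are constructed. Per-IP rate limiting sees every IP once and flags nothing, while grouping the same events by the persistent device identifier shows one device touching sixteen accounts inside an hour.

```python
# Added example (not Sentinel's code): cross-session login analysis that
# compares per-IP rate limiting with per-device account velocity.
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 5, 1, 9, 0, 0)  # constructed timestamp origin

# Constructed sample events. "vis-A" is one device rotating through a fresh
# residential IP on every attempt; vis-B and vis-C are ordinary members.
EVENTS = [
    {
        "ts": BASE + timedelta(minutes=4 * i),
        "ip": f"73.12.{i}.10",                   # a different "home" IP each time
        "visitor_id": "vis-A",                   # persistent device identifier
        "account": f"member{i:03d}@example.com",  # a different victim each time
        "success": i % 2 == 0,
    }
    for i in range(20)
] + [
    {"ts": BASE + timedelta(minutes=5), "ip": "98.1.1.5", "visitor_id": "vis-B",
     "account": "alice@example.com", "success": True},
    {"ts": BASE + timedelta(minutes=7), "ip": "98.1.1.5", "visitor_id": "vis-B",
     "account": "alice@example.com", "success": True},
    {"ts": BASE + timedelta(minutes=30), "ip": "24.9.9.9", "visitor_id": "vis-C",
     "account": "bob@example.com", "success": False},
    {"ts": BASE + timedelta(minutes=31), "ip": "24.9.9.9", "visitor_id": "vis-C",
     "account": "bob@example.com", "success": True},
]


def _max_in_window(stamps, window):
    """Largest number of sorted timestamps that fall inside any sliding window."""
    best, start = 0, 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def ips_over_rate_limit(events, window=timedelta(minutes=60), limit=10):
    """Classic defense: IPs with more than `limit` attempts in any window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    return {ip for ip, stamps in by_ip.items()
            if _max_in_window(sorted(stamps), window) > limit}


def visitors_with_account_velocity(events, window=timedelta(minutes=60), limit=15):
    """Device-level defense: distinct accounts touched per visitor id inside any
    window. Returns {visitor_id: peak distinct accounts} for ids over `limit`."""
    by_visitor = defaultdict(list)
    for e in events:
        by_visitor[e["visitor_id"]].append((e["ts"], e["account"]))
    flagged = {}
    for vid, rows in by_visitor.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            distinct = len({acct for _, acct in rows[start:end + 1]})
            if distinct > limit:
                flagged[vid] = max(flagged.get(vid, 0), distinct)
    return flagged


def analyze(events):
    """Run both checks so the contrast is visible in one call."""
    return {
        "ips_flagged": ips_over_rate_limit(events),
        "visitors_flagged": visitors_with_account_velocity(events),
    }


if __name__ == "__main__":
    print(analyze(EVENTS))  # IP check: empty set; visitor check: {'vis-A': 16}
```

The window logic is the same in both functions; the only thing that changes is the key you group on. That is the whole point of the residential-proxy problem: the attacker controls the IP key, so the grouping has to move to something they cannot cheaply rotate.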
Device fingerprint mismatch. If an account was established over 3 years with logins consistently from an iPhone 15 on T-Mobile in Seattle, a login attempt from a Windows browser using a freshly-generated fingerprint with Ukrainian system locale settings should raise immediate flags. Antidetect browsers trying to spoof a "normal" desktop device leave forensic traces — inconsistent sub-surface signals between the declared browser environment and what the rendering engine actually reports.
Automation timing signatures. Human login flows have characteristic timing distributions: time-to-first-keystroke, inter-keystroke intervals, form submission latency, scroll behavior on the post-login page. Bots submit forms with sub-100ms field completion times and zero mouse movement. Even bots designed to inject timing delays produce distributions that deviate from organic human input when analyzed at the cohort level.
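The two timing checks above, a per-session threshold and a cohort-level distribution test, as an added example that is not part of the original article and not Sentinel's code. The session records, the "cohort" key (here a visitor id) and all timing values are constructed; a real frontend would capture the keystroke intervals itself.

```python
# Added example (not Sentinel's code): per-session and cohort-level timing
# signatures for login forms. All sessions below are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Inter-keystroke intervals and submit latency in milliseconds. The "cohort"
# is the persistent visitor id the sessions were observed on.
SESSIONS = {
    "human-1": {"cohort": "vis-h1", "submit_ms": 310,
                "inter_key_ms": [140, 95, 210, 120, 180, 160, 90]},
    "human-2": {"cohort": "vis-h2", "submit_ms": 450,
                "inter_key_ms": [110, 130, 260, 80, 150, 200, 170]},
    # script that fills every field at once
    "bot-raw": {"cohort": "vis-r", "submit_ms": 12,
                "inter_key_ms": [0, 0, 0, 0, 0, 0, 0]},
    # scripts that inject a ~150 ms delay with a little jitter
    "bot-jitter-1": {"cohort": "vis-x", "submit_ms": 300,
                     "inter_key_ms": [150, 152, 149, 151, 150, 148, 153]},
    "bot-jitter-2": {"cohort": "vis-x", "submit_ms": 302,
                     "inter_key_ms": [151, 149, 150, 152, 148, 150, 151]},
    "bot-jitter-3": {"cohort": "vis-x", "submit_ms": 298,
                     "inter_key_ms": [149, 150, 152, 150, 151, 149, 148]},
}


def field_completion_ms(session):
    """Time from the first to the last keystroke across the credential fields."""
    return sum(session["inter_key_ms"])


def flag_fast_sessions(sessions, min_ms=100):
    """Per-session rule: a form completed in under min_ms was not typed by hand."""
    return {sid for sid, s in sessions.items() if field_completion_ms(s) < min_ms}


def coefficient_of_variation(samples):
    """Spread relative to the mean; 0.0 for an all-zero sample set."""
    m = mean(samples)
    return 0.0 if m == 0 else pstdev(samples) / m


def flag_low_variance_cohorts(sessions, min_samples=10, max_cv=0.15):
    """Cohort rule: pool intervals per cohort. Human typing spreads widely
    (CV around 0.3 in the samples above); injected delays cluster tightly
    even when each session passes the per-session threshold."""
    pooled = defaultdict(list)
    for s in sessions.values():
        pooled[s["cohort"]].extend(s["inter_key_ms"])
    return {cohort for cohort, xs in pooled.items()
            if len(xs) >= min_samples and coefficient_of_variation(xs) <= max_cv}


if __name__ == "__main__":
    print(flag_fast_sessions(SESSIONS))          # {'bot-raw'}
    print(flag_low_variance_cohorts(SESSIONS))   # {'vis-x'}
```

The jittered bots each look plausible on their own (about a second of typing, a 300 ms submit), which is why the per-session rule misses them; pooling twenty-one intervals from the same device gives a coefficient of variation near 0.01, far below anything a human produces. The `min_samples` floor keeps single short sessions from being judged on too little data.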
Session graph anomalies. Synthetic accounts created for promo abuse often share infrastructure — the same device fingerprint used to create 300 accounts, the same email-domain pattern, the same billing address format (procedurally generated). Graph-based analysis of account relationships surfaces these clusters even when surface-level signals have been carefully spoofed.
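The graph-based clustering above, as an added example that is not part of the original article and not Sentinel's code. Accounts are linked when they share a device fingerprint (a strong key) or when they share both an email-address pattern and a billing-address shape (two weak keys together), then connected components above a size threshold are reported. The account records, fingerprints and identities are constructed; the field names are assumptions.

```python
# Added example (not Sentinel's code): cluster signup accounts that share
# device or identity-generation infrastructure. All records are constructed.
import re
from collections import defaultdict

ACCOUNTS = [
    # synthetic cluster: two devices, identities from one generator
    *[{"id": f"syn-{i}",
       "fingerprint": "fp-3a9c" if i < 4 else "fp-b771",
       "email": f"user{1000 + i * 37}@promomail.example",
       "address": f"{400 + i * 12} Oak St Unit {i + 1}"} for i in range(8)],
    # ordinary members
    {"id": "alice", "fingerprint": "fp-0001",
     "email": "alice.j@gmail.com", "address": "12 Rose Lane"},
    {"id": "bob", "fingerprint": "fp-0002",
     "email": "bob_87@gmail.com", "address": "900 5th Ave Apt 4B"},
    {"id": "carol", "fingerprint": "fp-0003",
     "email": "carol@carolsmith.example", "address": "77 Harbor Rd"},
]


def shape(text):
    """Collapse letter runs to 'a' and digit runs to '#', so procedurally
    generated values such as 'user1037' and 'user1259' get the same shape."""
    s = re.sub(r"[a-z]+", "a", text.lower())
    return re.sub(r"\d+", "#", s)


def email_pattern(email):
    """Local-part shape plus the literal domain, e.g. 'a#@promomail.example'."""
    local, _, domain = email.partition("@")
    return f"{shape(local)}@{domain}"


class UnionFind:
    """Minimal disjoint-set structure for connected components."""

    def __init__(self, items):
        self.parent = {x: x for x in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def suspicious_clusters(accounts, min_size=5):
    """Return sorted account-id clusters of at least min_size members."""
    uf = UnionFind([a["id"] for a in accounts])
    by_strong = defaultdict(list)  # same device fingerprint: link directly
    by_weak = defaultdict(list)    # same email pattern AND address shape: link
    for a in accounts:
        by_strong[a["fingerprint"]].append(a["id"])
        by_weak[(email_pattern(a["email"]), shape(a["address"]))].append(a["id"])
    for bucket in list(by_strong.values()) + list(by_weak.values()):
        for other in bucket[1:]:
            uf.union(bucket[0], other)
    components = defaultdict(list)
    for a in accounts:
        components[uf.find(a["id"])].append(a["id"])
    return sorted(sorted(c) for c in components.values() if len(c) >= min_size)


if __name__ == "__main__":
    print(suspicious_clusters(ACCOUNTS))  # one cluster of syn-0 .. syn-7
```

Requiring two weak keys together is deliberate: address shape alone would link alice and carol ("# a a"), and an email pattern alone would link most users of a big mail provider. The fingerprint bridges the two halves of the synthetic cluster, and the shared identity pattern bridges the two fingerprints, which is the layered view the paragraph above describes.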
How Sentinel's API Catches Loyalty Fraud in Real Time
Sentinel integrates into loyalty platform login, account creation, and redemption endpoints via a frontend SDK and a backend evaluate call. On every sensitive action — login, password reset, points redemption, transfer initiation — the platform evaluates the session before executing the action.
Here's an example integration at the loyalty account login endpoint:
```python
# Python / Flask — loyalty portal login handler
from flask import Flask, request, jsonify
import requests

app = Flask(__name__)

# get_login_count_for_visitor and authenticate_user are the application's own
# helpers (session store lookup and credential check); they are not shown here.


def check_sentinel(sentinel_token, user_id=None):
    # Evaluate the session with Sentinel before the credential check runs
    response = requests.post(
        'https://sntlhq.com/v1/evaluate',
        headers={
            'Authorization': 'Bearer sk_live_YOUR_SENTINEL_KEY',
            'Content-Type': 'application/json'
        },
        json={
            'token': sentinel_token,  # from frontend SDK
            'event': 'account.login',
            'userId': user_id  # optional: link to your user ID
        },
        timeout=2
    )
    return response.json()


@app.route('/login', methods=['POST'])
def login():
    sentinel = check_sentinel(
        request.json.get('sentinelToken'),
        user_id=request.json.get('email')
    )

    # Block obvious automation
    if sentinel['signals']['isBot']:
        return jsonify({'error': 'access_denied'}), 403

    # Flag high-risk sessions for step-up auth
    if (sentinel['signals']['isResidentialProxy'] and
            sentinel['signals']['browserTamperingScore'] > 0.6):
        # Require email OTP instead of proceeding directly
        return jsonify({
            'status': 'step_up_required',
            'challenge': 'email_otp'
        }), 200

    # Check cross-account velocity on this device
    visitor_id = sentinel['visitorData']['visitorId']
    recent_logins = get_login_count_for_visitor(visitor_id, minutes=60)
    if recent_logins > 15:
        # This device has hit 15+ accounts in an hour — credential stuffing
        return jsonify({'error': 'too_many_attempts'}), 429

    # Normal flow — proceed with credential check
    user = authenticate_user(
        request.json['email'],
        request.json['password']
    )
    # ...
```
The persistent visitorId is the key signal for cross-account velocity. It survives IP rotation, incognito mode, and device fingerprint spoofing well enough to reliably link sessions from the same underlying device — so even if a credential stuffing bot rotates through 50 residential IPs, the visitor ID reveals that the same device is behind all 50 login attempts.
Loyalty platforms integrating Sentinel at login and redemption endpoints typically report a 75–90% reduction in account takeover incidents and a significant reduction in promo abuse, as synthetic account clusters sharing device infrastructure are flagged during account creation.
"We were absorbing roughly $180,000 per quarter in loyalty point reversals before we started blocking at the device level. Within 60 days of integration, that number dropped to under $20,000. The attacks didn't go away — they just stopped succeeding." — Head of Fraud, mid-size hotel loyalty program (name withheld)
The Broader Cost: Why Loyalty Fraud Is Harder to Quantify Than It Looks
The $3.2B annual estimate from the Loyalty Research Center captures direct fraud losses — stolen points, promo abuse, unauthorized redemptions. It doesn't fully capture the indirect costs that fraud teams rarely attribute to fraud: the customer service burden of account recovery requests, the churn caused by members who had bad fraud experiences and stopped engaging with the program, the brand damage when loyalty fraud makes headlines, or the cost of the increasingly restrictive policies (blackout dates, transfer limits, expiration acceleration) that programs introduce to limit fraud exposure, which also limit member satisfaction.
The right frame for loyalty fraud is not "fraud loss as a percentage of program liability" — it's "what is this costing us in member trust, and what would it cost to fix it properly?" The answer to the latter question is almost always a fraction of the ongoing fraud loss.