The Rising Threat of Hospitality Fraud: How to Protect Your Customers

It’s 2023. Do you know where your loyalty membership points are? If you’re one of the 45% of consumers with an inactive loyalty program, the answer is likely no — and it’s opening the door to the growing threat of hospitality fraud.

Although fraud is often considered a banking problem, the reward and loyalty membership points offered by hospitality and travel businesses provide equally lucrative opportunities for fraudsters. But unlike banking and other financial accounts, loyalty programs are often not closely monitored and protected, with inactive and insecure reward accounts providing an easy and increasingly popular target for cybercriminals.

So how can hospitality companies prevent this growing threat? This blog will provide background on what’s driving hospitality fraud, the tactics fraudsters use to steal reward points and what businesses can do to protect their customers.

What’s driving the trend in hospitality fraud? 

The rewards points and loyalty program perks associated with hospitality and travel accounts can be redeemed for free hotel stays, discounted flights, upgrades or other valuable services. Additionally, fraudsters can use stolen credit card information linked to these accounts to make fraudulent purchases, often for expensive travel bookings or luxury accommodations.

But although the value of these ill-gotten gains can be substantial, customers may be less likely to tolerate security measures that add friction when accessing hospitality and travel accounts than banking accounts. This in turn causes businesses to prioritize user experience and view security as a compromise. 

In addition, studies of loyalty programs show that 72% of consumers use 50% or less of their traditional memberships, and 31% of consumers use only 25%. Because consumers return infrequently to their sites, they may not notice and report instances of fraud promptly — or ever.  For airlines, hotels and other businesses in the hospitality industry, this means fewer confirmed fraud cases, lowering the bar for fraudsters to wage successful attacks and enabling multiple attempts or even large-scale campaigns to go unnoticed. 

This was especially the case during the pandemic, when hospitality and airline fraud grew exponentially due to a higher rate of inactive accounts and businesses lifting expiration dates for using reward points.  

Examples and statistics for loyalty points fraud

As early as 2017, 60% of airlines reported instances of loyalty program fraud, and the trend has only grown since then. The success of these schemes has caused hospitality fraud to persist even after pandemic-related travel restrictions have lifted, with organized fraud rings and online marketplaces providing easy opportunities for fraudsters to buy and sell reward points online. Recent statistics on airline fraud show it accounts for 46% of fraudulent transactions.

Our Security Research Team found numerous examples of loyalty points fraud on the Internet where miles and points can be sold, as shown below.

Darkweb example of ad selling loyalty points on an online marketplace

And obtaining these loyalty points may be easier for hackers than you might think. In 2023, hacker Sam Curry discovered massive security flaws in Points.com, a platform that handles points transactions for many major airlines. Among other risks, these vulnerabilities allowed access to 22 million orders containing frequent flyer numbers, credit cards and other customer data, the ability to add, remove or transfer points and permissions to modify customer accounts.

Armed with a wealth of customer data and access to customer accounts, fraudsters can exploit a range of tactics that allow them not only to launch attacks, but to scale them to large numbers. At this scale, fraudsters can profit even when selling the points at a substantial discount to their monetary value, making them even more attractive to the criminals who purchase them.

Darkweb example of loyalty points sold at deep discount

Fraud tactics targeting hospitality and travel businesses 

Since airlines and hospitality businesses provide not only a lucrative target for fraud but less opportunity to be detected, fraudsters can employ a range of tactics to steal customers’ reward points and payment credentials. 

Some of the tactics used for hospitality fraud include: 

  • Account takeover: Fraudsters can target individuals’ accounts by gaining unauthorized access to their login credentials through dark web marketplaces, brute force attacks, session hijacking or other methods. Once they have control, they can steal the users’ credit card information or reward points to use or sell. 
  • Fake travel websites: Fraudsters create fraudulent websites that imitate legitimate travel platforms with similar domain names and designs to trick users into entering their credentials onto the site’s fake login form, enabling them to access their victims’ accounts, including their rewards points or payment credentials. 
  • Phony offers: Fraudsters may use ads or phishing emails advertising fake travel deals or exclusive membership perks to entice users into providing payment details or membership information.
  • Ticket cancellations to win flight credits: Fraudsters may use synthetic identity fraud or automation frameworks to enact new account fraud, then exploit cancellation policies to manipulate the system and fraudulently obtain flight credits or other perks without actually completing the intended travel.
  • Mileage fraud: When legitimate users fail to submit their frequent flyer or rewards number on their trips, fraudsters can capitalize on this unclaimed value by applying brute force attacks to all passengers on a recent flight and retroactively claiming the miles through digital channels to earn perks.
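
The mileage fraud pattern above leaves a recognizable trace in claim logs: one client submitting retroactive claims for many different passengers of the same flight, most of them rejected. The following detection sketch is an added example, not code from Transmit Security; the event fields, client keys and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed look-back window
MAX_PASSENGERS = 3            # assumed: distinct passengers one client may claim for per flight
MIN_FAIL_RATIO = 0.5          # assumed: share of rejected claims that indicates guessing

# Constructed sample events: (time, client key, flight, passenger claimed for, outcome)
EVENTS = [
    ("2023-09-01T10:00:00", "client-A", "XY123", "PAX-01", "ok"),
    ("2023-09-01T10:02:00", "client-A", "XY123", "PAX-02", "ok"),
] + [
    # client-B walks the passenger list of one flight; most claims are rejected
    (f"2023-09-01T11:0{i}:00", "client-B", "XY123", f"PAX-1{i}",
     "ok" if i == 4 else "rejected")
    for i in range(6)
] + [
    # client-C (for example a travel agent) claims for a group, all accepted
    (f"2023-09-01T12:0{i}:00", "client-C", "XY123", f"PAX-2{i}", "ok")
    for i in range(5)
]


def flag_retro_claim_enumeration(events):
    """Return {(client, flight): summary} for clients that submit retroactive
    claims for many distinct passengers of one flight, mostly rejected."""
    by_key = defaultdict(list)
    for ts, client, flight, passenger, outcome in events:
        by_key[(client, flight)].append((datetime.fromisoformat(ts), passenger, outcome))

    flagged = {}
    for key, rows in by_key.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > WINDOW:  # slide the window forward
                start += 1
            in_window = rows[start:end + 1]
            passengers = {p for _, p, _ in in_window}
            failures = sum(1 for _, _, o in in_window if o != "ok")
            if len(passengers) > MAX_PASSENGERS and failures / len(in_window) >= MIN_FAIL_RATIO:
                flagged[key] = {"passengers": len(passengers), "failures": failures}
                break
    return flagged


if __name__ == "__main__":
    for key, summary in flag_retro_claim_enumeration(EVENTS).items():
        print(key, summary)
```

The failure-ratio condition is what keeps the group booking (client-C) from being flagged alongside the enumeration (client-B); counting distinct passengers alone would catch both.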

How to deliver strong UX while reducing hospitality fraud  

To solve the problem of reward program fraud, hospitality and travel companies need to invest in solutions that leverage fraud detection to deliver better user experiences, rather than viewing UX and security as a necessary tradeoff. 

Some of the services that can be used to optimize both UX and security include:

  • strong authentication with non-phishable credentials, including passkeys, which replace cumbersome passwords and OTPs with biometric authentication 
  • fraud prevention that delivers risk and trust signals with a high level of assurance, allowing businesses to reduce friction for trusted customers by extending sessions or reducing two-factor authentication 
  • identity verification that could be used to validate customers’ passports for pre-onboarding identity checks 
  • identity orchestration that allows businesses to A/B test and optimize the order in which fraud detection solutions are invoked, maximizing performance while strengthening security  
  • data validation that passively detects account opening fraud by running concurrent checks on email and phone reputation, names, and other data entered into registration forms without introducing additional friction 

Transmit Security provides a natively integrated platform purpose-built for customer identity security, enabling businesses to not only protect their reward programs and member points from fraud, but simplify fraud analysis, consolidate vendors and strengthen the implementation of passkeys and other security measures. To find out more about how Transmit Security can help protect hospitality and travel companies from the growing threat of rewards program fraud, contact a sales representative or read our case study about fraud detection with Transmit Security.

Authors

  • Danny Kadyshevitch, Senior Product Manager

    Danny Kadyshevitch is a Senior Product Manager at Transmit Security. He previously built and led product management for the company's Passwordless and MFA Services and now runs product management for Account Protection Services. Prior to Transmit Security, Danny gained essential experience in cyber security, serving in the 8200 intelligence unit of the IDF and spending 7 years in Microsoft's Cloud Security division.

  • Rachel Kempf, Senior Technical Copywriter

    Rachel Kempf is a Senior Technical Copywriter at Transmit Security who works closely with the Product Management team to create highly technical, narratively compelling assets for customers and prospects. Prior to joining the team at Transmit Security, she worked as Senior Technical Copywriter and Editor-in-Chief for Azion Technologies, a global edge computing company, and wrote and edited blog posts and third-party research reports for Bizety, a research and consulting company in the CDN industry.