#584: You Can’t Avoid Loyalty Fraud, But You Can Attempt to Manage It

Michael Smith, from AI Events, is co-founder of the Loyalty Security Alliance.

He talks through the definition of fraud and the difference between traditional fraud and account takeovers. He also explains the different stages of fraud: prevention, detection and post-fraud recovery for customers. Fascinatingly, we discuss who the fraudsters are, from customers to staff, bots and criminal gangs.

Hosted by Amanda Cromhout

Show notes:

1) Michael Smith

2) Loyalty Security Alliance.

3) The Paypers

Audio Transcript

Paula: Hello and welcome to Let’s Talk Loyalty, an industry podcast for loyalty marketing professionals. I’m Paula Thomas, the founder and CEO of Let’s Talk Loyalty, and also now, Loyalty TV. Today’s episode is hosted by Amanda Cromhout, the founder of Truth, an international loyalty consultancy, and the author of the book Blind Loyalty: 101 Loyalty Concepts, Radically Simplified.

If you work in loyalty marketing, you can watch our latest video interviews every Thursday on www.loyalty.tv. And of course, you can also listen to Let’s Talk Loyalty every Tuesday, every Wednesday, and every Thursday to learn the latest ideas from loyalty experts around the [00:01:00] world.

Amanda: Hi, I’m Amanda Cromhout from Truth. And today I have the absolute pleasure of talking with Michael Smith. Michael works at AI Events and is the co-founder of the Loyalty Security Alliance. He’s also affectionately known as the Chief Fraud Officer. I would like to add, I think he’s affectionately known as the Chief Fraud Officer for the world of loyalty, not just the company he works in.

What Michael shares with us in today’s Let’s Talk Loyalty podcast covers the different types of fraud, traditional fraud through to account takeover, much more prominent in our digital world. He also talks through the different stages of fraud, whether it’s prevention, detection, or recovery in customer experience post fraudulent activity.

And Michael also explains who are the main fraudsters. Are they staff? Are they customers? Are they bots? Are they criminal groups? Or are they all of [00:02:00] the above? So today’s Let’s Talk Loyalty show is extra special. And am I allowed to say that? Well, I’m gonna say it anyway. You’re not supposed to have favorites, but I’ve been wanting to have this discussion for a very long time.

So today I introduce to you Michael Smith. He works at AI Events, and AI standing for airline information, not the AI we normally all talk about. And he is the co-founder of the Loyalty Security Alliance. And Michael admitted to me he’s also named the Chief Fraud Officer, which is exactly why we’re talking today.

So bit of a long introduction there, Michael, but welcome to Let’s Talk Loyalty.

Michael: But I’m absolutely delighted to be here and Chief Fraud Officer doesn’t mean I’m the person who’s chiefly doing fraud.

Amanda: I love it. Great. Well, that frames the conversation beautifully, I think. So we’ll go straight into it, Michael.

So as I think you know, because you’re [00:03:00] an avid fan of Let’s Talk Loyalty, there’s always a first question. So I’m going to go straight into it. What is your favorite loyalty program? And actually, I will just let the audience know that you were trying to get me to second guess based on some clues you’d given me on a previous discussion, but I still haven’t got there.

So please share with us what’s your favorite loyalty program.

Michael: You know, it’s one of those bits where I think it’s a really interesting question. Uh, and the, the one I’ve selected is probably going to be a bit of a surprise. Uh, so, uh, here in the UK, uh, and in some other, uh, parts of the world, uh, there are a number of, uh, discount supermarkets.

So the, one of the German ones is Lidl, uh, and, uh, they launched their loyalty program, I think maybe about 18 months ago. Uh, and I’m going to say that one. And my reason is twofold, uh, uh, one, uh, is it’s really well designed, [00:04:00] uh, and in engaging. So it’s, uh, it’s very easy to get the rewards. It’s not points based, it’s spend based.

So once you hit a number of, uh, spend thresholds, it triggers rewards and they really engage you, uh, with things like, uh, scratch cards after you’ve been, uh, shopping. And, uh, they also have, uh, kinda like their, their months where it’s bakery items or it’s, uh, fruit and veg, uh, uh, where you are guaranteed to win something.

Uh, and my seven and 5-year-old nieces, uh, love. Playing with those particular bits in the app. So it, uh, it hits everything, I think, in good program design.

Amanda: Stunning, and I think that’s probably why you’re asking me to try and guess it, because, you know, I’m passionate about customer engagement, so I love that.

I’m actually not, obviously, I’m, I have a British accent, but I’m not in the UK, so I’m not a user of it, so it’s great to hear about it. Thank you for sharing. So. [00:05:00] So we realized as our paths have crossed over the last couple of years that we were both at British Airways at the same time, which seems to happen with quite a few people I speak to in the loyalty world.

Um, but I think it’d be really interesting, Michael, if you can just share with the audience of Let’s Talk Loyalty, who are obviously a global audience. What, what is, how has your career sort of weaved its way around the world for you to end up with this wonderful title we’ve just announced, Chief Fraud Officer.

And that’s not Chief Fraud Officer, I think it’s AI events. I’m going to say almost Chief Fraud Officer for the World of Loyalty. So take us through your career and let us get a sense of how you come about, you know, in this situation as you are now.

Michael: Well, all those years ago when we were a pretty sure race.

Uh, it, uh, uh, BA really was ahead of its, uh, time, uh, uh, in those days. And they were looking to get more into financial services and retailing and to make, [00:06:00] uh, better use of, uh, the executive club, uh, which is their loyalty program. And, uh, I, I ended up through all of that, uh, looking after, uh, everything that wasn’t a non-air partner, uh, for the frequent flyer program.

which was a very interesting place to be. And post British Airways, I ended up doing a bit of consulting and that bit of consulting led me into a running event. So it was initially payments and fraud, which is how I ended up doing this kind of fraud gig. Um, I came across a Qantas frequent flyer, uh, in about 2011, 2012, uh, who’d had his, uh, account totally cleared out, uh, and the points all turned into a flat screen TV, which wasn’t delivered to his house.

And I, I suggested to my business partner because my day job is [00:07:00] running payments and fraud events and running loyalty events and salaries focused on airlines and travel. And of course, I’ve been blogging about it. So my name was the first on the first page of Google. So I did that first presentation, which led to about 30 workshops around the world with airlines, hotels, bank programs, anybody that had a substantial program and was seeing some of these loyalty fraud issues.

And, and that has come to fruition. It’s kind of led us to myself and my business partner on AI Events to set up the Loyalty Security Alliance and our aim here is really just to be able to share best practice. Uh, and help people, uh, out, uh, whenever they come across, uh, the fraudsters, uh, uh, operating on their program.

Amanda: Yeah. Amazing. Amazing. It is incredible that just a good few blogs on a [00:08:00] subject can get, get that, uh, Google rating up, but fantastic. And I, I mean, I, I was half joking, but not joking at all, really, Michael, when I said I’m so looking forward to this discussion because it’s a passionate subject, I think, um, for any loyalty individual, but it is great to see how your career started off back in the traditional, you know, loyalty FFP environment and ancillary partners and so forth. So you’ve really got a sense of how important this is and how, how super dangerous that can be, whether it’s for the brand itself or their partners.

So, yeah, so let’s, let’s, I think go straight into the discussion. I mean, this is, this is going to go really into some of the detail that I think so many loyalty professionals struggle with on a day to day basis. That’s definitely the conversations I have with professionals out there all over the globe.

So, you know, I, I know for a fact, there’s not just a single type of fraud. So please, [00:09:00] could you take us through your view of the different types of fraud and how they differ and, you know, what, what are the things that practitioners need to look out for?

Michael: I think the, the first thing, uh, uh, practitioners need to, uh, get their head around is kind of what is fraud.

Uh, you know, if, uh, you know, if I was a lawyer, uh, they would, uh, you know, start pointing to all sorts of statutes and, uh, this and that, the different types of, uh, fraud, uh, that exists. And, uh, uh, you know, uh, when I Googled that to try and get a definition, uh, uh, boy, does that go on for, uh, uh, thousands of pages.

I, and I think, with my Loyalty Security Alliance hat on, we’ve kind of come up with a working definition of fraud, which is where someone’s getting a benefit from your program that the program isn’t designed to deliver. [00:10:00] And if program managers, you know, take a moment or two, whenever they’re thinking about a new benefits.

Uh, when they’re thinking of adding, uh, you know, changes to, uh, you know, what they’re offering, uh, or when they’re launching a new program, uh, to think that, well, perhaps not everybody is honest, uh, and, uh, you know, might perhaps game the system, you know, so you get into some interesting bits about what’s gaming and what’s fraud.

But if you take that kind of broad definition of someone getting a benefit That you didn’t design the program for. So I’ll give you, you know, a good, uh, uh, interesting bit of this. So since the program started, uh, I’m fairly sure, uh, that way back in the day, someone was trying to, uh, you know, print green, green shield stamps, uh, to try and defraud that program 60 years ago, whenever it was [00:11:00] popular here in the UK.

Uh, and, uh, You know, so when the programs first started, uh, you know, the good old double dipping, uh, and, you know, that’s what we kind of refer to the LSA as traditional fraud. So the, the, the things that have been here since, uh, uh, the time, uh, immemorial, uh, so think of the cashier, uh, in the supermarket using their, uh, loyalty card, uh, to, uh, you know, swipe, uh, whenever the customer doesn’t, uh, uh, you know, uh, use their card.

So it’s that type of thing. So those traditional frauds have been around for quite a long while. And, uh, The, you know, and if I take that double dipping as one example, so, uh, for people who are not familiar, uh, with that airline programs, that’s them trying to claim miles, uh, for one flight, but in two different loyalty programs, uh, those are relatively easy to spot if you’ve set up your reporting, uh, [00:12:00] systems, correct.

Same with the, uh, the supermarket cashier, uh, you know, one person can’t have that many transactions in one day. So, uh, those are all, uh, uh, you know, ways that you can start to detect that. But what happened, uh, with the kind of proliferation of our digital world, uh, is this account takeover. And it doesn’t just apply to, uh, loyalty, uh, programs, uh, it applies to anywhere where there’s a, a digital account that’s got any value in it.

But what’s interesting, uh, is the fraudsters realized that it was easier to get into a loyalty account and cash those out than it was to get into a bank account. So security wasn’t something that, uh, you know, if you take many of, uh, you know, the U.S. hotel or loyalty or airline loyalty programs, for many years, uh, they had a four digit pin. [00:13:00]

Uh, you know, that was very simple to get in, uh, and it wasn’t something, you know, if you’re running a loyalty program, uh, the vast majority of the time, you’re more interested in what are the features and the benefits, what’s the take up, uh, uh, to your, you know, what’s the engagement with the consumer, uh, you’re not thinking about fraud.

Uh, and, uh, you know, people stealing all of these things, uh, so you’re not necessarily thinking the way someone who would be running, uh, you know, uh, a bank program might be. And, uh, this, with our move to smartphones and everything digital, uh, the fraudsters realized that, uh, this was easy pickings and, uh, they, through a number, a vast number of ways, uh, were able to get in and take these accounts and cash out, uh, the, uh, type of people who are behind some [00:14:00] of this, you can probably split them into two broad groups.

First is, uh, what, uh, in the card not present, uh, you know, so in the e commerce world where you’re paying, uh, they refer to it as friendly fraud, uh, but it’s, uh, it’s nothing friendly about it, but it’s where the customer’s in on the fraud. Uh, probably a better way of describing it is first party fraud, uh, and that happens in loyalty too.

So the customer says, I didn’t make this redemption and, uh, uh, you know, it’s, uh, it’s quite a difficult one for people to actually track and to see because generally everything logging into the account, uh, all looks valid. But the account takeover on the other side is where it’s organized. So it’s organized crime that’s behind it.

Uh, and, uh, you know, uh, one of my, uh, you know, favorite examples, uh, in, in terms of, uh, you know, taking over, uh, [00:15:00] accounts, uh, is in a hotel program. And, uh, in that particular hotel program, Uh, you know, the accounts were being taken over and the points cashed out immediately for three nights. Now, you probably might think, uh, you know, nothing unusual about why they would choose to cash out for three nights.

Uh, but, uh, the organized crime syndicate that was behind it, uh, were using the free rooms for the prostitution service that they were running.

Amanda: Oh, heavens. And,

Michael: uh, one of the reasons that the likes of, uh, uh, Europol or the FBI, uh, get interested in these types of things, uh, is that there’s usually other criminality associated with it.

So the account takeover has, you know, mushroomed beyond belief, uh, and a huge amount of it is driven by bots. [00:16:00] And, you know, whenever you hear that phrase, bots, you know, lots of people just go, oh, I don’t understand. Uh, you know, what those are. And essentially I, I, you know, uh, what indexes from Google? Uh, uh, the surface web, so the, the bit that everybody can see is a bot just crawls over.

Uh, and, uh, it reads everything that’s there. And you can go into the dark web and you can get someone to write you a bot. Uh, that will crawl over, uh, every account, uh, and look for where the vulnerabilities are, uh, and they just keep pushing until they get in. Uh, and then take those accounts over, uh, they are now appearing, uh, for sale, uh, on the surface web and on the dark web, uh, it’s, um, you know, that’s a big issue.

And the other part in terms of program managers is. That’s not necessarily [00:17:00] something they see, uh, generally the fraud teams are picking it up. And it doesn’t generally become an issue for program managers until it’s, uh, you know, the partner or the CEO or the CFO who has their accounts compromised. And then it gets everyone’s

Amanda: attention,

Michael: right?

Yeah. Uh, and. To be honest with you, I, you know, what would you rather be doing, uh, uh, you know, working out, uh, uh, you know, new features and benefits or, or thinking about fraud. Uh, and I think one of the bits that is interesting about that thinking of things is. We are trying to give value to consumers. Uh, we’re trying to drive that engagement.

And with that driving engagement, we’ve created all this value for people and ways that they can cash it out. And one of [00:18:00] my favorite ones is we’ve created all this bit to let people transfer miles. So, you know, from a hotel program into, say, an airline program. Well, the fraudsters love that. They absolutely love that ability to be able to transfer miles.

And invariably what they’re doing is, uh, let’s just say it’s a hotel program. Uh, they will compromise the account in the hotel program and then transfer that out into say, uh, uh, airline miles. So when it turns up in the airline miles account, it all looks good.

Amanda: Yeah. Yeah.

Michael: Uh, and they cash out from, uh, the airline program.

Uh, and, uh, you know, and they’re doing this at pace, right? So it’s not one person sitting in a basement, uh, uh, you know, uh, lock, you know, logging into Amanda’s account and transferring a few miles to my account. [00:19:00] This is a bot that is, uh, uh, you know, driving in, seeing where all the value is, transferring them out into a number of, uh, accounts in, uh, another program, amalgamating them all into one account.

So there’s this whole ghost account, uh, where there isn’t someone, actually isn’t a real person that owns the account. Uh, so there’s someone in the loyalty program going, look at how many members we’ve got. We’ve signed all these people up, uh, but they’re not real people. And, uh, and they amalgamate all of those.

So they funnel them all together and then cash out. uh, as quickly as they can, uh, to the thing that is as near cash, uh, like the Pirozzi guy with that flat screen TV.

Amanda: Yeah. Yeah. It’s just utterly fascinating, Michael. It really is. Like you mentioned a few things here, like, um, one of my very first consultancy programs in South Africa as a loyalty consultant was [00:20:00] working with a big grocery retailer.

And exactly the simplest of experiences you’ve just said is, you know, when the new customers come along, they’re not swiping their card because they don’t have it yet. Rather than sign the customer up, they just, the cashier swiped her card and, you know, simple things, frequency was sort of 20 times a day, or she was spending more in a day according to her card than her monthly salary, you know, that kind of thing.

But this, that’s one level of fraud, but what you’re describing now with this account takeover and this, these millions and millions of bots and currencies flying all over the place. And I loved what you said. I had the privilege of listening to you at the Asia Pacific conference last month when, um, I was also there when you were on the stage with Luke Dynum from a certify.

I loved your comment where you said these fraudsters are not brand loyal. They just keep pushing and pushing until they come to an open door of any brand. Um, they’re not going to stick to one brand. So it’s, [00:21:00] it’s an incredibly difficult environment. So let’s see how we can help the audience of Let’s Talk Loyalty make this a little bit easier for themselves.

So how would you, you know, we talked about when we just met prior to this call, um, there were different stages of fraud. So can you talk us through that? We talked about prevention and detection and, you know, post events, you know, retaining the customer after a potentially bad experience.

So talk us through that. You’ve got a lot of experience across different brands.

Michael: Uh, so I, you know, I, it really is quite interesting. Uh, I just, on, I, I’ve not got, uh, an up to date, uh, um, uh, example in terms of loyalty, but I have got a, a, a great example on that not being brand loyal, uh, from the airline world.

Uh, so it’s, uh, it was from an airline, uh, alliance. [00:22:00] And, uh, um, the, the people running the card not present, uh, ran three of the brands. Uh, so they literally saw the same person, uh, with the same stolen credit card, uh, come on to one airline brand, get rejected. then come on to another airline brand, get rejected.

And then they went to the, you know, the third part of the airline that flew the same route and get rejected, uh, all with the same stolen card. So they, they, they don’t care. Um, they’ll go to, they’ll go to where the weakest link is in the chain. Um, and I think, you know, one of the bits, it is worth, You know, if, if people go away from listening to this with this bit of prevention, so you’ve got to stop people by the design of your program at hopefully having the opportunity to defraud you.

Then the next bit is if they get past [00:23:00] that, you need to be able to detect it. You need to be able to know that that cashier. Uh, is, uh, you know, swiping and earning more points than, uh, they’re earning a salary. You need to be able to understand how to detect that. And then you need to have your terms and conditions set up in such a way, uh, that, you know, the remediation, you know, how do you decide if you put someone, uh, uh, right?

And how do you put them back home? So that’s kind of those three stages. And if you then overlay that with, you know, that’s kind of the, you know, the, what you need to do to try and, uh, you know, keep on top of all this, but then the next bit is who’s doing that. All right, so, uh, you know, and that broadly splits into, uh, you know, your own customers.

Believe it or not, sometimes, uh, you know, what appear to be your best customers are also the ones that have figured out [00:24:00] how to, uh, you know, defraud your program. Uh, there are stories around, uh, especially on status match, uh, where, um, you know, for example, on the British Airways program, uh, if you’re, uh, the absolute top tier, if you go guest car list, uh, you get given two, uh, uh, you know, uh, silver cards, uh, and a gold card.

So those are valuable cards to have. Uh, there’s stories of people selling them on, uh, and, uh, you know, so sometimes it can be your customers. They elevate your staff. Uh, uh, you know, it’s well known that, uh, uh, in some parts of the world, uh, you know, the check-in staff. Uh, you know, see there’s no frequent flyer number in there.

And we’ll then swap, uh, their, uh, uh, own created number into there. Uh, I once did, uh, a session with, uh, a group of airlines, uh, and I couldn’t see them. Uh, it was, uh, uh, you know, I was not able to physically be present, uh, but I could almost hear the person who asked me the question, but the names have to match.

Amanda: Yeah.

Michael: And, uh, and when I pointed out, well, you can create an account with any name you like. Yeah, yeah. And, uh, I could almost hear the person’s jaw hit the table when they spotted, you know, kind of like the immediate flaw in their thinking. And the reason, the reason I use that is because as program managers, We generally think the best of people, especially of our customers, uh, we hope our staff are honest too.

And, uh, uh, you know, but trying to, you know, just have kind of like almost that checklist that sadly not everybody is honest. Uh, and, you know, especially when it comes to the criminal gangs and this account takeover. There is a tendency, uh, to think, well, that’s IT, that’s the cyber team, uh, you know, we’ve got firewalls and all those other things, uh, so we should be okay, uh, uh, it’s their job to prevent and detect, uh, but sometimes it’s the design of the program.

That can make it very easy for people to defraud it. And, you know, my favorite example of this, I was with some airlines fairly recently at a closed tour meeting, and it was the fraud people, not the program managers. And, uh, classic bit of signing up partners for a coalition scheme, and, uh, this was a coffee chain, and, uh, on that, uh, coffee chain, uh, uh, they were giving 1,000 bonus miles, uh, for every sign up.

Uh, so what the, the savvy customers had realized that if, if I do Michael one today, uh, and then Michael two tomorrow, and then Michael three, so they weren’t doing basic things like, uh, you know, making sure that the, the email was valid, um, but the customers are putting in the same frequent flyer number each day.

Uh, and, uh, so a whole load of savvy customers, uh, got a whole load of miles, and this is back to the definition. I would say the program wasn’t designed to do that. Now,

Amanda: back to the original definition,

Michael: you know, and, uh, you know, so you, you, you’ve got those bits where you, you, you, you do need to think, how do you design the program?

Now, you obviously don’t want, uh, you know, the 3 million tons of, uh, uh, customer friction. I, you know, because there’s a balance here. I often say that when I’m presenting on this, if, if you want to know that, you know, the silver bullet that will stop all your fraud. Uh, you know, wait to the end of the session and I’ll tell you, um, I won’t do that here.

I’ll tell you now, you don’t have a loyalty program.

Amanda: I’m loving what you’re saying. I mean, I sit, I have the privilege of sitting in front of so many incredible companies talking through loyalty. And I’ve, I often say something similar, like if you were to design your loyalty program so that it is fraud proof. you wouldn’t have a program. It’s, it’s impossible, right?

To get, cause there’s all the nuts and bolts and the tricks and the, I mean, it would be so dreadful from a customer experience point of view and no one would be able to be, it’d be like getting into your international bank account every second, every time you swiped, you know? So yeah, I feel the same. I feel passionately about this, but it’s actually a really difficult thing for program managers to hear.

Like, but you may. What do you mean? You’re going to help us design a loyalty program, but it’s going to, there’s going to be [00:29:00] fraudulent activity on day one.

Michael: You know, exactly. I think, um, you know, but if you go in with your eyes open,

Amanda: yeah.

Michael: All right. And, uh, you know, I, I think one thing that, uh, you know, perhaps as a loyalty industry, uh, you know, Collectively, we’ve all created this huge amount of value for our customers.

Uh, and we’re all very keen for them to redeem for, uh, all the reasons this particular audience will know. Uh, and, you know, so we create all these ways, uh, to let people redeem. Uh, uh, but we just have to, you know, uh, a share bit of that message with customers that, Hey, look at all this value that you’ve got.

You know, uh, you treat your bank account, uh, uh, one way, uh, you know. This is a bank account. There’s a huge amount of value here. Uh, and, uh, uh, you know, so you, uh, you know, when we introduce things like, uh, you know, two factor authentication, uh, we’re doing it ’cause we’re trying to protect, uh, uh, your, the value in your account, uh, uh, and the one bit.

Uh, and I’m not trying to scare or I, I, you know, put people off. But, uh, everything like, uh, you know, multifactor authentication, uh, um, those can all be spoofed. And, um, I, I, I’ve seen more than a few faces drop, uh, when I’ve, uh, explained about, uh, what, what are called fraud farms. So if you think that, uh, CAPTCHA, uh, is going to, you know, protect you, uh, what happens with the fraudsters, uh, is, uh, uh, they are switching, uh, the screen where the CAPTCHA appears.

Uh, to someone who’s sitting in the middle of nowhere in a very, uh, uh, poor part of the world. Uh, and that person is counting where the doughnuts are, where the traffic lights are, or, uh, the [00:31:00] cars are, and they’re getting paid. Uh, I think it’s, uh, uh, something like, uh, 0.07 of a cent, a U.S. cent. Oh goodness.

Um, you know, to, you know, I, I do that now. Um, wow. It’s just as well, it’s not me doing it ’cause I can never get the traffic lights one. Right. It’s, um,

Amanda: I can never get any of them. Right.

Michael: Um, so I think, you know, I, I am, it it, it’s one of these bits where. Uh, I think as an industry, we have a great message, you know, we, you know, we are generating, uh, you know, value, uh, you know, coming off the back of people’s loyalty, uh, and, uh, you know, and it’s just about finding where that balance is.

Amanda: Yeah, yeah, totally. I mean, I’ve mentioned to you before that we run a fraud group in South Africa and listening to you talk now, like some of the stories around the staff, you know, so you’ve talked to who are the fraud, fraudsters, staff, customers, bots, criminal groups, and so on.

And, um, one of the most fascinating stories, and I won’t name the brand because we’ve promised ourselves within that fraud group that it stays within the group, but examples can be shared, but the, it was a franchisee setup and the actual staff that the way, you know, it needed managerial authentication for experts. type of transaction to take place. But the manager of the branch was also included, you know, was involved in the fraudulent activity. So there was just all the safety layers that you think are quite sensible for the authentication and to try and stop this fraud taking place were being skipped around and, you know, until they managed to kick into the detection process, which is how they stopped it in the end.

But it is, it is utterly fascinating around the different examples. Um, you mentioned as well, you know, like simple things like the, the number being kept and then used on different accounts for redemptions and so forth.

It’s just so simple, but it’s so obvious, but it happens. It’s, um, I see it happen every day.

Michael: One, uh, public example, uh, uh, you know, I, I’m not the easiest person because of my surname to find on LinkedIn. Uh, but if, uh, if you do follow me on LinkedIn, I, I, you’ll, you’ll see, I publish as soon as I find them examples of where people have been convicted.

Uh, and, uh, one, uh, particular person in the UK, uh, was convicted, uh, fairly recently. Uh, and so there was a signup bonus in the restaurant. To, uh, uh, for about 20 pounds, so about, you know, 25, 30 US dollars, um, to, uh, uh, uh, you know, come and eat. Uh, and the staff and the manager were all in on it. So they were all signing up for this, uh, and collecting the cash.

And so I think it amounted, I think the, the, he was prosecuted for about 30,000, uh, pounds. Uh, that, uh, the restaurant had lost, uh, so, you know, and the, you know, that’s not bot and that’s not on the dark web.

Amanda: That’s full frontal in the store with managerial approval. Yeah, exactly. It’s exactly the same.

Great example. I’m not seeing cases of fraud like that be taken to the criminal court, actually, in the past. Yeah. Certainly not in the African market. So it’s great to see that and hear that. So good encouragement for everybody in the listening to this to follow Michael on LinkedIn. We’ll make sure Michael’s LinkedIn profiles in the show notes.

Um, given I’ve mentioned the South African fraud group, um, I’m not going to pick on South African examples. I think some of the things Um, we did ask the group to come up with some questions to ask you today. Um, so one of the questions is, what have you seen to be the financial impact of some of this?

It’s loyalty fraud.

Michael: So I think this is where we get back to, as I said, that definition, uh, you know, kind of what is fraud and, uh, we all know that what gets measured gets done and it’s a huge challenge to actually, uh, you know, uh, get some of the programs to talk about it. And really the only current figure, I’m hoping that we’re going to have an up to date one in the next few months.

But the only current published figure is from Australia. And 3 percent of Australian consumers said their account had been compromised. Now, it doesn’t say all of their account was cleared out. But, uh, if you take, uh, Qantas, uh, their figures are published. So there’s about 3 billion, uh, uh, Aussie dollars, uh, on Qantas balance sheet for redemptions.

So, uh, if it’s all cleared out [00:36:00] 3 percent of, you know, 3 billion is a big sum of money. And, uh, you know, and there are other impacts. So, you know, the time and the effort. Uh, to, uh, you know, uh, you know, put people whole if they have been compromised, uh, you know, the, you know, the whole brand, uh, part, um, you know, there was an interesting example, uh, and it’s, it’s 10 years ago now, uh, and it’s public knowledge, uh, that, uh, you know, Hilton suffered a massive, massive data breach, uh, on Hilton Honors.

And, uh, so they swung from it being a four digit pin, uh, to, you had to deposit a kidney to, uh, log on to the account. Uh, and, uh, you know, the upshot of that was, you know, like the customer, uh, blow back from, uh, all of that. Uh, you know, whilst they went from, uh, one end of the spectrum to the other, uh, you know, I’m, I’m, I’m sure that caused them, uh, some day to day issues, uh, uh, because they’ve kind of, uh, uh, you know, you only have to go onto their site and see that, uh, they’ve made it, uh, just a little bit easier to, uh, to, to get in.

So, uh, the financial impact is, you know, it’s one of these bits where I can’t point to one particular number, uh, you know. But, uh, the, the law enforcement that so the law hasn’t caught up with our digital world full stop. Uh, and it certainly hasn’t caught up with the value related to loyalty points. Uh, so that gets you into some interesting areas.

There have been several prosecutions in the US, uh, including for a small amount, small 3,000 worth. Um, and again, generally, there’s some muck up. Uh, underlying, uh, uh, you know, criminality associated with that. Uh, there’s [00:38:00] a great, uh, gift example fraud from the U.S., um, where the, uh, Department of Justice, uh, uh, spoke at, uh, one of our webinars, uh, and it was almost 30 million U.S. dollars. And that particular, uh, guy, uh, who happened to be a Canadian, uh, but the, the, the U.S. people eventually caught him, and, uh, with that one, he was doing everything. So he was taking over the accounts where people had registered the account and had value in it. He had a fake site for, uh, uh, you know, selling the gift cards.

He was going into stores and, uh, amending the gift cards so that, you know, he could, uh, fraudulently get the value that other people loaded onto it. He was doing everything. Um, so, uh, you know, that was a huge impact for each of the brands that, uh, on the cards that, uh, he was defrauding, uh, as well as the individual consumers.

But it is very hard to get a specific number. Uh, you know, again, you know, uh, uh, you know, if you’re a program, uh, and this happens to you, uh, do you really want to be talking about it? Uh, so it’s, it’s very hard.

Amanda: Yeah, very, uh, yeah, I mean, it’d be impossible, as you say, to identify actual numbers, unless you’ve got examples, as you said, you just made up, not made up, but drew a sort of calculation on a, on a liability sitting on a balance sheet.

But, um, how do you think, a couple of other questions, just to sort of close us out now, Michael, because this, we really could work, we could talk forever, but we’re almost out of time already. Do you think companies are managing to communicate any of this in a customer friendly way to their customers?

Because as you say, the minute they try to do something to stop fraud, which is to protect the customer, they make it utterly impossible and then customers complain and they have a drop off. So what would you say has best practice of being able to communicate this well?

Michael: So I think, uh, probably the, the, the first bit of best practice, uh, is internally.

Uh, so we know from talking to lots of different people, uh, and lots of different programs, uh, that the internal setup. Uh, is, is very different. So, for example, uh, in some programs, uh, the fraud teams, uh, sit in the cyber team, uh, in other teams, the fraud people sit within the loyalty program, uh, and, uh, there’s pros and cons to everything.

But the main bit is everybody needs to be talking to one another. Uh, and I’m, you know, I’ll give you a great example. So, uh, I won’t name the program, um, but it’s public knowledge. Uh, they, they combined two programs to create one new one. And, uh, the resulting chaos, uh, with people having, uh, uh, you know, their, you know, their accounts compromised and, you know, and the loss of value, uh, you know, kept the papers busy for days, including the TV.

Uh, et cetera. Uh, and I strongly suspect, uh, and clearly I don’t know, but I strongly suspect that if they’d actually sat down and had fraud on the agenda, uh, when they were sitting with, uh, you know, the cyber teams and the fraud people, uh, someone would have flagged that up as a potential issue. Uh, and they might not have had that problem, uh, had they done that.

So I think that’s the first bit’s internal, um, you know, if you’re running a program, uh, and I’m, you know, I, you know, I certainly know when I was doing the, you know, the, you know, the various, uh, uh, non EU partners, uh, for BA, it certainly wasn’t high on our radar screen, um, uh, you know, in terms of kind of like day to day, because the other bit isn’t.

Not particularly interesting, uh, uh, until it happens. So that’s, that’s the first part. The second bit is, uh, uh, you know, we are creating, as in we as an industry, are creating huge amounts of value for people, uh, and we want them to take advantage of it. So it is, uh, you know, about saying, hey, we’re doing this because, uh, you know, so it’s things like, uh, if you go on to, uh, Etihad’s, uh, website, uh, you’ll find there’s a huge amount.

Uh, of, uh, information on there about what customers can do to, uh, protect themselves. Uh, although I think one of the sad bits is, uh, uh, you know, uh, we can do all of that. Uh, but, um, he who is, uh, you know, not recycling their passwords. You know, raise their hand. Uh, and, uh, you know, until we’ve cracked some of those things, probably at a bigger level than just loyalty, uh, you know, we might be on to something.

But I think it’s about communicating a positive message to people. Hey, look, protect this. Here’s how you can protect it. We’ve done two factor authentication. Uh, you know, we’re making you change your password occasionally. Um, and there’s, there’s a very interesting, uh, um, uh, initiative by, uh, the Dutch police.

Uh, and please don’t laugh when I, I say this. They’re policemen, uh, so they might not be brand marketeers, but the initiative is called No More Leaks. Uh, uh, yeah, exactly. Uh, I don’t, I lost, it’s okay. I don’t need to say anymore, but it’s nomoreleaks.nl, uh, and, uh, and they have, uh, for free, uh, uh, north of, uh, 550 million.

Uh, accounts that are, uh, compromised, uh, along with the passwords. And, uh, they will give that information to you in a hash format so you don’t actually get to see it. But it then allows you to, I, I do things like, for example, when the customer creates account, an account, you can go, right, okay, well you’ve already used that password.

So you can then either force them to, uh, change the password or you, you can decide that you’re not going to open that account because you know it’s fraudulent elsewhere. So that, that’s an interesting thing for some people to consider. But it does come back to what I’m saying. It’s, it’s, it’s not number one, uh, on a program manager’s to do list.

It just needs to be on the list. I need to be aware that not everybody’s [00:45:00] honest. Uh, I need to be aware that the minute I’m digital, I, I’m, you know, I, I, you know, I’m open to all these bots. Uh, uh, there are plenty of, uh, vendors out there that will help with prevention and detection. Uh, but it’s a lot easier, uh, if the program managers are at least having some consideration that, hey, do you know what, I’m, you know, uh, it’s going to happen to my program eventually.

Amanda: Yeah, and to not be ostriches, I guess, not bury their head in the sand about it. Michael, I’m going to close our discussion with asking you to share an example you shared in Australia at the events last month in the Gold Coast around And I loved it. I thought it was really incredible, but really brought to life what brands can do if they are set up effectively to do so.

And it was the Qantas example. I know you’ve [00:46:00] mentioned Qantas already today, but the Qantas example of how they stopped a redemption by joining all the dots. Because of the passenger. So rather than me give the example, can you share that with us?

Michael: Yeah. I, I, I think, you know, sometimes, uh, it’s, uh, you know, uh, you know, as loyalty, uh, uh, you know, professionals, we’re all keen on this single view of the customer.

Amanda: Yeah.

Michael: Uh, and, uh, and I think this is an absolute classic example and, uh, you know, uh, it, it, it really is, uh, um, impressive. What Qantas, uh, did, and again, this is. But, you know, publicly available information. It’s not something that Qantas have told me. I, I, they, I saw a redemption, uh, coming in for, uh, one of their customers.

I, and they knew it couldn’t possibly be the customer, uh, because they were sitting on board an A380 that didn’t have Wi Fi that was sat out over the Pacific. Uh, and, uh, there was absolutely no way it could be that customer, uh, and, uh, you know, that I think is, uh, is pretty impressive, uh, and that, you know, that’s on, uh, one scale and, uh, you know, which is impressive at the other level of not impressive.

Uh, is, uh, the marketing agency in Singapore, uh, that had, uh, uh, was running, uh, the loyalty program for Starbucks. And again, this is publicly available, uh, uh, it’s, um, and they had something of north of 300,000, uh, accounts, uh, uh, details, uh, including the passwords, uh, on a Google sheet, uh, that they had on a server and, uh, that all got, uh, compromised.

Amanda: Terrifying, terrifying. Well, thanks for sharing the good, the bad, and the ugly. That’s, that’s powerful to see. So Michael, we could carry on forever, but I know for a fact that so many loyalty, loyalty professionals listening to this will have hung on every word. So from all of us at Let’s Talk Loyalty, thank you so much for sharing so much.

And I think you’re going to have some follow ups. Um. Follow up conversations with individuals, but we will put your LinkedIn profile, uh, link into the show notes and so grateful. Thank you very, very much.

Michael: It’s well, thank you for the opportunity. And, uh, you know, there is hope, uh, cause I think it’s, uh, uh, again, the huge amount of value that as an industry we’re creating for people, uh, and it’s just attracted, uh, you know, the fraudsters, uh, but there are things that, uh, we as an industry can do, uh, and individual programs can do, uh, to at least, uh, uh, you know, prevent the worst of it.

Amanda: Yeah, absolutely. And by sharing like this, it’s one step in the right direction. So thanks again, Michael.

Michael: You’re very welcome.

Paula: Thank you so much for listening to this episode of Let’s Talk Loyalty. If you’d like us to send you the latest shows each week, simply sign up for the Let’s Talk Loyalty newsletter on letstalkloyalty.com and we’ll send our best episodes straight to your inbox. And don’t forget that you can follow Let’s Talk Loyalty on any of your favorite podcast platforms. And of course, we’d love for you to share your feedback and reviews. Thanks again for supporting the show.

Publisher’s Note:

This transcript was generated with the help of AI and podcast publishing tools such as Apple Podcast’s transcription service.

In the interests of efficiency and minimising our costs as a small business, it has not been checked by a human.

If you have any comments or concerns about the accuracy of this content, please do contact us for changes or corrections.