No Room for Hotel Loyalty Fraud

December 07, 2017


With data breaches involving millions of accounts hitting scores of organizations, account takeover has emerged as a new fraud challenge for hotels.

Fraudsters use the data acquired on the dark web and through sophisticated phishing schemes to take over accounts, steal loyalty points, and book rooms. Your hotel suffers from loss of revenues, reputation, and possibly customers, even if you’re not responsible for the original breach.

Here’s what you need to know about account takeover—and how you can protect against it.

Takeovers are surging along with your costs

Email addresses have moved from a means of communication to a means of authentication. Due to data breaches, the fraudster marketplace contains an abundance of email addresses and passwords—the credentials needed to log into accounts. Consumers frequently use the same user name and password again and again, so the account breached often isn’t the one taken over. And automation enables fraudsters to test large numbers of credentials quickly. When they find credentials that work, they can take over several of a customer’s accounts.

And given that they’re using legitimate credentials, it’s tough to tell fraudulent from legitimate use. You may see that a customer logging in is a silver elite member who has stayed at your property many times and spent large sums of money. You certainly don’t want to hassle them during an activity that should be fun—booking a room, maybe for a pleasure trip. So hotels normally do less fraud screening of customers who log into their website or belong to their loyalty program.

If fraudsters act quickly enough, it’s possible for them to book a hotel stay and enjoy it without your knowledge. But the potential damage to your reputation may be worse. Even if their data was breached at a restaurant, customers will blame your hotel if that’s where their account was taken over—and they’ll lose trust.

Customers who participate in your loyalty program and engage via mobile apps or online accounts may be among your most loyal and high-spending visitors. If your reputation suffers enough, your customers may go to your competition. Although the cost of negative brand impact among this select group and lookalikes is difficult to quantify, substantial losses could result.

Passive aggression lets you fight back

When customers or fraudsters log into your hotel’s loyalty account, they provide only two pieces of active data: a user name and password. That’s their authentication. If you ask for more information, you risk damaging the customer experience. Instead, leverage passive tools to monitor and establish normal profiles for account sign-up and login screening. You can use passive data—such as device ID, IP address, and behavior analytics—for velocity checks and machine learning. Velocity checks highlight how often a specific data element appears in transactions; machine learning uses data to draw statistical correlations that could point to fraud.

You may also want to build a table or list of known elements for each customer. When a customer logs into an account and performs an activity, it’s useful to understand how the device ID and IP address relate to the account. If you see the same element later and you know it proved legitimate, you can use that information to screen for risk.

In addition, customer profiles can help you understand and identify normal and out-of-pattern spending and incorporate data to help score transactions. By compiling information on each customer—address, email, phone number, bookings, and frequency—you can aggregate historical data to make better fraud decisions while keeping risk in check. You can reduce the need to step up authentication, providing better experiences for your top customers and letting you sleep better at night too.
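The passive screening described above (velocity checks on device ID and IP, a per-account table of known elements, and a risk score built from them) as an added example in Python; it is not code from the article or any vendor product. The login log is constructed sample data, and the ten-minute window and the three-account threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login log (sample data for this example, not real traffic):
# (timestamp, loyalty account, device ID, client IP). Four accounts log in
# from one device and IP within ten seconds, a pattern no single login reveals.
LOGINS = [
    ("2017-12-01T10:00:00", "alice", "dev-A1", "203.0.113.5"),
    ("2017-12-01T10:00:04", "bob",   "dev-X9", "198.51.100.7"),
    ("2017-12-01T10:00:05", "carol", "dev-X9", "198.51.100.7"),
    ("2017-12-01T10:00:07", "dave",  "dev-X9", "198.51.100.7"),
    ("2017-12-01T10:00:09", "erin",  "dev-X9", "198.51.100.7"),
    ("2017-12-02T09:30:00", "alice", "dev-A1", "203.0.113.5"),
]

def velocity(logins, key, window=timedelta(minutes=10)):
    """Velocity check: most distinct accounts using one element value inside any window."""
    by_value = defaultdict(list)
    for ts, account, device, ip in logins:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        by_value[key(device, ip)].append((t, account))
    peak = {}
    for value, hits in by_value.items():
        for t0, _ in hits:  # window starting at each observed login
            n = len({a for t, a in hits if t0 <= t <= t0 + window})
            peak[value] = max(peak.get(value, 0), n)
    return peak

def known_elements(logins):
    """Per-account table of device IDs and IPs seen on logins already judged legitimate."""
    known = defaultdict(lambda: {"devices": set(), "ips": set()})
    for _, account, device, ip in logins:
        known[account]["devices"].add(device)
        known[account]["ips"].add(ip)
    return known

def score_login(account, device, ip, known, dev_vel, ip_vel, max_accounts=3):
    """Passive risk score: one point per unfamiliar element, one per widely shared element."""
    hist = known.get(account, {"devices": set(), "ips": set()})
    reasons = []
    if device not in hist["devices"]:
        reasons.append("device not seen before on this account")
    if ip not in hist["ips"]:
        reasons.append("IP not seen before on this account")
    if dev_vel.get(device, 0) > max_accounts:
        reasons.append("device used by %d accounts" % dev_vel[device])
    if ip_vel.get(ip, 0) > max_accounts:
        reasons.append("IP used by %d accounts" % ip_vel[ip])
    return len(reasons), reasons
```

A score of 0 means every element matches the account's own history and nothing it touched is being shared across accounts, so no step-up authentication is needed; a non-zero score lists the reasons, which is what a reviewer or a downstream machine-learning model would consume.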

You can also lower risk with consortium data. To you, a first-time customer may be a collection of data points: credit card number, email, IP address. But if you leverage the insights and experience of the travel/hotel community, you can be better equipped to discern a legitimate customer from a fraudster.

Verify that your platform can manage fraud dynamics

Fraud changes continually—so your fraud platform should be flexible and configurable enough to validate customer data in both current and emerging fraud schemes. For example, you want the ability to screen and link all customer activities to account login and transactions, even if those activities aren’t part of a card transaction. And you also need the ability to incorporate and synthesize data from multiple internal and external sources.

Don’t get locked into fraud software that doesn’t let you adjust based on sales channel, brand, property, and geography. Not all fraud is created equal. You need a platform flexible enough to let you adjust strategies and rules on the fly, based on your unique circumstances, with a support team’s help only when necessary. With that, you can make the in-the-moment decisions that are best for your brand’s revenue and reputation.