Understanding the scale of Frequent Flyer Program (FFP) fraud in the airline industry is a first step toward a structured response

Fraudulent frequent flyer activity is a major challenge for the aviation industry. It is difficult to spot and the potential cost to airlines is huge.

“Many airlines are still unaware of the impact that mileage fraud can have on the airline,” says Sarah Rajkumar, Fraud Prevention Manager, Etihad Guest, Etihad Aviation Group and Vice-Chair of the IATA FFP Fraud Prevention Standards Governance Group. “Miles are money, which is what makes it so attractive and lucrative to fraudsters. Airlines have not yet realized the benefits of investing in a robust fraud prevention system and this has proved very costly to organizations.”

As Rajkumar points out, loyalty program credits are currency, similar to cash. With an Economist estimate of 23.8 trillion unredeemed miles in the industry and each mile valued at $0.01, $238 billion is at risk.

Already, Cambridge Intelligence has reported that fraudsters have exploited a majority of airline FFPs and that about 80% of frequent flyer fraud is only discovered by pure accident.

The schemes are popular with fraudsters because individual accounts are reasonably easy to hack. Moreover, the growing number of partners in loyalty programs means there is a wide choice of products that can be obtained for free and sold on to others. Compromised accounts can also be used to launder money through the purchase of points.

How does it work?

In addition to hacking individual accounts, there are a number of methods used to trick FFPs. One travel agent, for example, stole 3.7 million airline miles from clients by telling them their cheap fares didn’t generate loyalty bonuses, instead adding the miles to her own account. Some 135 flights for herself and her family valued at well over $100,000 were booked before the scam was discovered.

Another method uses a phishing email that appears to come from the FFP. People are easily fooled by this as they take little notice of what the email address is and don’t suspect a scam asking them to log in to their account for a special offer. Emails about bank account details set off alarm bells but one from an FFP can fall below the personal radar. And one click is all it takes for login details to be stolen.

According to Barracuda Networks, it can be so effective that 90% of people are deceived.

“Methods that the fraudsters use are varied and innovative,” agrees Etihad’s Rajkumar. “If you put a stop to one type of fraud, they will come up with another kind. The methods used now are sophisticated and advanced. Social engineering, machine learning, and artificial intelligence are just a few examples. Different methods, tools and skills are used, and it is a constant game of one-upmanship going on between the fraudsters and those trying to prevent fraud.”

Paper exercise

Whatever the type of attack—other methods include infected shared computers and fake call center attendants—FFP fraud is hard to spot. From the user point of view, few people check their loyalty points daily. And from an airline standpoint, it may be that hackers get enough information to prove they are the real users.

It’s hard to determine what might constitute unusual activity. These days, people accumulate a mass of loyalty points through a variety of conduits and not just an airline booking. And the travel patterns of many FFP members are inconsistent, ebbing and flowing with business needs. Furthermore, FFP fraud might be seen by some as a paper exercise. According to some, since airlines are effectively giving away unsold seats to frequent flyers, the real cost to them is minimal. Points can be given back to the victim and the password to the account changed. Pursuing the fraudulent passenger can be more trouble than it is worth, especially if multiple jurisdictions are involved.

The reality is different, of course. Especially with so many partners offering potential purchases through FFPs, airlines could be forced to pay significant amounts of money.

And there could be legal comebacks against the airline too if it is found to be negligent. Some have speculated that the data breach at British Airways could lead to a fine and potentially cost the airline a maximum of 4% of global revenues due to stringent new European data rules. Cathay Pacific is also embroiled in a data breach crisis.

How to respond

FFP fraud prevention is as much to do with the boardroom as it is with technical gurus. “Fraud is a management issue and should be treated as such,” says Rajkumar. “Investing in solutions that improve over time will ensure that the airline is prepared for future fraud trends that are sure to come.”

Eyal Raab, Senior Vice President at fraud prevention solution provider Riskified, agrees, but stresses that choosing the right technology also makes a difference. “It’s all about finding the right balance,” says Raab. “Fraud isn’t going away. What management has to decide is how they want to approach preventing fraud and approving orders.”

Raab suggests that while fraud is an issue, fear of fraud is worse. Airlines should first focus on maximizing revenue and then look to fraud rather than vice versa.


In 2016, the Industry Fraud Prevention (IFP) project was established by IATA. The IFP began laying the foundation for fraud detection and loss reduction, supporting airlines and establishing best practices and standards in all aspects of fraud prevention.

Crucially, the work has enabled benchmarking to improve industry performance. Although aviation is one of the industries most exposed to fraud by the nature of its transactions and loyalty schemes, it is difficult to measure performance because there are no globally-agreed metrics. The indications are that there is a huge disparity in fraud prevention performance between airlines, making the need for coordinated action obvious.

Airlines have been working through IATA to provide recommendations in card and FFP fraud prevention. These best practices were validated at the October 2018 Passenger Standards Conference as IATA Recommended Practices for the benefit of the entire industry.

IATA is also facilitating airline cooperation with international law enforcement agencies, particularly as fraudulent activities occasionally turn out to be related to other crimes, such as human trafficking, drug smuggling, and terrorism.

“We also cooperate with a range of Strategic Partners to ensure the best available tools and services are being promoted,” says Anca Dolocan, IATA’s Portfolio Manager, Card and Fraud Services. “It takes a network to defeat a network. This is what IATA is aiming to build to ensure the fraudsters get less and less efficient in attacking our industry.

“Each airline should plan their strategy individually and coordinate with peers and IATA for the best possible solutions. Only by working together, machines and humans, can sustainable progress be built.”

Card fraud

“Card not present” fraud, where the buyer does not physically present a credit or debit card for inspection, is estimated to cost airlines close to $1 billion every year.

Airlines, unfortunately, have solid experience with this type of activity. IATA Resolution 890, for example, says a travel agent should not complete transactions where there is a mismatch on the CVV2, the security number on the back of the card. Some card issuers will not send an approval with a CVV mismatch, but unfortunately this is not a policy that card schemes endorse globally.

Technology, system checks, and the appropriate algorithms do much to make card fraud as difficult as possible but the battle to keep the hacker at bay is a constant one.

Red flags in FFP activity

  • Tickets purchased for people other than the account holder
  • Multiple accounts accessed from a single device
  • Access or changes to an account from an unrecognized device
  • Use of miles is significantly different from past activity
  • Large amounts of miles added after a previously consistent history
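
The five red flags above can be written as rules over a time-ordered stream of account events. The following is an added example, not code from IATA or any airline; the event layout, account and device names, flag names and thresholds (ratio, device_limit) are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events: (account, kind, device, passenger, miles)
EVENTS = [
    ("A1", "earn", "dev-1", None, 1200),
    ("A1", "earn", "dev-1", None, 1100),
    ("A1", "redeem", "dev-1", "A. Holder", 5000),
    ("A1", "login", "dev-9", None, 0),
    ("A1", "earn", "dev-9", None, 90000),
    ("A1", "redeem", "dev-9", "X. Other", 80000),
    ("B2", "login", "dev-9", None, 0),
    ("C3", "login", "dev-9", None, 0),
    ("D4", "redeem", "dev-4", "D. Holder", 4000),
]
HOLDERS = {"A1": "A. Holder", "B2": "B. Holder",
           "C3": "C. Holder", "D4": "D. Holder"}
KNOWN_DEVICES = {"A1": {"dev-1"}, "B2": {"dev-2"},
                 "C3": {"dev-3"}, "D4": {"dev-4"}}

def red_flags(events, holders, known_devices, ratio=5, device_limit=2):
    """Return {account: set of red-flag names} for a time-ordered event list."""
    flags = defaultdict(set)
    past = defaultdict(list)           # (account, kind) -> earlier mile amounts
    device_accounts = defaultdict(set)  # device -> accounts seen on it
    for account, kind, device, passenger, miles in events:
        device_accounts[device].add(account)
        if device not in known_devices.get(account, set()):
            flags[account].add("unrecognized_device")
        if kind == "redeem" and passenger != holders.get(account):
            flags[account].add("ticket_for_other_person")
        if kind in ("earn", "redeem"):
            earlier = past[(account, kind)]
            # Assumed threshold: 'ratio' times the account's own average so far.
            if earlier and miles > ratio * mean(earlier):
                flags[account].add("large_miles_added" if kind == "earn"
                                   else "unusual_redemption")
            earlier.append(miles)
    for device, accounts in device_accounts.items():
        if len(accounts) > device_limit:  # many accounts behind one device
            for account in accounts:
                flags[account].add("shared_device")
    return dict(flags)

if __name__ == "__main__":
    for account, found in sorted(red_flags(EVENTS, HOLDERS, KNOWN_DEVICES).items()):
        print(account, sorted(found))
```

Because each account is compared against its own history, an account with no earlier activity of a given kind (D4 here) raises no volume flag, so a production rule set would need a separate policy for new or dormant accounts.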