Research company Flashpoint has revealed that fraudsters reap shocking discounts on holidays after stealing reward points from loyal airline customers.
Flashpoint’s Liv Rowley said: “One advantage for criminals of using reward points is that the legitimate owner might not notice for months that their points have gone.
“They’re confident enough to travel in their own names using the stolen points.”
The criminals use the reward points to enjoy cheap flights, hotels and car-hire – the deals are sold by travel agents present on “dark markets” on the internet.
Alan Woodward, from the University of Surrey, told The Times: “The whole area of crime as a service is common in the dark markets.
“The part that is unclear is why there isn’t more cross-checking: you would have thought that loyalty points would be usable only by those to whom the points belong.”
The online stores selling the fraudulent holidays use websites with designs reminiscent of leading airlines where customers reportedly post reviews and photos of their trips.
Flyer details are allegedly stolen from bank accounts that are linked to airline reward schemes – the fraudsters use tactics such as sending phoney emails disguised to phish for user information.
The criminals have found ways around reward systems that allow them to use other flyers points in their name.
Flashpoint also revealed that the cybercriminals only deal with flights over £380 ($500) and hotels over £150 ($200) in order to rake in high margins.
One of the companies reportedly involved, Avios, is owned by the same parent company as British Airways and Are Lingus.
Internet forums Reddit and Flyertalk detailed a couple that found their Avios reward points stolen and splashed on a hotel room in Spain under the names of Olga and Dmitry.
The fraudster’s dealings have become so prevalent that an undisclosed US bank with UK customers had dissolved the ability for Russian’s to use its reward points.
Flashpoint disclosed that English and Spanish speakers were increasingly involved in the cybercrime.
The company refused to name the exact details of the British companies being exploited by the fraudsters.