Fake Travel Points and Miles Scams via Email
How phishing emails impersonate airline and hotel loyalty programmes to harvest account credentials and steal accumulated points or miles.
Last reviewed: 8 June 2026
Frequent flyer miles and hotel points represent real value — flights, hotel nights, and upgrades — which makes loyalty programme accounts a target for credential phishing. Scammers send emails designed to look exactly like communications from major airlines, hotel chains, or card rewards programmes, warning about expiring points, security alerts, or exclusive redemption offers.
Victims who follow the email link are directed to a replica login page. The captured credentials are used to access the real account, redeem points for gift cards or flights in the attacker's name, and sometimes change the account's email address to lock the victim out.
How this scam works on email
An email arrives mimicking the exact branding of an airline or hotel loyalty programme. The subject line references points expiring, a security lock, or a limited-time redemption offer. The link leads to a convincing replica of the programme's login page. After login, the victim is redirected to the real site or shown an error, while the attacker accesses the account and redeems or transfers points.
Some campaigns specifically target high-value accounts — those with premium elite status — whose details may have been exposed in a data breach.
Common red flags
- Email about expiring points creates urgency to act immediately
- Login link domain differs from the programme's official website
- Email references account activity (a recent flight or stay) that does not match your recent travel
- After clicking, the login page requests your full password and security question answers
- Points balance drops unexpectedly without a redemption you made
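The link-domain red flag can also be checked mechanically, for example in a mail filter or when triaging a reported message. The following is an added example, not part of the original article: it extracts every link from an HTML email body and flags those whose real host is not the programme's official domain, whatever the visible link text says. The domain `loyalty.example` and the sample email are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder for the programme's official domain (not a real site).
OFFICIAL_DOMAINS = {"loyalty.example"}

# Constructed sample email body, for illustration only.
SAMPLE_EMAIL = """
<p>Your points expire in 24 hours.</p>
<a href="https://www.loyalty.example/account">View balance</a>
<a href="https://loyalty.example.points-renew.example/login">https://www.loyalty.example/login</a>
<a href="https://loyalty.example@signin.example/login">Log in</a>
<a href="https://my-loyalty.example/login">Keep my points</a>
"""

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_is_official(host, official=OFFICIAL_DOMAINS):
    # Exact match or a true subdomain; "official name somewhere in the host" is not enough.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official)

def suspicious_links(html, official=OFFICIAL_DOMAINS):
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        try:
            parts = urlsplit(href)  # .hostname ignores any "user@" prefix
        except ValueError:
            parts = None  # malformed URL: report it rather than trust it
        if parts is None or (parts.scheme in ("http", "https")
                             and not host_is_official(parts.hostname, official)):
            findings.append((href, text))
    return findings
```

On the sample email, only the first link passes; the other three are flagged even though each one contains the official name somewhere in the URL or in its visible text.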
How to protect yourself
- Always log into loyalty accounts directly by typing the URL — never through email links
- Enable two-factor authentication on all loyalty programme accounts
- Set an email alert for any redemption activity on your account
- Use a unique password for each loyalty account, managed through a password manager
- Regularly check your points balance through the official app to detect unexpected redemptions
How to report it
- Report the phishing email to the impersonated airline or hotel programme
- Report to the FTC at reportfraud.ftc.gov (US) or Action Fraud (UK)
- Contact the loyalty programme's customer service immediately if your account was accessed
Frequently asked questions
Can stolen loyalty points be recovered?
Airline and hotel programmes have fraud teams that handle account compromise. Contact them immediately with details of unauthorised redemptions. Recovery is possible, especially if the redemption was recent, but acting quickly is critical.