How do I spot a fake cashback or reward points email?
Fake cashback emails claim your points are about to expire and ask you to click a link to redeem them — real loyalty programmes show your balance in your account and do not expire points through email links.
Last reviewed: 10 June 2026
Explanation
Loyalty programme phishing exploits the wide participation in rewards schemes offered by supermarkets, airlines, credit cards, and retailers. The email claims you have a balance of points about to expire and must click to redeem them before a deadline. The urgency is designed to prompt rapid action.
The phishing link leads to a fake version of the loyalty programme's login page. Your credentials are harvested and used to redeem real points in your account or to access linked payment information. Some variants go further and ask you to verify your card details to 'unlock' the points.
Real loyalty programmes display your point balance in your account when you log in. They may send expiry reminders, but they direct you to log in at the official site — not to verify your account through a link by entering your card number. Most major schemes do not expire points on the timelines suggested by these emails.
Verify any claim by logging in to the loyalty programme's app or website directly. Check your actual balance and the real expiry policy. If your email's link destination differs from the official domain of the programme, delete the message.
Common red flags
- Link goes to a domain other than the loyalty programme's official site
- Email asks for card details or CVV to 'activate' or 'unlock' points
- Urgency: points will be lost in 24-48 hours
- Email arrives without you taking any action in the programme recently
- Sender email domain does not match the programme's official brand domain
- Point balance shown differs from what you see when you log in directly
What to do now
- Log in to the loyalty programme directly through the official app or typed address
- Check your real balance and expiry terms there
- Report the phishing email to the loyalty programme's fraud team
- Delete the email
- If you entered your credentials, change your password immediately and check for unauthorised redemptions
Frequently asked questions
Do loyalty points actually expire?
Some programmes do expire inactive points after a period without activity. The way to check is through the programme's official website, not by clicking an email link.
Can loyalty account details be used for financial fraud?
In some schemes, points can be exchanged for gift cards or cash. Fraudsters who access your loyalty account may redeem your points or use linked payment methods for purchases.
What if the email contains my real member number?
Member numbers are sometimes exposed in data breaches. A correct member number does not confirm that an email is from the genuine programme — verify through the official app.