Fake Loyalty Points Redemption Scams
Fraudsters send fake alerts claiming your retail or shopping loyalty points are about to expire, directing you to phishing pages that harvest account credentials or card details.
Last reviewed: 1 June 2026
What this scam is
Fake loyalty points redemption scams target members of retail loyalty and reward programmes — supermarket points schemes, cashback cards, retail reward apps, and similar. The scammer sends a message, typically by email or SMS, claiming that a significant points balance is about to expire and offering a simple link to redeem the points before they are lost.
The link leads to a page designed to look like the official loyalty scheme login. When the victim enters their credentials, those details are captured by the scammer. In some variants, the fake page offers to convert points to cash or vouchers and requests payment card details to 'process the transfer' — a straightforward card harvesting operation.
Because loyalty points can represent genuine value — discounts, free products, or cashback — and because expiry warnings are a legitimate feature of many loyalty schemes, the messages are highly persuasive.
How it works
The scammer obtains a list of email addresses or phone numbers, either from a data breach or from a purchased marketing list. They send bulk messages impersonating a well-known loyalty programme — usually one with very large membership, ensuring a proportion of recipients are actual members.
The message warns that a specific quantity of points (sometimes a genuine-sounding number) will expire within 48 to 72 hours unless redeemed immediately. A link is provided to a cloned version of the loyalty scheme's website, complete with the correct logo, colour scheme, and layout.
Victims who log in have their credentials recorded. If the scheme has no two-factor authentication, the scammer immediately accesses the real account and drains the points balance by redeeming vouchers or transferring points. If the fake page requests card details for a points-to-cash conversion, those details are also harvested.
Why this scam works
Expiry warnings are a genuine, routine feature of loyalty schemes, making the premise entirely believable. The risk of losing value that was already earned creates a sense of urgency that overrides careful checking. Many loyalty programme pages look similar enough to clones that visual inspection alone is insufficient. Members may not regularly check their balance, so they cannot immediately tell whether the claimed expiring amount is accurate.
A typical pattern
A shopper receives a text message claiming their supermarket loyalty points worth [a significant redemption value] expire in 48 hours. The link takes them to a page that looks exactly like the supermarket's loyalty app login. They enter their email and password. The page thanks them and redirects to the real supermarket site. Shortly after, they receive a genuine notification that their points balance has been redeemed for gift cards they did not order.
Common red flags
- Urgency — points expiring within 24 to 72 hours requiring immediate action
- Link in email or SMS rather than instruction to log in via the official app
- URL in the message does not match the official scheme domain exactly
- Offer to convert points to cash requiring card details to complete the transfer
- Message arrives at an unusual time or contains spelling errors inconsistent with professional communications
- The claimed expiring balance seems very large or does not match what you know you have
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
[Retail programme]: your [amount] reward points expire in 48 hours. Tap here to redeem before they are lost: [fake link]
URGENT: [supermarket] Reward Points Expiry Notice. [amount] points due to expire [date]. Click to save your balance now.
Convert your [retail] points to [amount] cash today. Enter your account and payment details to receive your transfer: [fake link]
Common variations
- Cash conversion variant — fake page offers to convert points to cash, collecting card details to 'deposit' the proceeds
- App download variant — link downloads a fake loyalty app that harvests credentials
- Survey completion variant — victim is asked to complete a survey to release their points, with card details collected at the end
- Retail cashback scheme impersonation — targeting cashback app users rather than traditional points holders
How to verify before you act
Never follow a link in a loyalty points expiry email. Instead, open your browser and type the scheme's official web address directly, or use the official app. Log in through the genuine site and check your actual balance and expiry dates. If the email claimed points were expiring and your genuine account shows no such expiry, the message was fake. Report the phishing email to the loyalty programme using contact details from their official website.
Payment methods used
- Cryptocurrency
- Bank/wire transfer
- Gift cards
- Money transfer services
- Payment apps to 'friends & family'
Who is usually targeted
- Members of large retail loyalty programmes
- Supermarket loyalty card holders
- People with large accumulated but unspent points balances
- Older shoppers who may not recognise phishing page signs
What to do immediately
- Change your loyalty programme password immediately if you entered it on the fake page
- Enable two-factor authentication on your loyalty account
- Contact the loyalty programme's official fraud team to flag the compromise
- Monitor your points account for unauthorised redemptions
- If card details were entered, contact your bank to cancel and reissue the card
How to prevent it
- Never follow links in points expiry emails — go directly to the official site via browser or app
- Enable two-factor authentication on loyalty accounts where available
- Check your real loyalty balance periodically so you know what to expect
- Report suspicious loyalty programme emails to the real programme using official contact details
- Never enter card details on a page reached from a loyalty points link
Evidence to preserve
- The original phishing email or SMS
- Screenshots of the fake login page if accessible
- Any confirmation emails received from the real scheme after the compromise
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Do real loyalty programmes send expiry warnings?
Yes, genuine loyalty schemes do send expiry warnings. This is exactly what makes fake ones convincing. The key distinction is that a real programme will never ask you to log in via a link in the message itself. Go directly to the official site by typing the address in your browser, or open the official app, rather than following any link.
My points were drained — can I get them back?
Contact the loyalty programme's official support team immediately and explain that your account was compromised. Some schemes can reverse fraudulent redemptions, especially if reported promptly. They will also be able to tell you what the points were redeemed for, which may help with further investigation.