Fake Travel Points & Miles Scams
Phishing attacks and fake platforms that steal loyalty account credentials to drain hard-earned travel miles and points.
Last reviewed: 1 June 2026
What this scam is
Fake travel points and miles scams target the loyalty accounts of frequent flyers and hotel rewards members. The objective is straightforward: gain access to the victim's airline miles, hotel points, or travel credit card rewards balance and convert those points into flights, hotel stays, gift cards, or cash-equivalent transfers before the owner notices.
These scams operate through several routes. Phishing emails impersonating airlines or loyalty programmes are the most common, tricking recipients into entering their account credentials on a fake login page. Account takeover through credential stuffing — using login details exposed in unrelated data breaches — is a significant background threat. Less commonly, fraudulent third-party 'points exchange' or 'miles purchase' platforms collect payment or account access in exchange for points transfers that never materialise.
The harm is both financial and logistical. Miles and points represent real monetary value — frequent travellers may accumulate balances worth hundreds or thousands of pounds across programmes. Recovering stolen points requires time-consuming contact with the loyalty programme and is not always possible. In the meantime, planned redemptions such as award flights or hotel bookings may be disrupted.
Because loyalty accounts are often treated as lower-priority security targets — many people use weaker passwords for them than for banking — they can be among the easiest accounts for criminals to access, while containing balances that are very usable for fraudulent transactions.
How it works
Phishing is the primary route. The victim receives an email that closely mimics the branding of their loyalty programme, often citing an account activity alert, an expiry notice, a bonus points offer, or a suspicious activity warning. The message creates urgency — 'your miles expire in 5 days' or 'unusual activity detected, verify your account now' — and includes a link to a fake login page.
The fake page reproduces the loyalty programme's login design precisely. When the victim enters their username and password, these are captured immediately. The attacker then logs into the genuine loyalty programme, changes the email address and password, and redeems the points for award flights, e-gift cards, or transfers to other accounts before the victim realises the account has been accessed.
In credential-stuffing attacks, the attacker uses automated tools to test combinations of email addresses and passwords from previous data breaches against loyalty programme login systems. Accounts where the victim has reused a password from a breached site are at risk even if the victim has never clicked a phishing link.
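A defender-side illustration of the credential-stuffing pattern just described, added here and not part of the original page: one source address cycling through many different accounts in a short window, as seen in a loyalty programme's login logs. The log format, thresholds and addresses are constructed assumptions.

```python
# Added example (not from the original page): flag credential-stuffing
# sources in constructed loyalty-programme login logs. The log format,
# thresholds and addresses are illustrative assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <source ip> <account> <result>"
SAMPLE_LOG = """\
2026-05-01T10:00:01 198.51.100.7 alice@example.com FAIL
2026-05-01T10:00:02 198.51.100.7 bob@example.com FAIL
2026-05-01T10:00:02 198.51.100.7 carol@example.com FAIL
2026-05-01T10:00:03 198.51.100.7 dave@example.com FAIL
2026-05-01T10:00:03 198.51.100.7 erin@example.com FAIL
2026-05-01T10:00:04 198.51.100.7 frank@example.com OK
2026-05-01T10:00:10 203.0.113.5 alice@example.com FAIL
2026-05-01T10:00:40 203.0.113.5 alice@example.com OK
"""

def parse_log(text):
    """Turn each line into (timestamp, ip, account, result)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Map each suspicious source IP to every account it tried.
    One IP cycling through many different accounts inside a short window
    is the credential-stuffing signature; a member retrying their own
    password hits one account from one IP and is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_accounts:
                flagged[ip] = {u for _, u in attempts}
                break
    return flagged

def compromised_accounts(events, flagged):
    """Accounts a flagged IP logged into successfully: these members reused
    a breached password and need a forced reset and a redemption review."""
    return sorted(user for _, ip, user, result in events
                  if result == "OK" and ip in flagged)
```

The successful login from the flagged address is the account that matters most: it is the one whose balance can be drained within minutes, so it needs a password reset and a check of recent redemptions before anything else.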
Fraudulent points-buying or exchange platforms advertise on social media and forums, promising to sell or exchange miles at discounted rates. They collect payment or account details and either deliver nothing or harvest the credentials provided.
Why this scam works
Loyalty accounts feel less financially critical than banking accounts, which means people are less vigilant about them. Password reuse is common in this category. Phishing emails about expiring miles or suspicious account activity are effective because they mirror the kind of notifications the real loyalty programmes do send.
The redemption window can be very short — experienced fraudsters redeem accumulated points within minutes of gaining access, making early detection difficult. Programmes with instant digital redemption options — gift cards, airline credits, hotel points conversions — are especially exploitable.
Many people are unaware that their points can be redeemed for cash-equivalent products or transferred to other accounts with real monetary value. This gap in awareness means they are also less likely to have set up account security measures like two-factor authentication.
A typical pattern
A frequent flyer receives an email in their airline's branding warning that their miles will expire in five days unless they log in to confirm account activity. The link leads to a convincing replica of the airline's login page. After entering their credentials, they receive no further response. The following day they find their balance has been emptied via several gift card redemptions made in quick succession. Their account email address and password have been changed.
Common red flags
- Urgent email about expiring miles or suspicious activity with a link to log in
- Login page reached via a link whose URL is not the official loyalty programme domain
- Email addresses or domains that differ slightly from the genuine programme's communications
- Third-party platforms claiming to sell or exchange miles at rates far below or above market value
- Account activity notifications for transactions you did not make
- Inability to log into your account following a click on an email link
- Changes to your account email address or password that you did not initiate
- Redemptions appearing in your account activity that you did not authorise
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Urgent: your [loyalty programme] miles expire in 5 days. Log in to save them: [fake link]
Suspicious activity detected on your [programme] account. Verify your identity now to secure your balance: [fake link]
Congratulations — you have qualified for a double miles bonus. Claim it within 48 hours: [fake link]
Buy [airline] miles at 40% discount. Limited availability. Transfer to any account: [fake link]
Your [programme] account has been flagged. To restore full access, log in and confirm your details: [fake link]
We are offering [amount] miles for your account details. Instant transfer, no risk. Contact us here: [fake link]
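The two URL red flags listed earlier (a login link whose domain is not the official programme domain, and a domain that differs only slightly from the genuine one) can be checked mechanically. This is an added example, not code from the original page; the official domain "skyrewards.example" and the sample messages are constructed, and the brand-in-hostname and edit-distance heuristics are simple assumptions rather than a complete lookalike detector.

```python
# Added example (not from the original page): classify the links in a
# loyalty-programme email against the programme's official domain. The
# domain "skyrewards.example" and the messages below are constructed.
import re
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"skyrewards.example"}  # assumed official programme domain
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(host):
    """Last two labels: login.skyrewards.example -> skyrewards.example.
    Production code should consult the public suffix list instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url):
    """'official', 'lookalike' (brand name embedded elsewhere in the host,
    or a near-miss spelling) or 'unknown' (an unrelated domain)."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return "official"
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        if brand in host or edit_distance(domain, official) <= 2:
            return "lookalike"
    return "unknown"

def suspicious_links(message):
    """Every link in the message that does not lead to an official domain."""
    verdicts = [(u.rstrip(".,)"), classify_link(u.rstrip(".,)")))
                for u in URL_RE.findall(message)]
    return [(u, v) for u, v in verdicts if v != "official"]

# Constructed sample messages modelled on the sanitized examples above
SAMPLE_MESSAGES = [
    "Your miles expire in 5 days. Log in: https://skyrewards-verify.example/login",
    "Suspicious activity detected. Verify now: https://skyrewards.example.account-check.example/",
    "Your statement is ready: https://account.skyrewards.example/statement",
    "Buy miles at 40% discount: https://cheap-miles.example/buy",
]
```

Note that the second sample passes a naive "does the link contain the brand name" check: the official domain appears as a subdomain of an unrelated registrable domain, which is why the comparison is made on the registrable domain rather than on the whole hostname.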
Common variations
- Phishing emails citing expiring miles, suspicious activity, or bonus offers requiring login via a link
- Credential-stuffing attacks using passwords from unrelated data breaches
- Fraudulent third-party miles-purchase or exchange platforms
- Social media posts offering discounted miles requiring account login or payment
- Fake customer service calls to loyalty programme members seeking account 'verification'
- SIM-swap attacks targeting the phone number linked to a loyalty account to intercept two-factor codes
How to verify before you act
Enable two-factor authentication on all your loyalty programme accounts. Use a unique, strong password for each programme — a password manager makes this practical. Set up account activity notifications where available, so that redemptions or changes to your account trigger an immediate alert.
Never log into a loyalty programme by following a link in an email. Navigate directly to the programme's official website or use the official app. If an email cites account activity, go to your account directly and check there, not via the link in the message.
Be sceptical of any third-party platform offering to buy, sell, or exchange miles outside the official programme's own transfer partners. Official partner transfers are listed on the programme's own website.
Payment methods used
- Account credentials harvested
- Payment for fraudulent points purchases
Who is usually targeted
- Frequent flyers
- Hotel rewards members
- Travel credit card holders
- People with large accumulated balances
What to do immediately
- If you clicked a phishing link and entered credentials, go to the official programme website immediately and change your password
- Enable two-factor authentication on the account if not already active
- Contact the loyalty programme's official fraud or security team to report unauthorised access and request account review
- Check recent account activity for unauthorised redemptions and request reversal from the programme
- Change passwords on any other accounts where you used the same credentials
- Report the phishing email to your national cybercrime or fraud reporting service
- Check whether other loyalty accounts use the same password and change those too
How to prevent it
- Use a unique, strong password for every loyalty programme account
- Enable two-factor authentication on all loyalty accounts where the option exists
- Set up account activity alerts so any redemption or change triggers an immediate notification
- Never follow login links from emails — navigate to loyalty programme sites directly
- Review your accounts periodically to check for activity you don't recognise
- Be cautious of any third-party platform not listed as an official transfer partner on the programme's website
- Check whether your email address appears in known data breaches and change passwords accordingly
Evidence to preserve
- The phishing email including full headers
- The URL of the fake login page
- Screenshots of your account activity showing unauthorised redemptions
- Correspondence with the loyalty programme's fraud team
- Any confirmation of transactions you did not make
- Records of when you first noticed the account had been compromised
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Can I get stolen miles or points returned?
Sometimes. Many programmes have fraud teams who investigate unauthorised redemptions, and reversals are possible — particularly if reported promptly. Contact the programme's official fraud or security team immediately. The sooner you report, the better the chance of recovery.
How can I tell if an email about my loyalty account is genuine?
Don't follow any link in the email. Go directly to the programme's official website or app and log in from there. If the action described in the email is required, it will appear in your account. If no action appears, the email was fraudulent.
What is credential stuffing?
Credential stuffing is when attackers take username and password combinations leaked from previous data breaches and test them automatically on other platforms. If you use the same password across multiple sites, a breach on one site can expose accounts on others.
Are third-party miles-buying platforms safe?
Only platforms listed as official transfer partners on your programme's own website can be considered legitimate for points exchange. Other third-party platforms are unverified and carry significant risk of fraud or terms-of-service violations that could result in account closure.
How quickly can stolen miles be redeemed?
Very quickly — experienced fraudsters can redeem points for digital rewards within minutes of gaining access. Speed of response is important: change your password and contact the fraud team as soon as you suspect access.
Should I set different passwords for loyalty accounts than for banking?
Every account should have a unique password. Loyalty accounts hold real monetary value and are worthwhile targets. Using a password manager makes it practical to maintain unique, strong passwords across many accounts.
What should I do if I can no longer log into my loyalty account?
This may indicate the account email and password have been changed by a fraudster. Use the programme's official 'forgot password' or account recovery process, or contact their fraud line directly. Act quickly — the faster you regain access, the more likely you are to limit the damage.