Are Your Points Safe? How to Protect Your Rewards (And What to Do if They’re Stolen)

Criminals are now going after credit card rewards. Here’s what to do if you become a victim — and how to keep yourself safe to begin with.
10/25/19 | By Matt Miczulski
My Points Were Stolen: What Do I Do Now

FinanceBuzz is reader-supported. We may receive compensation when you click links to products or services mentioned in this story. The opinions and recommendations are the author's own and have not been reviewed, endorsed, or approved by any of these entities. Learn more about how we make money.

With all the different redemption options out there, the fact that thieves have started targeting credit card and loyalty points is no surprise. Points and miles can be redeemed for travel, cash, gift cards — you name it. These rewards can be highly valuable. Depending on how many points or miles you have, their value can be in the thousands of dollars.

If you were unlucky enough to be the target of one of these criminals, it can be deflating to learn all your earnings have vanished. But hope isn’t lost until you’ve exhausted all your options to restore your points. Exactly what can be done will depend on your unique situation and the policies of the points issuer.

Since it’s best that you waste no time when handling this situation, let’s jump right into what to do if your points were stolen.

Jump To

How points and miles theft can happen

If you’re asking yourself, “How did my points get stolen?” that’s a good place to start. As much as we try to keep our lives secure, there’s always seems to be someone working just as hard to gain access to it.

There are several ways a criminal can break into your account, such as stealing your passwords, phishing, and taking advantage if you use an unsecured Wi-Fi network. Passwords can be stolen if the computer you’re using is compromised or even just from you using a weak password. Phishing, on the other hand, is the criminal practice of communicating by emails, texts, or even phone calls and claiming to be from a reputable company in order to convince you to reveal personal information, such as passwords, account numbers, etc.

Once a hacker has your login credentials, they can access your account as easily as you can. Often, they’ll change the email on file so that when they redeem your points, you aren’t notified. If they don’t change the email and you have notifications turned on, you should receive a confirmation message regarding the transaction. Hopefully, you do. That’s what happened to Albert H., a member of our FBZ Elite - Travel and Points Facebook group.

“I was checking my email when I saw a point redemption-email congratulating me on my recent redemption,” Albert said. “They redeemed my points for cash and sent it to a bank account I didn’t recognize.” Luckily, Chase zeroed out the transfer, and Albert got his points back. But this isn’t always the case.

There are numerous horror stories from people across the various credit card and airline discussion forums describing these types of incidents. Not all of them end with points being returned, either. One person even claimed their verbal password had been compromised. According to a Reddit user, a criminal spoofed his phone number, called Chase, and transferred his entire point balance to a different account. This means the caller somehow also knew this person’s verbal password, as Chase asked for it and then allowed the transfer to go through.

What to do if you discover your rewards have been stolen

The moment you find out your rewards have been stolen, report it. The issue will be tougher to resolve the longer you wait. Call the credit card company or loyalty program that issued your points and explain the situation as soon as you can.

If you find out your points were cashed out or used by a hacker for a free hotel stay, you might be wondering if you can get those points back. This will likely depend on how quickly you report the theft, the evidence provided, and the policies a given company has in place to deal with points fraud and theft.

While some companies may assume full responsibility, others may not. For instance, according to the Southwest Airlines Rapid Rewards terms and conditions, “Southwest Airlines is not responsible for unauthorized access to a Member’s Account and will not replace stolen points or awards.” But that doesn’t mean you shouldn’t report any fraudulent activity or theft of points. Southwest will still likely investigate the situation, and even though its policy states it isn’t responsible, you may see results in your favor. According to members of the Southwest Rapid Rewards discussion forum, some were lucky enough to have success dealing with the Customer Relations team.

Here’s a list of major credit card, airline, and hotel loyalty programs and their respective phone numbers should you need to contact them regarding points theft:

Issuer Contact info Department
American Express 1-800-528-4800 Customer Service
Barclays 1-866-928-8598 Customer Service
Capital One 1-800-427-9428 1-800-239-7054

1-800-227-4825

Fraud Protection

Customer Service

Chase 1–800–432–3117

1–888–262–4273 (Chase Sapphire customers)

Customer Service
Citi 1-800-950-5114 Customer Service
Discover 1-866-240-7938

1-800-347-2683

Fraud

Customer Service

Alaska Airlines 1-800-654-5669 Customer Care
Allegiant Air 1-702-800-2088 Member Services
American Airlines 1-800-882-8880 Customer Service
Delta Air Lines 1-800-221-1212 Customer Service
Frontier Airlines 1-801-401-9000 Customer Relations
Hawaiian Airlines 1-800-367-5320 Customer Service
JetBlue 1-800-538-2583 Customer Service
Southwest Airlines 1-800-445-5764 Customer Service
Spirit Airlines 1-801-401-2222 Customer Service
InterContinental Hotel Group 1-888-211-9874 Customer Care
Hilton Hotels 1-888-446-6677 Customer Service
Marriott Bonvoy 1-800-627-7468 Customer Service
World of Hyatt 1-888-344-9288 Customer Service
Wyndham Hotel Group 1-800-466-1589 Customer Care

What you can do to protect yourself against points theft

Many security systems are flawed, and hackers are too good. While long, complex passwords created by tools like Google Chrome’s built-in generator or third-party programs like LastPass are a great start, adding even more layers of protection is the best way to ensure your account is locked down.

To reduce the likelihood of having your points stolen, follow these tips:

  • Use strong passwords: I wasn’t knocking password generators before. Complex passwords are a must and are your baseline for protecting your information. Password generators are great way to produce unique, complex passwords. Emphasis on unique.
  • Enable two-factor authentication: Also known as 2FA, two-factor authentication grants a computer user access only after successfully presenting two or more pieces of evidence (factors) for authentication. You’ll often see this in the form of a passcode sent to your phone or having to answer a few security questions.
  • Don’t stockpile your rewards forever: Criminals can’t steal what you already redeemed. While you may want to save your rewards for something in the future, holding onto rewards indefinitely makes your account ripe for the pickings for criminals. And if you never use your rewards, what’s the point of earning them anyway?
  • Use a point-tracking service: AwardWallet is a service that allows you to track your rewards and loyalty points in one place. You can also set an alert for redemptions, so you always know when your rewards balances change. Membership is free, unless you go with its Plus plan for $30 a year. The Plus plan will give you more insight into your balances, such as historical transactions and unlimited reward expiration notifications.
  • Pay attention to alerts you receive: Don’t get in the habit of ignoring the redemption or spending alerts your card sends you, but also be careful that they’re not phishing messages. Use alerts for what they are. If you aren’t sure if the message is legit or not, don’t click any links or provide any sensitive information. If you’re in doubt about a message’s authenticity, log into your account by going straight to an official portal rather than clicking on a link in a text or email message.
  • Don’t join any old Wi-Fi willy-nilly: Don’t be too eager to connect to any public Wi-Fi you come across. Joining an unsecured network opens you up for attack. Consider purchasing a VPN (virtual private network) to ensure that your connection is secure. Pricing can be anywhere from $3 to $15 a month.

The bottom line when it comes to protecting your points

Loyalty program and credit card points are very valuable, especially in the eyes of criminals, so treat them as you would cash. Dealing with multiple layers of security might seem like a pain, but it’s hard to argue that the extra effort isn’t worthwhile. Always check your point balances frequently, and report any fraudulent activity you see as soon as possible.

If your points were stolen, we’re sorry to hear that happened. This is a real bummer, and we know you worked hard for those points. You can do everything in your power to protect yourself, but sometimes it’s out of your hands. But keeping the tips and information in mind that we provided in this article may keep you safe in the future.

Advertising Policy

FinanceBuzz.com is an independent, advertising-supported website. Some of the offers that appear on this page are from third party advertisers from which FinanceBuzz.com receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).

FinanceBuzz.com does not include all financial or credit offers that might be available to consumers in the marketplace. FinanceBuzz.com does not include all companies or all available products.

FinanceBuzz has partnered with CardRatings for our coverage of credit card products. FinanceBuzz and CardRatings may receive a commission from card issuers.

Editorial Disclaimer

The editorial content on this page is not provided by any of the companies mentioned, and have not been reviewed, approved or otherwise endorsed by any of these entities. Opinions expressed here are the author's alone.