Thieves Are Out To Sell Your Stolen Miles For Cheap

Sep 19, 2018

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

The dark web is flooded with stolen airline miles pilfered following data breaches or through phishing operations — and the thieves are willing to sell the miles for about half their value.

In a study published Wednesday, technology and research firm Comparitech examined black markets on the web in search of miles for sale. It found rewards points available on the dark web from more than one dozen different frequent flyer programs. Delta SkyMiles and British Airways Avios were the mileage currency most commonly listed.

Although prices frequently fluctuate and are not uniform across different black markets, one of the sellers Comparitech examined was selling 100,000 points from various frequent flyer programs for as little as $884. Based on TPG’s latest valuations, those points are being sold at a huge discount. Some of the miles programs listed at this price included:

To be clear, stealing frequent flyer miles is a crime, one that could land a thief in prison for years. It’s also unwise to purchase stolen miles. Comparitech says if you get caught, the airline could take away all your miles (even the ones you earned legitimately) and leave you with nothing for violating its terms of service.

Still, the threat of incarceration isn’t deterring criminals from either taking over consumer accounts or emptying out those accounts and transferring miles into new ones. They first break in by obtaining login credentials taken during a data breach or by phishing individual account holders, Comparitech said.

A phishing scam might go like this: The consumer will get an email claiming to be from an airline asking the consumer to verify their account information — because there was a problem with the account, in order to claim a prize, cancel a reservation or any number of other excuses to get you to comply. When the consumer sends the information, the thief gets access to their account.

People who buy the stolen miles likely don’t use them to purchase airfare or book hotel rooms, Comparitech noted, because those transactions typically require proof of ID. Instead, stolen miles may be easily converted into gift cards or products available through partner retailers. Some resell the rewards to so-called “grey market mileage brokers” that abound on the web. Those brokers then may turn around and use the points to get flight upgrades for their clients.

How to Protect Yourself

If you discover you’re missing miles, report it immediately to the airline. As TPG himself pointed out several years ago, although the airlines aren’t liable for miles stolen from your account, the sooner you report the theft, the better the odds are they can catch the thief and get you your miles back.

Comparitech also cautions travelers to do the following to protect themselves against an account breach:

  • Shred boarding passes after a flight.
  • Don’t post pictures of boarding passes online.
  • Don’t put frequent flyer account numbers on baggage tags.
  • Avoid airport Wi-Fi when accessing your account.

You’ll also want to regularly check your account and frequently change your strong account password. Because of the volume of data breaches, you’ll also want to make sure your airline account password is unique from other passwords. If not, you’re making yourself vulnerable to attack.

Featured image by Bill Hinton / Getty Images.

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.