Redemption-time fraud controls catch airline loyalty fraud too late. By the time a fraud team sees an award booking, the account has already been compromised, and the value has already moved. The place to catch this is earlier, at login when account takeover is happening, not at ticket purchase.
How the Fraud Actually Works
An attacker who takes over a high-balance loyalty account wants cash. The stolen miles pass through a broker or gray-market reseller and come out the other side as a real ticket in a real passenger’s name. That passenger is usually an ordinary traveler who found a good fare. This is triangulation fraud with miles standing in for a stolen card: value taken from one account, laundered through an intermediary, delivered to a paying stranger.
The booking that results is the cleanest-looking moment in the entire chain. The passenger’s ID matches their ticket. No card was charged. Everyone involved passes every check, because nothing about the transaction is actually wrong at that point. The compromise happened days or weeks earlier, at login.

What the Data Shows
We analyzed 90 days of credential-testing traffic aimed at major U.S. airlines and their login, account, and password-reset endpoints. Two findings hold up industry-wide.
Volume: Over 450,000 credential-testing attempts hit airline login and account pages in the sample window, a steady, ongoing baseline of automated attacks, not an occasional spike.
Origin: More than 1 in 5 of the credentials tested against airlines were also being tested somewhere with no connection to travel at all. Of those, roughly 9 in 10 showed up elsewhere first. The compromise started somewhere else and arrived at the airline already finished. The credential was stolen, tested broadly, and the airline was one stop on a longer list.
That points to a direct operational conclusion. An airline or hotel program does not need its own breach to justify defending against this attack vector. Because most of the credentials hitting an airline’s login page were already exposed and tested somewhere else first, a program that screens incoming logins against live, cross-industry credential compromise intelligence, rather than relying only on signals tied to its own systems, can stop a meaningful share of account takeover before it happens.
Value Keeps Moving After Login
Redemption is one of several ways value leaves a compromised account, and the paths are distinct enough to score separately.
Booking for someone else. American’s AAdvantage, like most major programs, lets a member redeem their own miles for a ticket issued in someone else’s name. No transfer is required, and the recipient does not need to be a member. That is a real convenience for anyone booking on behalf of family or a travel companion. It is also the simplest way to harvest a compromised account inline: an attacker with account access can convert the balance directly into a ticket for a paying stranger in a single booking, without ever touching a transfer or pooling feature that might draw separate scrutiny.
Pooling and transfers. Delta’s SkyMiles transfers and United’s MileagePlus pooling both move value out of an account and into other accounts, whether by sending miles directly to a recipient or by combining balances into a shared pool that another member can then redeem for anyone. Each exists for real customers who want to consolidate or share miles. Each also gives an attacker a way to scatter or aggregate stolen value across several accounts before the real member notices anything is missing.
Cross-program exposure. Loyalty value increasingly moves across company lines, not only across accounts inside one program. Airline alliance partners share award inventory, and credit card and hotel points convert into airline miles and back. That link cuts both ways. A program with weak account takeover controls can pass a stream of compromised value onto its partners for redemption on their sites, and a program with strong controls can still absorb losses caused by a partner’s weaker screening.
Pool changes, transfers out, cross program redemptions, and redemptions booked for someone other than the account holder are all value movement events. They deserve the same scrutiny as a high-value redemption, because they all serve the same function in the chain.
Where Detection Has to Move
If the fraud happens upstream, that is where detection has to reach:
- Screen credentials against real-time compromised-credential intelligence at every login, password reset, and account-recovery attempt, not just at signup.
- Score transfers, pooling changes, and redemption-permission changes with the same weight as a high-value redemption.
- Treat email identity as a security signal. Compromised inboxes are the quiet path most account recovery routes through.
- Pair upstream credential and email intelligence with the signals only the airline can see, such as device, booking pattern, and payment history.
myNetWatchman provides the upstream intelligence: what is known about the credentials and identities involved, alongside the airline’s own fraud stack. The airline still makes the call, with a full picture instead of a half one.
By the time the ticket exists, the fraud is already over.
Loyalty fraud is one symptom of a deeper problem: attackers build identity longitudinally while defenders still evaluate it at a single point in time. Go deeper on inbox aging, alias fanout, and why point-in-time checks are structurally outmatched in "The Architecture of Accumulation" from myNetWatchman.
Download the White Paper →