Thieves stole $1,000 in Optimum points from this woman. Here's how to safeguard your points | CBC Radio - Action News
Home WebMail Thursday, November 14, 2024, 02:10 AM | Calgary | 6.0°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Cost of Living

Thieves stole $1,000 in Optimum points from this woman. Here's how to safeguard your points

As more people have their online account credentials leaked thanks to data breaches, the theft of reward points has become a challenging issue to solve, according to one expert. Because they have real cash value, loyalty points offer a potentially lucrative stream for thieves.

Using complex passwords, enabling 2-step verification can help protect loyalty account balances

A woman in a grey toque and black-framed glasses sits inside a vehicle.
In December 2023, April Canavan was defrauded of $1,000 worth of PC Optimum points that she'd been saving to pay for Christmas presents. (Submitted by April Canavan)

When April Canavan's inbox was suddenly flooded with emails in December, she knew something had gone wrong.

The Vancouver woman found herself subscribed to mailing lists she'd never signed up for, along withemails saying she'd just redeemed PC Optimum points at a grocery store halfway across the country.

Within about 25 minutes, Canavan says fraudsters drained around $1,000 worth of points from her account, and the mailing-list tactic aimed to distract her from the theft.

Butpanic had already set inbecause, as she told Cost of Living, she'd been saving her points to pay for Christmas.

"So then it was like, 'OK, so how am I going to afford Christmas now?' "

A loyalty card with the words PC Optimum on the front is seen close-up in a person's hand. The aisle of a retail store is seen in the background.
Canavan got her points reinstated in early January, but not before using a credit card to pay for her daughter's Christmas presents. (CBC)

Whilefraud has plagued points collectors for years PC Optimum notably faced a spree of fraud back in 2018 the issue recently resurfaced after Scene+ notified points program members in January that there would be new identification requirements for redeeming points at grocery stores.

As more people have their online account credentials leaked thanks to data breaches, it's an issue that's challenging to solve, according to oneexpert. And because they havereal cash value, loyalty points offer a potentially lucrative stream for thieves.

"When it comes to the loyalty points space, it's certainly growing," said Kevin Lee, vice-president of trust and safety at fraud management firm Sift.

Lee points to his own phone, which has hundreds of apps, many of which offer their own unique points programs, for everything from airfare to groceries to burgers.

"Because of that growing rich area, that becomes a great ground for fraudsters or criminals to take advantage of as well in the form of account compromise."

How it happens

There are two main ways bad actors can get their hands on your points.

The first is to take advantage of the fact that many people reuse the same dead-easy password across multiple sites, said Lee. If you use a password like "Password1234," for example, a thief only has to figure that out in one place to access your profiles across multiple businesses, he said.

"The fraudster essentially does a form of credential stuffing. They just brute force try a ton of different password permutations to eventually crack the code."

A smiling man in a checkered shirt smiles for a portrait.
Kevin Lee, vice-president of trust and safety at fraud management firm Sift, said the growing number of loyalty points programs has created new opportunity for fraudsters. (Submitted by Sift)

The other way is through data breaches.

"So you, as a consumer, may have the strongest password on the planet that you only use at one particular company," said Lee. "But if that company were to have a data breach and that personal identifiable information like a password, a username, email address, etc., were to be compromised, then suddenly you're exposed."

In an email to CBC, a spokesperson for Loblaw, the company that owns the PC Optimum program, said it's actually seen a decrease in fraud cases in recent years, "largely due to the efforts our customers have taken to secure their information."

"It's important for customers to remember that your PC Optimum points are real cash value, so you should secure your information the same way you would your bank details. Beyond that, we suggest people look at not only their account, but also the email associated with it, as stolen email and password credentials from other hacks are one of the biggest risks to fraud."

A man carrying a shopping bag walks past a huge sign bearing the words
Loblaw said cases of loyalty points theft have decreased in recent years, a change it attributes to improved digital privacy practices of its members. (Aaron Vincent Elkaim/The Canadian Press)

Fraud prevention tips

The statement went on to offer fraud-prevention tips, like enabling two-stepverificationon email accounts, never clicking on links in emails claiming that your account has been compromised, and using a password manager such as LastPass or 1Password.

Two-step verification requires users to sign into accounts with more than just a password usually a security code sent via text or push notification. The extra layer of security makes it that much more difficult for hackers to gain access.

Rosalind Ashe isn't quite sure howthieves got access to her Scene+ points last fall. The Toronto woman had been busy withwork and hadn't checked the email address associated with the loyalty program in a while.

When she did, she noticed an email saying she'd just redeemed more than 11,000 points at Montana's. "I don't really go to chain restaurants," Ashe said.

A woman in a purple knit sweater smiles for a photo.
Rosalind Ashe was defrauded of more than 84,000 Scene+ points, which she said were only reinstated after she threatened to shut down all her accounts with Scotiabank, which is part-owner of the loyalty points program. (Submitted by Rosalind Ashe)

She called Scene+ right away, and while she was on the phone with the loyalty program, logged into her Scene+ accountand noted a series of redemptions starting two months earlier at businesses around the Greater Toronto Area, none of which she'd ever patronized.

"They were redeeming, I would say, probably on average about $100 worth at a time. And so they were at movie theatres. They were at grocery stores. One grocery store that they went to, they spent $500."

Reimbursement can be an issue

Ashe sayswhen she first escalated the problem with Scene+, she was told an investigation would be completed within a couple of weeks. But in an email from Scene+ a few weeks later, Ashewas asked if she'd shared her credentials with anyone; she had not.In another call she was told it was too lateto be reimbursed because their 60-day window for reporting fraud had passed since the first fraudulent charges appeared.

The Scene+ program is a joint venture between Cineplex and Scotiabank, so Ashe took her concerns to the bank she's been with since she was a teenager.

"I said that I wanted to know the process for closing all of my accounts, including my credit card accounts, because of the situation."

Her missing 84,000 points were reinstated a couple hours later.

A person is scene waiting to serve customers behind the concession stand at a movie theatre.
Ashe said some of her points were redeemed by fraudsters at the movies, while others were used at grocery stores. (Christopher Katsarov/The Canadian Press)

But Ashe saysshe's concerned about what the theft of pointscould mean to those who don't have the capacity to persist until they get them back.

"Everything is getting more expensive. And if you have $800 of points that you could spend on groceries, that's pretty significant."

In an email to CBC, a spokesperson for Scene+ rewards said that while the company couldn't comment on individual cases for privacy reasons, "we take cases of fraud seriously and ensure we are taking appropriate measures to protect our members."

"We always encourage members to practice good password hygiene and to monitor their accounts regularly."

Empire, which owns Sobeys, Safeway and other grocery chains where Scene+ points are collected and redeemed, also had the same message.

"Protecting our customers and their points is a priority for Empire. We always encourage customers to practice good password hygiene."

An AI solution?

Kevin Lee says AIcould potentially offer a solution that doesn't put all the onus on the customer.

"A lot of the companies that we work with are deploying our technology and our software to look for anomalous behaviour from a user perspective."

That means if your points are being redeemed in another part of the country, like April Canavan's were, or in a store where you've never shopped before, a clerk could be prompted to ask for ID, or the account could be frozen.

Canavan said her PC Optimum points were eventually restored around the start of the new year, but that she ended up having to put her daughter's Christmas presents on a credit card in the meantime.

She saysshe was never prompted by the app to set up two-step verification, but has it set up now and recommends others do the same.

"Anything that you're saving points on or that has your credit card [number], look into their security features and enable all of them."

Audio produced by Danielle Nerman