Earmark CPE

Cybersecurity

Your Airline Miles Are Worth $74 Billion and Hackers Know It

Earmark Team · November 17, 2025

Ever check your airline miles balance and think, “I should probably use those someday”? Well, fraudsters aren’t waiting. While you casually ignore those reward points, criminals are actively hunting for these digital treasures that have somehow become worth more than the companies that create them.

In this episode of Oh My Fraud, host Caleb Newquist explores the surprisingly vulnerable world of loyalty and rewards programs, revealing how the points flooding your inbox have become prime targets for fraud schemes that affect everyone from frequent fliers to wholesale club members.

The Accidental Billion-Dollar Asset Class

When United Airlines started tracking customers in the 1950s, it gave out plaques and promotional materials—basically corporate swag. Fast-forward to today, and rewards programs look entirely different. American Airlines generated $6.5 billion from its AAdvantage program in 2023 alone—not from selling tickets, but from selling miles.

The economics are almost absurd. As Newquist points out in the episode, airlines create miles for about half a cent each. They’re database entries. Then they turn around and sell these digital tokens to credit card partners for two to three cents per mile. That’s a 400% to 600% markup on something that costs virtually nothing.

“The hilarious thing is that these aren’t tangible,” Newquist observes. “They’re just made up. They’re just digital assets created out of thin air.”

The combined loyalty programs of United, American, and Delta are worth $73.8 billion. Think about that: these made-up points are sometimes worth more than the airlines themselves. And McKinsey estimates 30 trillion unredeemed miles sit in passenger accounts globally. That’s enough for every airline passenger on Earth to take a free one-way flight.

But here’s where things get dicey. Despite sitting on this massive pile of value, major airlines, including Southwest, American, Frontier, and Alaska, don’t offer two-factor authentication for account access. These companies spend millions on aircraft safety but can’t implement basic security that’s been standard in banking for over a decade.

When Your Miles Take an Unexpected Trip

The human cost of this security gap becomes painfully clear through recent victims’ stories. In July 2024, multiple Alaska Airlines customers woke up to drained accounts. One victim lost 150,000 miles, worth about $1,900. Another reported on Reddit that hackers stole over 200,000 miles. The points were being used to book luxury hotels in Abu Dhabi.

Gabrielle Bernardini, a writer for The Points Guy, discovered her Southwest account had been hacked when she received an email confirming a Hampton Inn reservation in Kalamazoo, Michigan—a booking she never made. The fraudster burned through 17,100 points, worth about $240.

Through persistence, Bernardini got her points back. But Southwest made it clear they were only doing it as a “gesture of goodwill” and a “one-time exception.” Their actual policy? “Southwest is not responsible for unauthorized access to a member’s account and will not replace stolen points.” Newquist confirmed that’s still the policy today.

Clint Henderson’s American Airlines nightmare went even further. Fraudsters drained hundreds of thousands of his AAdvantage miles for car rentals. Recovery meant jumping through incredible hoops. American required a new email address for his new account and demanded a PDF or screenshot of his police report. When Henderson went to file the police report, the NYPD’s online system was down. He had to visit a precinct physically, then was told that he couldn’t have a copy of his report until a detective intervened the next day.

Even with proof of fraud, the car rental company that accepted the stolen points simply refused to refund them. Henderson eventually got his miles back from American, but the whole ordeal revealed just how messy these situations can become.

From Sam’s Club to the Gas Pump

The problem isn’t limited to airlines. In May 2024, Sacramento County authorities arrested 38-year-old Inam Rasool after discovering he’d been systematically draining other customers’ Sam’s Club accounts. What started as an attempt to leave with $1,000 in unpaid merchandise turned into something bigger.

Store personnel began monitoring his return visits and uncovered a sophisticated operation. Rasool used stolen Sam’s Cash rewards to buy merchandise and resell it online. When police searched his home, they found over $25,000 worth of electronics, medications, pet food, hygiene products, supplements, and snacks. They also found shipping supplies, a computer, and a label printer for his online sales operation.

Meanwhile, in Peters Township, Pennsylvania, 18-year-old Paul Kostanich was hitting Giant Eagle fuel perks accounts. Video showed him visiting gas stations almost daily, holding his phone to barcode scanners to activate stolen points from different accounts. He admitted to hacking about 20 accounts and faced 58 charges, including identity theft.

One victim’s reaction captured the general disbelief: “I could never imagine someone hacking a Giant Eagle Perks card. I mean, really?”

Why This Keeps Happening

The problem is, rewards programs were never designed as financial assets—they’re marketing tools that accidentally became valuable. As Newquist explains, “They’re just a marketing gimmick developed by corporations that they hope will get us to spend more money with them. And it just so happens that they’re very, very good at doing that.”

From a corporate perspective, the math works out. If rewards fraud costs the industry $1 to $3 billion annually, but these programs generate over $70 billion for just the top airlines, that’s less than 5% lost to fraud. For many companies, it’s just a cost of doing business, especially when they can push losses onto consumers through terms of service that disclaim responsibility.

This creates what Newquist calls a perfect storm for fraudsters. You’ve got valuable assets with minimal protection, companies that won’t pursue prosecution, and victims left holding an empty bag while corporations point to fine print.

Protecting Your Points (Since No One Else Will)

So what can you do? Newquist offers practical advice with characteristic honesty.

First, change your passwords for rewards accounts. “I know you’d have to be a cerebral freak to generate a different password for virtually every account.” But at least make them different from your banking passwords.

Second, use two-factor authentication wherever it’s available. “Is it tedious? Yes. Does it save your bacon 99.9% of the time? Also, yes.”

Third, consider a password manager. Yes, the big ones have been hacked, but the benefits of managing unique passwords outweigh the risks.

Finally, actually check your accounts occasionally. Don’t be obsessive, but treat them with the same attention you’d give a bank balance.

The Bottom Line

Those rewards points you’ve accumulated aren’t just marketing fluff; they’re real value with real vulnerabilities. Companies have created a $74 billion economy from thin air, then washed their hands of responsibility when that value gets stolen.

For accounting professionals, this is a masterclass in risk transfer. For everyone else, it’s a wake-up call. In a world where teenagers systematically drain fuel perks and hackers book Abu Dhabi hotels with your miles, ignorance is an invitation.

Listen to the full episode above for Newquist’s complete investigation, including more cases and why he thinks these programs are essentially “legal money laundering” schemes. And maybe check your rewards balances while you’re at it. Just in case someone in Abu Dhabi isn’t already enjoying them.

When Hackers Come Knocking: Protecting Your QuickBooks Practice from Modern Security Threats

Earmark Team · November 16, 2025

Here’s something that might keep you up at night: A hacker breaks into a Comcast email account and immediately creates a new Outlook.com account with an almost identical username. When they send emails through the compromised account, they set the reply-to address to redirect responses to their fake Outlook account. Most people never notice the domain switch. They see a familiar name, hit reply, and hand over sensitive information directly to the fraudster.

This real-world example comes from security expert Jamie Pollock, who joined his wife and business partner, Alicia Katz Pollock, and co-host Dan DeLong for episode 104 of The Unofficial QuickBooks Accountants Podcast. The episode, titled “Insecurity about Security,” couldn’t be more timely. As Dan noted, accountants and ProAdvisors across various Facebook groups report compromised logins with increasing frequency, raising urgent questions about the security of the QuickBooks ecosystem.

“We as accountants are the gateway to security for our clients because we have our hands in our clients’ sensitive data,” Alicia explained. With real money movement now possible through QuickBooks Bill Pay, payments, and payroll, a single compromised accountant login can expose dozens or even hundreds of client accounts. That’s why Dan suggested bringing in Jamie, who teaches internet security courses. As Dan put it, “we need someone smarter than both of us combined.”

Passkeys: Your New Best Friend (Once You Understand Them)

Remember when accountants and clients just shared login credentials? Dan does. Back in 2013, when he worked at Intuit, this practice was so common that the company built the QuickBooks Online Accountant portal specifically to stop it. “People would get into their clients’ QuickBooks Online with their clients’ login,” Dan recalled. “And Intuit was like, that can’t be a best practice.”

Fast forward to today, and we’re on the verge of an even bigger change: replacing passwords entirely with something called passkeys.

Jamie explained this complex technology in simple terms. “A passkey is an encryption key. It’s a physical token,” he explained. “You go to the server—Intuit or Google or whoever—and say I’d like a passkey. It generates this passkey and downloads it onto your device.”

Think of it like those old war movies Dan referenced, where two people need to turn keys simultaneously to launch missiles. Your device has one key, the server has the other. When you log in, they work together to verify your identity without transmitting anything that could be stolen.

To help explain how this works, Jamie offered a comparison everyone already knows: secure websites. “If a website doesn’t have security, it’s HTTP, and if it has an SSL certificate, it’s HTTPS,” he said. When you visit a secure site, it downloads an encryption key to your browser. Any information you submit gets encrypted with that key, and only the server can unlock it. Passkeys work the same way, but for your identity instead of your data.

The technology depends on two things: password vaults that sync your passkeys across devices, and biometric authentication like fingerprints or facial recognition. “Nobody has my face or my finger,” Jamie pointed out, explaining why passkeys are so secure.

But here’s the catch: we’re in an awkward transition period. “Passkeys are meant to replace passwords,” Jamie explained. “But every company, every app, every website implements it differently.” Not everyone has biometric devices or password vaults yet, so companies like Intuit keep both systems running in parallel. Alicia estimates we’re “five or maybe ten years away” from passwords disappearing completely, since everyone needs biometric-capable devices first.

The Fraud Tactics Hitting QuickBooks Users Right Now

Integrating payment features into QuickBooks has transformed accountant credentials into what Dan calls “one point of access” for bad actors. With bill pay, QuickBooks payments, and payroll all accessible through a single login, fraudsters have shifted their focus from individual businesses to the accountants who hold the master keys.

Alicia shared a disturbing story that shows just how sophisticated these attacks have become. Someone contacted her through Facebook, asking for help with a locked QuickBooks account. She emailed the person to verify their identity, and they confirmed it was really them. But Alicia had a bad feeling, and her instincts were right. “I realized it was actually the hacker inside the email account.” The fraudster had compromised both the QuickBooks account and the email, turning normal verification into a trap.

Jamie explained how these email compromises typically work. Hackers break in and immediately create a new free account on Outlook or Gmail with a similar username. They set up forwarding rules and reply-to addresses that redirect responses to their controlled accounts. “Most people don’t notice and they answer the message,” Jamie said. “Next thing you know, they’re in the hands of the hacker.”
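The reply-to redirect described above can be checked mechanically. The following is an added example, not something from the episode or from Intuit: a short Python check that compares the From and Reply-To headers of a message and flags a different domain paired with a near-identical username. The sample messages, the example domains, and the 0.8 similarity threshold are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); every address uses an example domain.
# In SPOOFED the Reply-To username swaps the lowercase "l" for a capital "I".
SPOOFED = """\
From: Pat Client <pat.client@isp.example>
Reply-To: Pat Client <pat.cIient@freemail.example>
To: bookkeeper@firm.example
Subject: Re: locked out of QuickBooks

Can you send the login details again?
"""

CLEAN = """\
From: Pat Client <pat.client@isp.example>
To: bookkeeper@firm.example
Subject: Invoice question

See attached.
"""


def split_address(header_value):
    """Return (username, domain), lowercased, from an address header value."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return "", ""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def reply_to_findings(raw_message, similarity_threshold=0.8):
    """Flag a Reply-To that sends answers to a different domain than From.

    similarity_threshold is an assumed cut-off for "almost identical username".
    """
    msg = message_from_string(raw_message)
    from_local, from_domain = split_address(msg.get("From"))
    reply_local, reply_domain = split_address(msg.get("Reply-To"))

    findings = []
    if not reply_domain:
        return findings  # no Reply-To header: replies go back to From
    if reply_domain != from_domain:
        findings.append("reply-to-domain-differs")
        # A different domain with nearly the same username matches the
        # look-alike account pattern described in the episode.
        ratio = SequenceMatcher(None, from_local, reply_local).ratio()
        if ratio >= similarity_threshold:
            findings.append("lookalike-username")
    return findings


if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("CLEAN", CLEAN)):
        print(name, reply_to_findings(raw))
```

A differing Reply-To domain on its own is common for newsletters and ticketing systems, so the look-alike username is the stronger signal of the two.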

The recovery process itself has become a vulnerability. Dan highlighted a concerning issue: if you can’t access your phone or email, Intuit offers a third option involving photo ID submission. “It doesn’t take a whole lot. It’s not that far of a stretch to say that these bad actors can forge your documents,” Dan warned. Unlike banks that require account numbers or debit card information, Intuit’s recovery relies primarily on information that’s often publicly available.

Not all fraud stories end badly, though. Alicia shared how Intuit called one of her clients after detecting multiple unauthorized login attempts from Georgia and Florida. The investigation revealed fake invoices for $900 and $24,000 in the client’s system. While Alicia joked that creating invoices instead of expenses showed “the hacker used the software wrong,” it demonstrated both the scale of potential fraud and Intuit’s active monitoring.

A newer concern involves QuickBooks’ invoice forwarding system. The system now uses a standardized email format (companyname+expenses@assist.intuit.com) that vendors can use to submit invoices directly. “If that email address gets out, people can send you bills,” Alicia warned. “If you’re not paying attention, you might pay somebody that isn’t actually a supplier.”

Your Security Toolkit: Practical Steps You Can Take Today

The good news? You don’t need a computer science degree to protect yourself and your clients. The hosts shared several strategies any accountant can implement immediately.

First up is what Dan and Alicia call the “backdoor login” strategy. “You add yourself as a team member in your QBO using a different email address,” Alicia explained. Create a completely separate Gmail account just for this purpose, add yourself with full access to QuickBooks and all clients, and store those credentials securely. If your primary login gets compromised, you can still access everything while resolving the breach.

Password management is crucial, and Alicia shared how her firm uses 1Password. “Every employee has their own personal private vault,” she explained. “But then we have group vaults that are only by permission.” Administrative passwords stay separate from general team access, bookkeeping credentials remain isolated from other systems, and everything requires biometric authentication. “I can sit down at any of my computers and have instant access to the things that I need,” she said. “But nobody else can get in because it’s either under my personal password or literally my fingerprint.”

Jamie shared his rules of internet security. Rule one: “Know your source.” Click on the sender’s name in any email to reveal the actual address. “They can fake the name, but they can’t fake the email address,” Jamie emphasized. If something claims to be from Intuit but shows @gmail.com, you’ve spotted a fake.

Another powerful rule: “Don’t do anything. Don’t react, don’t click the link, don’t call the number, don’t reply to the text.” Most scams create artificial urgency to provoke immediate action. “If there’s urgency on their part, you should just stop,” Jamie advised. His reassuring logic? “If you owe somebody $500 through PayPal, they’ll get back to you. I guarantee it.”

Additional quick tips from the episode:

  • Hover over links before clicking to see the actual destination
  • Forward suspicious emails to fraud@intuit.com
  • Check security.intuit.com for current security alerts
  • Watch for deceptive URLs using dashes (like intuit-quickbooks-dash-fake.com)
  • Enable two-factor authentication despite the inconvenience
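
The "hover over links" and deceptive-URL tips can also be expressed as a check. This is an added example, not code from the episode or from Intuit: it pulls each link out of an HTML email body and compares the real destination host against an allowlist, rather than trusting a brand name that appears somewhere in the address. The allowlist, the brand-word list, and the sample HTML are constructed assumptions; the fake domain is the one named in the tip above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for this example: the domains you actually expect mail to link to,
# and the brand words a look-alike domain is likely to borrow.
TRUSTED_DOMAINS = {"intuit.com"}
BRAND_WORDS = {"intuit", "quickbooks"}

# Constructed HTML body (not a real message).
SAMPLE_HTML = """
<p>Your account needs attention.</p>
<a href="https://security.intuit.com/">Security alerts</a>
<a href="https://intuit-quickbooks-dash-fake.com/login">https://intuit.com/login</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # [href, text] while inside an <a> element

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None


def is_trusted(host):
    """True only for a trusted domain itself or a true subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_links(html):
    """Return [(destination_host, [flags])] for each link in the HTML."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        flags = []
        # A brand word inside an untrusted host is the dash trick from the tips.
        if not is_trusted(host) and any(word in host for word in BRAND_WORDS):
            flags.append("brand-word-in-untrusted-host")
        # Visible text that is itself a URL should point at the same host.
        shown = text.strip()
        shown_host = (urlsplit(shown).hostname or "").lower() if "://" in shown else ""
        if shown_host and shown_host != host:
            flags.append("text-shows-different-host")
        report.append((host, flags))
    return report


if __name__ == "__main__":
    for host, flags in check_links(SAMPLE_HTML):
        print(host, flags)
```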

Speaking of two-factor authentication, Jamie reframed the hassle as a feature. “It’s a little bit of a hassle for you. But getting hacked and having $24,000 move around that you didn’t see? That’s a little bit more of a hassle.” Plus, unexpected authentication requests alert you to breach attempts, letting you change passwords before damage occurs.

The Road Ahead: Staying Secure in an Evolving Landscape

The transition to better security won’t happen overnight. Alicia compares computer aging to “double dog years.” By the time a computer is five years old, it’s like a 70-year-old person, and at seven years, it’s 94. Until everyone upgrades to biometric-capable devices, we’ll be managing both old and new security methods.

Security in QuickBooks is only as strong as its weakest link, which is often the recovery process. “The passkey or the way to sign in can only be as secure as the recovery process,” Dan observed. Unlike banks that require separate credentials like account numbers, Intuit’s recovery relies primarily on email and phone verification—both potentially vulnerable to compromise.

This vulnerability matters because of scale. One compromised accountant login doesn’t just expose one business; it potentially unlocks financial data for tens or hundreds of client accounts. As Dan put it, accountants have become “one point of access that a bad actor could access.”

The profession must also stay informed about evolving threats. Many accountants don’t know about resources like security.intuit.com for current alerts or that forwarding suspicious emails to fraud@intuit.com helps track fraudulent campaigns. As Alicia noted near the episode’s end, “They’re always finding new backdoors. I’m sure a year from now we’re going to have this conversation again.”

Jamie also mentioned his own services, including email cleanup and password management training. “My favorite is unread messages that are more than two years old,” he said. “You never read them two years ago, you’re not going to read them now.”

The episode ended with exciting news about Intuit actively seeking feedback. They’ve launched a new board specifically for ProAdvisors to provide actionable suggestions about banking feeds. “The developers are reading it,” Alicia emphasized. “You can have conversations with other people, we can upvote suggestions, and the developers actually join the conversation.”

Take Action: Your Security Starts Now

Security in the QuickBooks ecosystem isn’t just about protecting passwords; it’s about protecting livelihoods. Every compromised login is a potential breach of trust with clients who depend on you to safeguard their financial data.

The tools and threats will continue evolving, but your responsibility to protect client data remains constant. As Jamie’s simple rules demonstrate, effective security requires consistency and awareness. Know your source. Don’t react to urgency. Use the backdoor login strategy. Enable two-factor authentication even though it’s annoying.

Listen to the full episode for additional examples, detailed technical explanations, and Jamie’s complete security framework. The conversation includes specific guidance that could save your practice from becoming the next cautionary tale. Because in today’s digital accounting landscape, vigilance isn’t paranoia; it’s professionalism.


Alicia Katz Pollock’s Royalwise OWLS (On-Demand Web-based Learning Solutions) is the industry’s premier portal for top-notch QuickBooks Online training with CPE for accounting firms, bookkeepers, and small business owners. Visit Royalwise OWLS, where learning QBO is a HOOT!

Copyright © 2025 Earmark Inc.