Cybersecurity

The Shadow Economy of Stolen Points That Nobody Talks About

Earmark Team · December 10, 2025 ·

While you carefully track every penny in your bank account, there’s $100 billion sitting unprotected in forgotten loyalty accounts worldwide. That eye-opening number comes from Kim Sutherland, global head of fraud and identity at LexisNexis Risk Solutions, who recently joined host Caleb Newquist on the Oh My Fraud podcast to discuss the growing threat of rewards and loyalty fraud.

This episode is a perfect companion to the show’s previous exploration of reward program fraud cases, with insights from someone whose team analyzes 120 billion transactions annually. Sutherland pulls back the curtain on how loyalty programs—those everyday rewards we collect at coffee shops and airlines—are a prime target for sophisticated fraud operations.

The $13 Billion Digital Currency You’re Ignoring

The global loyalty management market now exceeds $13 billion, and it’s everywhere you look. As Sutherland explains, “Almost every type of company you interact with has some type of a program to reward their existing customers.” From airlines and credit cards to restaurants, hair salons, auto mechanics, and even schools, businesses use these programs to strengthen customer relationships.

The average person belongs to anywhere from 16 to 20 loyalty programs, but they actively monitor only a fraction of them. This gap creates a perfect opportunity for fraudsters. “They understand the value of each of those rewards points, and they pay more attention to the ones you’re not paying attention to,” Sutherland warns.

These aren’t just marketing gimmicks anymore. “Loyalty points are a form of digital currency,” Sutherland says. People treat them like savings accounts, letting balances grow and planning vacations around accumulated miles. However, your bank account has federal protection and robust security. Your coffee shop points? Not so much.

When Newquist mentions his Starbucks app, calling it “a mini bank within that company,” he highlights a crucial point. These companies handle customer funds and issue digital currency but operate without the strict oversight required of traditional financial institutions.

The dark web has turned these points into a tradable commodity. Sutherland says stolen points have specific dollar values attached and are bought and sold alongside other illegal goods. It’s not just individual criminals either. Fraud has become a business with specialized roles, training programs, and sophisticated operations.

How Criminals Harvest Your Digital Rewards

Account takeover leads the fraud playbook, and it’s devastatingly simple. While you legitimately earn points through purchases, criminals break into your dormant accounts. They either transfer your points to accounts they control or drain them for purchases before you notice.

Because loyalty accounts lack the security of traditional financial accounts, “there is more opportunity for someone to do an account takeover,” Sutherland explains.

The numbers are alarming. Sutherland reports nearly 100% year-over-year growth in loyalty-based fraud across different industries and regions. On the dark web, these stolen points trade like currency. And fraudsters operate like niche service lines—some steal data, others monetize it, and still others provide technical infrastructure.

Synthetic identity fraud takes things to another level. Criminals combine pieces of real information, such as your name, someone else’s address, another person’s phone number, to create fake identities. These synthetic identities can operate for years, building credit and accumulating points across dozens of programs.

“The real problem with synthetic identity fraud is, even if your name had been used, you may never know you were part of the creation,” Sutherland warns. There’s no real victim to report the crime, making detection extremely difficult. These fake identities might start with a jewelry store loyalty program, build credibility, then work up to valuable airline or credit card rewards.

Insider threats add another layer of risk. Travel agents booking trips might divert clients’ points to personal accounts. Employees with system access could redistribute points. Third-party agents in real estate or auto sales can siphon off points customers never knew existed.

The technical sophistication is striking. Fraudsters use device farms—racks of phones running automated scripts—to manage thousands of fake accounts. They employ burner phones, throwaway email addresses, and test security responses by making small account changes before executing major thefts.

The Impossible Balance Between Security and Convenience

“The best form of authentication is one a consumer uses,” Sutherland observes, highlighting the core challenge facing businesses. Companies must balance three competing priorities: privacy, security, and convenience. For consumers, convenience almost always wins.

Unlike employees who follow whatever security protocols their employers require, consumers simply abandon programs that make redemption difficult. As a result, even if businesses implement bank-level security, doing so could destroy the convenience that makes these programs attractive.

The solution Sutherland recommends is passive security measures that work in the background. Companies embed sophisticated tools in mobile apps that analyze device behavior without disrupting user experience. Is the device jailbroken? Has it been associated with previous fraud? Is it moving naturally, or is it part of a static device farm?

Despite technological advances including biometric authentication, AI fraud models, and emerging digital credentials, Sutherland says, “The biggest challenge is still identity verification.” After 20 years of trying, verifying that someone is who they claim to be remains unsolved.

Fighting Back Through Collaboration

Forward-thinking companies now treat loyalty fraud as a brand reputation issue rather than a compliance checkbox. “It is truly trying to ensure that consumers can trust what they’re doing,” Sutherland explains, noting that customers immediately take to social media when something goes wrong.

The response has become increasingly collaborative. Organizations create “fusion centers” where fraud, cybersecurity, and anti-money laundering teams work together. Through LexisNexis’s proprietary network, businesses share fraud intelligence across industries and borders. For example, banks in Singapore share patterns with UK retailers and major financial institutions collaborate on emerging threats.

This cooperation is essential because, as Sutherland notes, “Fraud does not stay within any country. We see the same fraudsters transacting in the US and in France and in South Africa.”

Companies focus on key vulnerability points, particularly when customers change account details. Something as simple as updating an email address or phone number can trigger an account takeover if proper verification isn’t in place. Yet each additional security step risks losing customers to competitors.

What This Means for Accounting Professionals

With $100 billion in unused points, nearly 100% annual growth in loyalty fraud, and criminals operating sophisticated international networks, this is an emerging category of financial crime that could impact your clients.

For businesses, a major loyalty breach can lead to financial loss and potential brand devastation in an era of instant social media backlash. For individuals, compromised loyalty accounts often serve as gateways to broader identity theft, especially through synthetic identity techniques.

Most concerning is that companies can’t simply apply traditional banking security models to loyalty programs. The convenience consumers demand conflicts with the security these digital assets require. As programs expand into every corner of commerce and younger generations treat points as legitimate currency, the attacks will continue.

Accounting professionals should recognize loyalty programs for what they’ve become: an unregulated digital currency that criminals actively exploit. While we’ve been protecting traditional accounts, fraudsters have built infrastructure to harvest value from the rewards programs we ignore.

Listen to the full Oh My Fraud episode with Kim Sutherland to learn specific red flags for loyalty fraud, discover emerging authentication technologies that could protect clients, and understand why those forgotten rewards programs might be your clients’ biggest vulnerability. Because in a world where your morning coffee purchase contributes to a $13 billion shadow economy, treating digital rewards with the same seriousness as traditional currency is just professional prudence.

Your Airline Miles Are Worth $74 Billion and Hackers Know It

Earmark Team · November 17, 2025 ·

Ever check your airline miles balance and think, “I should probably use those someday”? Well, fraudsters aren’t waiting. While you casually ignore those reward points, criminals are actively hunting for these digital treasures that have somehow become worth more than the companies that create them.

In this episode of Oh My Fraud, host Caleb Newquist explores the surprisingly vulnerable world of loyalty and rewards programs, revealing how the points flooding your inbox have become prime targets for fraud schemes that affect everyone from frequent fliers to wholesale club members.

The Accidental Billion-Dollar Asset Class

When United Airlines started tracking customers in the 1950s, it gave out plaques and promotional materials—basically corporate swag. Fast-forward to today, and rewards programs look entirely different. American Airlines generated $6.5 billion from its AAdvantage program in 2023 alone—not from selling tickets, but from selling miles.

The economics are almost absurd. As Newquist points out in the episode, airlines create miles for about half a cent each. They’re database entries. Then they turn around and sell these digital tokens to credit card partners for two to three cents per mile. That’s a 400% to 600% markup on something that costs virtually nothing.

“The hilarious thing is that these aren’t tangible,” Newquist observes. “They’re just made up. They’re just digital assets created out of thin air.”

The combined loyalty programs of United, American, and Delta are worth $73.8 billion. Think about that: these made-up points are sometimes worth more than the airlines themselves. And McKinsey estimates 30 trillion unredeemed miles sit in passenger accounts globally. That’s enough for every airline passenger on Earth to take a free one-way flight.

But here’s where things get dicey. Despite sitting on this massive pile of value, major airlines, including Southwest, American, Frontier, and Alaska, don’t offer two-factor authentication for account access. These companies spend millions on aircraft safety but can’t implement basic security that’s been standard in banking for over a decade.

When Your Miles Take an Unexpected Trip

The human cost of this security gap becomes painfully clear through recent victims’ stories. In July 2024, multiple Alaska Airlines customers woke up to drained accounts. One victim lost 150,000 miles, worth about $1,900. Another reported on Reddit that hackers stole over 200,000 miles. The points were being used to book luxury hotels in Abu Dhabi.

Gabrielle Bernardini, a writer for The Points Guy, discovered her Southwest account had been hacked when she received an email confirming a Hampton Inn reservation in Kalamazoo, Michigan—a booking she never made. The fraudster burned through 17,100 points, worth about $240.

Through persistence, Bernardini got her points back. But Southwest made it clear they were only doing it as a “gesture of goodwill” and a “one-time exception.” Their actual policy? “Southwest is not responsible for unauthorized access to a member’s account and will not replace stolen points.” Newquist confirmed that’s still the policy today.

Clint Henderson’s American Airlines nightmare went even further. Fraudsters drained hundreds of thousands of his AAdvantage miles for car rentals. Recovery meant jumping through incredible hoops. American required a new email address for his new account and demanded a PDF or screenshot of his police report. When Henderson went to file the police report, the NYPD’s online system was down. He had to visit a precinct physically, then was told that he couldn’t have a copy of his report until a detective intervened the next day.

Even with proof of fraud, the car rental company that accepted the stolen points simply refused to refund them. Henderson eventually got his miles back from American, but the whole ordeal revealed just how messy these situations can become.

From Sam’s Club to the Gas Pump

The problem isn’t limited to airlines. In May 2024, Sacramento County authorities arrested 38-year-old Inam Rasool after discovering he’d been systematically draining other customers’ Sam’s Club accounts. What started as an attempt to leave with $1,000 in unpaid merchandise turned into something bigger.

Store personnel began monitoring his return visits and uncovered a sophisticated operation. Rasool used stolen Sam’s Cash rewards to buy merchandise, resell it online. When police searched his home, they found over $25,000 worth of electronics, medications, pet food, hygiene products, supplements, and snacks. They also found shipping supplies, a computer, and a label printer for his online sales operation.

Meanwhile, in Peters Township, Pennsylvania, 18-year-old Paul Kostanich was hitting Giant Eagle fuel perks accounts. Video showed him visiting gas stations almost daily, holding his phone to barcode scanners to activate stolen points from different accounts. He admitted to hacking about 20 accounts and faced 58 charges, including identity theft.

One victim’s reaction captured the general disbelief, “I could never imagine someone hacking a Giant Eagle Perks card. I mean, really?”

Why This Keeps Happening

The problem is, rewards programs were never designed as financial assets—they’re marketing tools that accidentally became valuable. As Newquist explains, “They’re just a marketing gimmick developed by corporations that they hope will get us to spend more money with them. And it just so happens that they’re very, very good at doing that.”

From a corporate perspective, the math works out. If rewards fraud costs the industry $1 to $3 billion annually, but these programs generate over $70 billion for just the top airlines, that’s less than 5% lost to fraud. For many companies, it’s just a cost of doing business, especially when they can push losses onto consumers through terms of service that disclaim responsibility.

This creates what Newquist calls a perfect storm for fraudsters. You’ve got valuable assets with minimal protection, companies that won’t pursue prosecution, and victims left holding an empty bag while corporations point to fine print.

Protecting Your Points (Since No One Else Will)

So what can you do? Newquist offers practical advice with characteristic honesty.

First, change your passwords for rewards accounts. “I know you’d have to be a cerebral freak to generate a different password for virtually every account.” But at least make them different from your banking passwords.

Second, use two-factor authentication wherever it’s available. “Is it tedious? Yes. Does it save your bacon 99.9% of the time? Also, yes.”

Third, consider a password manager. Yes, the big ones have been hacked, but the benefits of managing unique passwords outweigh the risks.

Finally, actually check your accounts occasionally. Don’t be obsessive, but treat them with the same attention you’d give a bank balance.

The Bottom Line

Those rewards points you’ve accumulated aren’t just marketing fluff; they’re real value with real vulnerabilities. Companies have created a $74 billion economy from thin air, then washed their hands of responsibility when that value gets stolen.

For accounting professionals, this is a masterclass in risk transfer. For everyone else, it’s a wake-up call. In a world where teenagers systematically drain fuel perks and hackers book Abu Dhabi hotels with your miles, ignorance is an invitation.
Listen to the full episode above for Newquist’s complete investigation, including more cases and why he thinks these programs are essentially “legal money laundering” schemes. And maybe check your rewards balances while you’re at it. Just in case someone in Abu Dhabi isn’t already enjoying them.

When Hackers Come Knocking: Protecting Your QuickBooks Practice from Modern Security Threats

Earmark Team · November 16, 2025 ·

Here’s something that might keep you up at night: A hacker breaks into a Comcast email account and immediately creates a new Outlook.com account with an almost identical username. When they send emails through the compromised account, they set the reply-to address to redirect responses to their fake Outlook account. Most people never notice the domain switch. They see a familiar name, hit reply, and hand over sensitive information directly to the fraudster.

This real-world example comes from security expert Jamie Pollock, who joined his wife and business partner, Alicia Katz Pollock, and co-host Dan DeLong for episode 104 of The Unofficial QuickBooks Accountants Podcast. The episode, titled “Insecurity about Security,” couldn’t be more timely. As Dan noted, accountants and ProAdvisors across various Facebook groups report compromised logins with increasing frequency, raising urgent questions about the security of the QuickBooks ecosystem.

“We as accountants are the gateway to security for our clients because we have our hands in our clients’ sensitive data,” Alicia explained. With real money movement now possible through QuickBooks Bill Pay, payments, and payroll, a single compromised accountant login can expose dozens or even hundreds of client accounts. That’s why Dan suggested bringing in Jamie, who teaches internet security courses. As Dan put it, “we need someone smarter than both of us combined.”

Passkeys: Your New Best Friend (Once You Understand Them)

Remember when accountants and clients just shared login credentials? Dan does. Back in 2013, when he worked at Intuit, this practice was so common that the company built the QuickBooks Online Accountant portal specifically to stop it. “People would get into their clients’ QuickBooks Online with their clients’ login,” Dan recalled. “And Intuit was like, that can’t be a best practice.”

Fast forward to today, and we’re on the verge of an even bigger change: replacing passwords entirely with something called passkeys.

Jamie explained this complex technology in simple terms. “A passkey is an encryption key. It’s a physical token,” he explained. “You go to the server—Intuit or Google or whoever—and say I’d like a passkey. It generates this passkey and downloads it onto your device.”

Think of it like those old war movies Dan referenced, where two people need to turn keys simultaneously to launch missiles. Your device has one key, the server has the other. When you log in, they work together to verify your identity without transmitting anything that could be stolen.

To help explain how this works, Jamie offered a comparison everyone already knows: secure websites. “If a website doesn’t have security, it’s HTTP, and if it has an SSL certificate, it’s HTTPS,” he said. When you visit a secure site, it downloads an encryption key to your browser. Any information you submit gets encrypted with that key, and only the server can unlock it. Passkeys work the same way, but for your identity instead of your data.

The technology depends on two things: password vaults that sync your passkeys across devices, and biometric authentication like fingerprints or facial recognition. “Nobody has my face or my finger,” Jamie pointed out, explaining why passkeys are so secure.

But here’s the catch: we’re in an awkward transition period. “Passkeys are meant to replace passwords,” Jamie explained. “But every company, every app, every website implements it differently.” Not everyone has biometric devices or password vaults yet, so companies like Intuit keep both systems running in parallel. Alicia estimates we’re “five or maybe ten years away” from passwords disappearing completely, since everyone needs biometric-capable devices first.

The Fraud Tactics Hitting QuickBooks Users Right Now

Integrating payment features into QuickBooks has transformed accountant credentials into what Dan calls “one point of access” for bad actors. With bill pay, QuickBooks payments, and payroll all accessible through a single login, fraudsters have shifted their focus from individual businesses to the accountants who hold the master keys.

Alicia shared a disturbing story that shows just how sophisticated these attacks have become. Someone contacted her through Facebook, asking for help with a locked QuickBooks account. She emailed the person to verify their identity, and they confirmed it was really them. But Alicia had a bad feeling, and her instincts were right. “I realized it was actually the hacker inside the email account.” The fraudster had compromised both the QuickBooks account and the email, turning normal verification into a trap.

Jamie explained how these email compromises typically work. Hackers break in and immediately create a new free account on Outlook or Gmail with a similar username. They set up forwarding rules and reply-to addresses that redirect responses to their controlled accounts. “Most people don’t notice and they answer the message,” Jamie said. “Next thing you know, they’re in the hands of the hacker.”

The recovery process itself has become a vulnerability. Dan highlighted a concerning issue: if you can’t access your phone or email, Intuit offers a third option involving photo ID submission. “It doesn’t take a whole lot. It’s not that far of a stretch to say that these bad actors can forge your documents,” Dan warned. Unlike banks that require account numbers or debit card information, Intuit’s recovery relies primarily on information that’s often publicly available.

Not all fraud stories end badly, though. Alicia shared how Intuit called one of her clients after detecting multiple unauthorized login attempts from Georgia and Florida. The investigation revealed fake invoices for $900 and $24,000 in the client’s system. While Alicia joked that creating invoices instead of expenses showed “the hacker used the software wrong,” it demonstrated both the scale of potential fraud and Intuit’s active monitoring.

A newer concern involves QuickBooks’ invoice forwarding system. The system now uses a standardized email format (companyname+expenses@assist.intuit.com) that vendors can use to submit invoices directly. “If that email address gets out, people can send you bills,” Alicia warned. “If you’re not paying attention, you might pay somebody that isn’t actually a supplier.”

Your Security Toolkit: Practical Steps You Can Take Today

The good news? You don’t need a computer science degree to protect yourself and your clients. The hosts shared several strategies any accountant can implement immediately.

First up is what Dan and Alicia call the “backdoor login” strategy. “You add yourself as a team member in your QBO using a different email address,” Alicia explained. Create a completely separate Gmail account just for this purpose, add yourself with full access to QuickBooks and all clients, and store those credentials securely. If your primary login gets compromised, you can still access everything while resolving the breach.

Password management is crucial, and Alicia shared how her firm uses 1Password. “Every employee has their own personal private vault,” she explained. “But then we have group vaults that are only by permission.” Administrative passwords stay separate from general team access, bookkeeping credentials remain isolated from other systems, and everything requires biometric authentication. “I can sit down at any of my computers and have instant access to the things that I need,” she said. “But nobody else can get in because it’s either under my personal password or literally my fingerprint.”

Jamie shared his rules of internet security. Rule one: “Know your source.” Click on the sender’s name in any email to reveal the actual address. “They can fake the name, but they can’t fake the email address,” Jamie emphasized. If something claims to be from Intuit but shows @gmail.com, you’ve spotted a fake.

Another powerful rule: “Don’t do anything. Don’t react, don’t click the link, don’t call the number, don’t reply to the text.” Most scams create artificial urgency to provoke immediate action. “If there’s urgency on their part, you should just stop,” Jamie advised. His reassuring logic? “If you owe somebody $500 through PayPal, they’ll get back to you. I guarantee it.”

Additional quick tips from the episode:

Hover over links before clicking to see the actual destination
Forward suspicious emails to fraud@intuit.com
Check security.intuit.com for current security alerts
Watch for deceptive URLs using dashes (like intuit-quickbooks-dash-fake.com)
Enable two-factor authentication despite the inconvenience

Speaking of two-factor authentication, Jamie reframed the hassle as a feature. “It’s a little bit of a hassle for you. But getting hacked and having $24,000 move around that you didn’t see? That’s a little bit more of a hassle.” Plus, unexpected authentication requests alert you to breach attempts, letting you change passwords before damage occurs.

The Road Ahead: Staying Secure in an Evolving Landscape

The transition to better security won’t happen overnight. Alicia compares computer aging to “double dog years.” By the time a computer is five years old, it’s like a 70-year-old person, and at seven years, it’s 94. Until everyone upgrades to biometric-capable devices, we’ll be managing both old and new security methods.

Security in QuickBooks is only as strong as its weakest link, which is often the recovery process. “The passkey or the way to sign in can only be as secure as the recovery process,” Dan observed. Unlike banks that require separate credentials like account numbers, Intuit’s recovery relies primarily on email and phone verification—both potentially vulnerable to compromise.

This vulnerability matters because of scale. One compromised accountant login doesn’t just expose one business; it potentially unlocks financial data for tens or hundreds of client accounts. As Dan put it, accountants have become “one point of access that a bad actor could access.”

The profession must also stay informed about evolving threats. Many accountants don’t know about resources like security.intuit.com for current alerts or that forwarding suspicious emails to fraud@intuit.com helps track fraudulent campaigns. As Alicia noted near the episode’s end, “They’re always finding new backdoors. I’m sure a year from now we’re going to have this conversation again.”

Jamie also mentioned his own services, including email cleanup and password management training. “My favorite is unread messages that are more than two years old,” he said. “You never read them two years ago, you’re not going to read them now.”

The episode ended with exciting news about Intuit actively seeking feedback. They’ve launched a new board specifically for ProAdvisors to provide actionable suggestions about banking feeds. “The developers are reading it,” Alicia emphasized. “You can have conversations with other people, we can upvote suggestions, and the developers actually join the conversation.”

Take Action: Your Security Starts Now

Security in the QuickBooks ecosystem isn’t just about protecting passwords; it’s about protecting livelihoods. Every compromised login is a potential breach of trust with clients who depend on you to safeguard their financial data.

The tools and threats will continue evolving, but your responsibility to protect client data remains constant. As Jamie’s simple rules demonstrate, effective security requires consistency and awareness. Know your source. Don’t react to urgency. Use the backdoor login strategy. Enable two-factor authentication even though it’s annoying.

Listen to the full episode for additional examples, detailed technical explanations, and Jamie’s complete security framework. The conversation includes specific guidance that could save your practice from becoming the next cautionary tale. Because in today’s digital accounting landscape, vigilance isn’t paranoia; it’s professionalism.

Alicia Katz Pollock’s Royalwise OWLS (On-Demand Web-based Learning Solutions) is the industry’s premier portal for top-notch QuickBooks Online training with CPE for accounting firms, bookkeepers, and small business owners. Visit Royalwise OWLS, where learning QBO is a HOOT!