Cyber bandits use AI to steal loyalty points in black market worth £300m – here’s how to protect yourself

by Sarah Arnold & John Siddle on 13 Sep 2025

CYBER criminals are stealing loyalty card points in a black market worth £300million, the Sun on Sunday can reveal.

So-called “points bandits” are targeting the likes of Nectar and Avios schemes — with up to five per cent of Brits affected.

Gangs use artificial intelligence to spew out multitudes of random card numbers, until they land on a valid one by chance.

Then they are able to generate barcodes and steal the points from loyal customers.

Cyber crime expert Frank Teruel, the chief operating officer at anti-cyber crime platform Arkose Labs, told The Sun on Sunday:

“This is loyalty card cyber warfare. It’s the same as taking cash. But here’s the difference. If you walk into a Lloyds branch in London and steal some money, you’ll probably be caught and go to prison. If you steal someone’s points online and you are potentially miles away, it’s a really difficult problem.”

‘Despicable thing to do’

“Loyalty cards, right now, are the point of least resistance. It’s probably the least protected digital currency you have.”

Last year the Competition and Markets Authority found 97 per cent of shoppers are members of at least one supermarket loyalty scheme, and on average consumers belong to three.

And, according to the latest research, Brits have an estimated £6billion of unclaimed loyalty points stacked up on cards.

Now a new global survey from the Loyalty Security Alliance and Arkose Labs reveals up to five per cent of loyalty cards have been compromised.

The alliance says that the figure “reflects the UK market”, meaning £300million of points are at risk of being drained.

Julie Dowling, 50, from Crayford, Kent, was horrified when 46,000 Nectar points worth £230 were taken from her account in June.

Julie, a cleaner, and her builder husband Keith, 54, had been saving up the points to spend on their Christmas food shop in Sainsbury’s.

“Nectar thieves stole my family’s Christmas money. It’s a despicable thing to do.”

The message she was sent revealed 46,000 points had been deducted in St Albans, Herts. She was left with 1,159 points worth £5.79.

Julie, who got her points refunded, warned: “People need to know as it’s just like stealing money out of your wallet or purse.”

Points a hot target

Jennifer Bruton, a cyber crime consultant at Bores, said: “The problem is that to spend points with something like a Nectar card all you need is the barcode — and the card numbers which are used to create the barcode are predictable.”

But some loyalty card hacks are more sophisticated. Organised crime gangs based in China, Russia and Africa use industrial scale phishing enterprises — sending scam emails or other messages purporting to be from reputable firms, to steal logins and take over loyalty accounts.

The Loyalty Security Alliance and Arkose Labs’ report found that airlines and holiday loyalty schemes are a hot target for cyber criminals.

Their survey found 68 per cent of hotels are concerned about points theft, with travel booking sites facing “persistent threats from cybercriminals”.

How to protect yourself:

  • Regularly check your points balance for any suspicious activity.
  • Use features like Sainsbury’s ‘Spend Lock’ on the Nectar app to prevent unauthorized redemptions.
  • Cash in your points regularly to reduce the balance available to thieves.
  • Be wary of phishing emails or messages asking for your login details.
  • Use strong, unique passwords for each of your loyalty accounts.

A Sainsbury’s spokesperson said that the security of Nectar accounts was a “highest priority” and insisted that the number affected by points theft was “small”.
