Thieves stole $1,000 in Optimum points from this woman. Here's how to safeguard your points
Using complex passwords, enabling 2-step verification can help protect loyalty account balances
When April Canavan's inbox was suddenly flooded with emails in December, she knew something had gone wrong.
The Vancouver woman found herself subscribed to mailing lists she'd never signed up for, along with emails saying she'd just redeemed PC Optimum points at a grocery store halfway across the country.
Within about 25 minutes, Canavan says fraudsters drained around $1,000 worth of points from her account, and the mailing-list tactic aimed to distract her from the theft.
But panic had already set in because, as she told Cost of Living, she'd been saving her points to pay for Christmas.
"So then it was like, 'OK, so how am I going to afford Christmas now?' "
While fraud has plagued points collectors for years — PC Optimum notably faced a spree of fraud back in 2018 — the issue recently resurfaced after Scene+ notified points program members in January that there would be new identification requirements for redeeming points at grocery stores.
As more people have their online account credentials leaked thanks to data breaches, it's an issue that's challenging to solve, according to one expert. And because they have real cash value, loyalty points offer a potentially lucrative stream for thieves.
"When it comes to the loyalty points space, it's certainly growing," said Kevin Lee, vice-president of trust and safety at fraud management firm Sift.
Lee points to his own phone, which has hundreds of apps, many of which offer their own unique points programs, for everything from airfare to groceries to burgers.
"Because of that growing rich area, that becomes a great ground for fraudsters or criminals to take advantage of as well in the form of account compromise."
How it happens
There are two main ways bad actors can get their hands on your points.
The first is to take advantage of the fact that many people reuse the same dead-easy password across multiple sites, said Lee. If you use a password like "Password1234," for example, a thief only has to figure that out in one place to access your profiles across multiple businesses, he said.
"The fraudster essentially does a form of credential stuffing. They just brute force try a ton of different password permutations to eventually crack the code."
The other way is through data breaches.
"So you, as a consumer, may have the strongest password on the planet that you only use at one particular company," said Lee. "But if that company were to have a data breach and that personal identifiable information like a password, a username, email address, etc., were to be compromised, then suddenly you're exposed."
In an email to CBC, a spokesperson for Loblaw, the company that owns the PC Optimum program, said it's actually seen a decrease in fraud cases in recent years, "largely due to the efforts our customers have taken to secure their information."
"It's important for customers to remember that your PC Optimum points are real cash value, so you should secure your information the same way you would your bank details. Beyond that, we suggest people look at not only their account, but also the email associated with it, as stolen email and password credentials from other hacks are one of the biggest risks to fraud."
Fraud prevention tips
The statement went on to offer fraud-prevention tips, like enabling two-step verification on email accounts, never clicking on links in emails claiming that your account has been compromised, and using a password manager such as LastPass or 1Password.
Two-step verification requires users to sign into accounts with more than just a password — usually a security code sent via text or push notification. The extra layer of security makes it that much more difficult for hackers to gain access.
Rosalind Ashe isn't quite sure how thieves got access to her Scene+ points last fall. The Toronto woman had been busy with work and hadn't checked the email address associated with the loyalty program in a while.
When she did, she noticed an email saying she'd just redeemed more than 11,000 points at Montana's. "I don't really go to chain restaurants," Ashe said.
She called Scene+ right away, and while she was on the phone with the loyalty program, logged into her Scene+ account and noted a series of redemptions starting two months earlier at businesses around the Greater Toronto Area, none of which she'd ever patronized.
"They were redeeming, I would say, probably on average about $100 worth at a time. And so they were at movie theatres. They were at grocery stores. One grocery store that they went to, they spent $500."
Reimbursement can be an issue
Ashe says when she first escalated the problem with Scene+, she was told an investigation would be completed within a couple of weeks. But in an email from Scene+ a few weeks later, Ashe was asked if she'd shared her credentials with anyone; she had not. In another call she was told it was too late to be reimbursed because their 60-day window for reporting fraud had passed since the first fraudulent charges appeared.
The Scene+ program is a joint venture between Cineplex and Scotiabank, so Ashe took her concerns to the bank she's been with since she was a teenager.
"I said that I wanted to know the process for closing all of my accounts, including my credit card accounts, because of the situation."
Her missing 84,000 points were reinstated a couple hours later.
But Ashe says she's concerned about what the theft of points could mean to those who don't have the capacity to persist until they get them back.
"Everything is getting more expensive. And if you have $800 of points that you could spend on groceries, that's pretty significant."
In an email to CBC, a spokesperson for Scene+ rewards said that while the company couldn't comment on individual cases for privacy reasons, "we take cases of fraud seriously and ensure we are taking appropriate measures to protect our members."
"We always encourage members to practice good password hygiene and to monitor their accounts regularly."
Empire, which owns Sobeys, Safeway and other grocery chains where Scene+ points are collected and redeemed, also had the same message.
"Protecting our customers and their points is a priority for Empire. We always encourage customers to practice good password hygiene."
An AI solution?
Kevin Lee says AI could potentially offer a solution that doesn't put all the onus on the customer.
"A lot of the companies that we work with are deploying our technology and our software to look for anomalous behaviour from a user perspective."
That means if your points are being redeemed in another part of the country, like April Canavan's were, or in a store where you've never shopped before, a clerk could be prompted to ask for ID, or the account could be frozen.
Canavan said her PC Optimum points were eventually restored around the start of the new year, but that she ended up having to put her daughter's Christmas presents on a credit card in the meantime.
She says she was never prompted by the app to set up two-step verification, but has it set up now and recommends others do the same.
"Anything that you're saving points on or that has your credit card [number], look into their security features and enable all of them."
Audio produced by Danielle Nerman