We have our first example of Avios / Nectar fraud

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

Last week I wrote an article explaining why Avios fraud may be about to increase, and why you should ensure your account is secure.

Stealing frequent flyer miles is not usually a priority. The requirement to pay for the taxes on the flight you book with a credit card, as well as giving your real name and passport details whilst booking, is not attractive to thieves. This is why British Airways Executive Club accounts are not a top target for hackers.

Now things have changed. Hack into an BA account and you can transfer 50,000 Avios onto a random Nectar card, giving the thief £400 to spend.

We have our first hacked reader

Last night I got an email from a reader who had, literally, discovered that he had been hacked an hour before he contacted me.

The reader had checked his email and found around 70 random pieces of content. “They were all sign ups to weird sites, requests for quotes to Mexican transport companies etc” he wrote.

Halfway through the list was the email from British Airways Executive Club saying that his account had been linked to a Nectar account.

Cunningly, the hacker had hoped that by spamming the inbox with a large amount of content at once, the Nectar email would be missed.

The email said: “Congratulations, your British Airways Executive Club account has successfully been linked to a Nectar account ending in 9013.”

The reader quickly logged in to his British Airways Executive Club account. 50,000 Avios – the monthly maximum – had been transferred to the Nectar card.

(Our reader does have a Nectar card, but it doesn’t end in 9013. He had not yet linked it to his BA account.)

He called British Airways Executive Club and it locked his account. He has been promised an email from BA “in a couple of weeks”.

It is worth noting that our reader was impacted by the British Airways data breach a couple of years ago, during which his Executive Club account details would have been stolen. It isn’t clear if this is connected or not. It is possible that his details are amongst those BAEC accounts being sold on the ‘dark web’.

Conclusion

As I wrote in my article last week, the Avios / Nectar security is lax. There is no attempt to match surnames or email addresses. You can even link and unlink Nectar cards between multiple accounts.

It is possible that the hacker got away with it. Whilst the reader had his British Airways account locked, BA could not lock his Nectar account.

As long as the hacker had already used the Nectar card once, he could immediately head into Sainsbury’s and spend £400. More likely, he will have ordered £400 of eBay credit and used it to buy something from another eBay account under his control.

PS. It turns out we have had a 2nd example of fraud amongst our readers. After this article was published, someone else got in touch.

“Same thing happened to us too! We got an email saying our Executive Club account had been linked to a Nectar account. And 50k Avios were transferred out. We contacted both BA and Nectar but so far no news (BA said it could take up to 28 days for their audit team to investigate but they said we should get our Avios back).”

How to earn Avios points from UK credit cards

How to earn Avios from UK credit cards (December 2021)

As a reminder, there are various ways of earning Avios points from UK credit cards. Many cards also have generous sign-up bonuses!

There are two official British Airways American Express cards with attractive sign-up bonuses:

British Airways BA Amex American Express card

British Airways American Express

5,000 Avios for signing up, no annual fee and an Economy 2-4-1 voucher for spending ….. Read our full review

British Airways BA Premium Plus American Express Amex credit card

British Airways American Express Premium Plus

25,000 Avios and the UK’s most valuable credit card perk – the 2-4-1 companion voucher Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points, such as:

American Express Preferred Rewards Gold

Your best beginner’s card – 20,000 points, FREE for a year & two airport lounge passes Read our full review

The Platinum Card from American Express

30,000 points and an unbeatable set of travel benefits – for a fee Read our full review

Run your own business?

We recommend Capital On Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios:

Capital On Tap Business Rewards Visa

The most generous Avios Visa or Mastercard for a limited company Read our full review

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus:

British Airways Accelerating Business American Express

30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

(Want to earn more Avios? Click here to visit our home page for our latest articles on earning and spending your Avios points and click here to see how to earn more Avios this month from offers and promotions.)

Category

British Airways and Avios, Sainsbury's and Nectar

This article is closed to new posts. Discussion continues in the HfP Forums.

Matarredonda says:

6 Feb6 February 08:18

Thanks Rob for highlighting.
People with a lot of Avios going to need to be careful to avoid these scum stealing hard earned points which are now effectively money.
Rich says:

6 Feb6 February 08:19

The point raised about linking to Nectar straight away to stop this is an interesting one.
Does anyone know if in theory this would work and stop points being transferred anywhere other than the two accounts?
Stu says:

6 Feb6 February 08:20

It occurred to me that if you were to un-link and re-link your Nectar account 3 times after the initial linking, that would trigger the 4 link annual limit and thus prevent anyone from linking another Nectar account for 12 months?

Not sure if the limit of 4 linking per annum applies to different accounts though?

I appreciate this would tie you in terms of not being able to link another Nectar account but to me that’s better than getting 50K Avios pinched!
Anna says:

6 Feb6 February 08:25

Rob, you’re correct that the hackers will probably get away with this, especially if they’re based abroad (I can’t see many criminals being hugely motivated by a basket of free groceries from Sainsbury’s). I don’t know what BA’s policy is but many companies don’t even involve the police when anything like this happens, and even when they do it’s very. very difficult to trace criminals through IPP addresses. If they are based overseas, you can basically forget it unless there’s a very serious offence being investigated.
You just have to hope BA decides you’re an innocent victim and reimburses the missing avios, but this isn’t guaranteed either because you’d struggle to prove to them that it wasn’t you who transferred the avios out.
- Anna says:
  
  6 Feb6 February 08:28
  
  (Quickly checks avios balance…)
- Chris Heyes says:
  
  6 Feb6 February 11:00
  
  Hi, Anna i agree with the first part the hackers will probably get away with it.
  and yes most company’s don’t inform the police, even cover it up themselves if they can
  But disagree with the part were you say it’s very difficult to “trace” any hacker can be traced overseas or not.
  It’s just very expensive to do in practice, you need to employ a Hacker Chaser which costs a lot, but it can be done depending on resources.
  London police have there own, but are very stretched, but still manage to shut some down, very few arrests though
  - Anna says:
    
    6 Feb6 February 11:07
    
    Hi Chris – sorry, I didn’t mean technologically difficult, what hampers investigations is that it’s not easy to get authority to access someone’s data, you have to jump through hoops to get a RIPA authority including proving that you won’t impinge on anyone else’s privacy (accidentally or otherwise) – known as “collateral intrusion”. Facebook is notorious for refusing to supply member’s details and because the company is based in the US it’s virtually impossible to get them to co-operate.
    Apple is a similar case in point – they refuse to give customer details even to the FBI so in this country the government had to pass a separate law making it an offence to refuse to give your password to the police. You often see criminals taking the relatively minor punishment for this rather than giving up the contents of their phones.
    - memesweeper says:
      
      6 Feb6 February 11:37
      
      Im not a criminal and I won’t be giving up my password if I get my collar felt. IMO accused people should not be required to self incriminate.
    - Anna says:
      
      6 Feb6 February 14:33
      
      You’re not going to be asked to give up your password unless you’re actively being investigated! Though you might feel differently if you (or your family) were the victim of a massive fraud or sex abuse ring.
      - Brian says:
        
        7 Feb7 February 21:44
        
        If my family were the victim of massive fraud why would the police need access to my phone?
    - bafan says:
      
      6 Feb6 February 16:37
      
      Same. I also wouldn’t. How can I have the right to remain silent if they can force you to give your password. This country SMH.
Anna says:

6 Feb6 February 08:31

If hackers can access one BAEC account, can they then transfer avios from the whole HHA? Just wondering whether to change all our passwords now, even though the child members, for example, don’t have any avios of their own to speak of.
- Doug M says:
  
  6 Feb6 February 10:40
  
  Why not change them, it’s decent prevention and little effort.
- Dr C says:
  
  6 Feb6 February 11:33
  
  No only the Avios directly held
Sam says:

6 Feb6 February 08:37

Was the key issue poor security on the email account? Or reused emails?

Email is often the gateway into our online lives. It needs to be very secure. As others have said:
– use a password manager so you can have long(ish) unique passwords
– use multi factor authentication

Both Microsoft and Apple are introducing free passwords managers so you really have no excuse. If you don’t trust the cloud, you can get ones stored on a single pc if that is practical for you
- Sam says:
  
  6 Feb6 February 08:37
  
  Reused emails = reused passwords….
- memesweeper says:
  
  6 Feb6 February 11:40
  
  Bitwarden offers free cloud storage of your encrypted password database. They *cannot* read it and you do not need to ‘trust’ the cloud. The code base they use is open and audited. You only need to trust the maths behind the crypto. Strongly recommended for security and convenience.
meta says:

6 Feb6 February 08:49

Can someone remind me whether you actually need BAEC account password to link Nectar and BAEC? It seems that only BAEC number is sufficient in which case changing your BAEC password won’t help.
- AJA says:
  
  6 Feb6 February 08:57
  
  Yes I had to log in to my BAEC account when I first linked the two. That was via the nectar app. And when transferring 1600 nectar point I got a OTP code via text. No idea if you get a OTP when sending Avios to nectar
  - meta says:
    
    6 Feb6 February 09:01
    
    Ah, ok. So you do need the password. So the hacker knew the reader’s BAEC password as well. This isn’t clear from the article.
signol says:

6 Feb6 February 08:58

A few years ago I had my Nectar account hacked, £40 of points were stolen and used in store in Leicester. (I live in Norwich and could prove it couldn’t have been me. I was at work the whole day). Nectar closed the account, opened me a new one, and refunded the missing points.
- Lottie says:
  
  6 Feb6 February 09:16
  
  Same happened to me about 5 years ago, luckily I’d spent nectar that day in my local shop and the stolen £80 was used in a shop hundreds of miles away. All my points were refunded by Nectar pretty quickly.