Shoppers often save up loyalty reward points through schemes such as Nectar, Clubcard and Morrisons More to spend over Christmas. But how safe are these points balances – often worth hundreds of pounds – from being stolen?
There’s protection in place if someone were to make unauthorised transactions on your credit or debit card, but not on a loyalty card. In fact, many retailers’ terms and conditions specifically say they have no responsibility for lost reward points.
Which? speaks to two shoppers whose reward points have been stolen, reveal what your rights are and how you can protect your points stash.
Are loyalty reward points being stolen?
There have recently been reports of Morrisons More points and Nectar points going missing from people’s accounts.
Which? spoke to two victims to find out what happened and how the loyalty schemes responded.
‘I had over 34,000 Morrisons More points’
‘I noticed there was a problem with my More points as I was about to do an online shop on 28 November,’ says Morrisons shopper Emily Sheppard.
‘When I looked at the transaction history, the points had been spent on 25 November in Kidderminster. I’d had over 34,000 points and have been left with 4,100.’
Morrisons More members can earn five points for every £1 spent in-store and online. Once members reach 5,000 points they get a £5 voucher, which means each point is worth 0.1p.
Emily spent over £6,800 with Morrisons to amass such a large points balance, but in the blink-of-an-eye, a fraudster spent her hard-earned rewards worth £30.
She told Which? she had been saving up the points to spend over the festive period and reported the matter to the More Card helpline.
Morrisons responded: ‘In some cases, suspicious activity can suggest someone is attempting to access an account which is not theirs. However, in your case there was no such suspicious activity.
‘We had no way of identifying this as being fraudulent activity… Where this type of activity occurs, it is usually because the same email address and password combination is used across multiple sites.’
Morrisons accounts are secured with the use of an email address and password combination.
Emily was told she should check her affected accounts on haveibeenpwned.com (this site lets you know if your details have been leaked through security breaches), with Morrisons concluding: ‘This is not due to a lack of safeguard or security on the Morrisons system.’
When Emily complained about this response she was told to contact Action Fraud, and that Morrisons had nothing to do with the security breach: ‘As this was not a breach by Morrisons, but your own personal data, we are unable to refund the points onto your account.’
Other customers have taken to Twitter, having had a similar experience.
— Tasha Powell (@Moustasha_) December 14, 2019
A Morrisons spokesperson told Which? Money: ‘Online hackers target people who use the same username and password across multiple sites. We regularly remind our customers about the importance of using a unique password.
‘We take online security very seriously and our customer data has not been breached.’
‘Nectar told me to go to the police’
Carleen McCarthy had been getting some shopping at her local Sainsbury’s on 20 November, putting her Nectar card into her coat pocket before going home.
Logging into her account the next day, she saw a message congratulating her for ‘treating herself’ and spending her Nectar points – only she wasn’t the person who had spent them.
‘The app said I’d spent nearly £30-worth of Nectar points in a branch of Sainsbury’s I’d never been to before.
I realised I didn’t have my Nectar card any more, and that someone must have taken it. I cancelled it straight away and spoke to someone on the live chat feature on the Nectar website.
‘The response has been absolutely useless. On live chat and on Twitter, the response has just been, “there’s nothing we can do – you need to go to the police”.
‘The police are busy enough, so I’m just not going to bother them with this. I haven’t been given a reason why my points can’t be refunded; I was really made to feel like this is all my fault.’
Like many people, Carleen had been saving her points to help out with the cost of Christmas.
She says it’s affected how she’ll spend with Sainsbury’s in the future: ‘I refuse to carry a Nectar card any more, as there’s just no point – I only have the app on my phone now.
‘Before, I was purposely going to Sainsbury’s for the special offers and things, but as they haven’t helped me at all at a time when I needed it, the loyalty isn’t really there for me any more.’
There were reports of some Nectar customers having lost their points online as well – and Sainsbury’s advice was similar to that of Morrisons.
When asked about stolen Nectar points, a Sainsbury’s spokesperson told Which? Money: ‘We regularly review our security measures to ensure customers are protected and advise customers to regularly update their passwords and be mindful of increasingly sophisticated phishing attempts from fraudsters.
‘We also ask customers to report any points they believe are missing from their account so that we can investigate.’
- Find out more: how to report a scam
Are other loyalty schemes at risk?
We asked other loyalty scheme providers about how they make sure points are secure and what they would do if members reported points being stolen.
Tesco told us Tesco Clubcard points aren’t worth anything until they’re converted into vouchers.
The supermarket also told us there has never been a breach relating to Clubcard points, but a very small number of cases where vouchers have been stolen from a customer’s account. These vouchers have always been replaced.
Superdrug told Which? Money that there have been instances of Superdrug Beautycard points being stolen in the past, but it’s rare, and such incidents have been ‘thoroughly investigated’.
It says keeping loyalty points on the Superdrug app is a more secure alternative to using a physical card.
- Find out more: best and worst supermarket loyalty cards
What happens if your reward points get stolen?
Reward points don’t have the same level of protection as spending on a debit or credit card.
Banks are legally obliged to reimburse customers for unauthorised transactions; retailers offering loyalty points aren’t.
The levels of security for reward points are also much lower – there’s no Pin required to spend on cards in-store, and the online email and password security features are unlikely to have the same level of encryption as a bank’s website.
With this in mind, retailers seem to be putting the responsibility for rewards points safety on customers.
According to its online advice, Nectar states: ‘The Primary Collector is responsible for the security of all Nectar Cards issued on his/her Nectar Account and all vouchers issued on that account.
‘If a Nectar Card is lost or the holder thinks an unauthorised person has become aware of any security code, password or account number, they should contact the Nectar Customer Service Centre immediately.
‘We cannot be responsible for any unauthorised use of points or any lost or stolen vouchers.’
Instead, customers are being directed to Action Fraud – the UK’s national reporting centre for fraud and cybercrime.
- Find out more: scam victims ignored by police fraud reporting system
What can you do to protect your reward points?
If you’re part of any reward schemes, it’s worth checking your points balance and statements regularly to see if there are any transactions you don’t recognise.
Even if there’s nothing wrong, it’s good practice to change your password regularly.
Loyalty reward accounts are unlikely to have the same level of security as bank accounts, so it’s even more important to have a secure password.
- be different from any other accounts
- not contain any personal information, such as your pet’s name
- contain special characters, numbers and a mix of upper and lower case letters
- not be stored in your browser system.
However, it won’t help you if your physical card has been stolen. You should also make sure you safely stow away any store cards you carry around with you to prevent them from getting stolen.
If you fall victim to loyalty card fraud you should report it to the scheme provider and change your password. You can also report the crime to Action Fraud which will investigate the issue.
- Find out more: how to create secure passwords