By clicking a retailer link you consent to third-party cookies that track your onward journey. This enables W? to receive an affiliate commission if you make a purchase, which supports our mission to be the UK's consumer champion.

Are loyalty reward points and vouchers safe from fraud?

Which? investigates your rights if your points are stolen
Danielle Richardson

Shoppers often save up loyalty reward points through schemes such as Nectar, Clubcard and Morrisons More to spend over Christmas. But how safe are these points balances - often worth hundreds of pounds - from being stolen?

There's protection in place if someone were to make unauthorised transactions on your credit or debit card, but not on a loyalty card. In fact, many retailers' terms and conditions specifically say they have no responsibility for lost reward points.

Which? speaks to two shoppers whose reward points have been stolen, reveal what your rights are and how you can protect your points stash.

Be more money savvy

free newsletter

Get a firmer grip on your finances with the expert tips in our Money newsletter – it's free weekly.

This newsletter delivers free money-related content, along with other information about Which? Group products and services. Unsubscribe whenever you want. Your data will be processed in accordance with our Privacy policy

Are loyalty reward points being stolen?

There have recently been reports of Morrisons More points and Nectar points going missing from people's accounts.

Which? spoke to two victims to find out what happened and how the loyalty schemes responded.

'I had over 34,000 Morrisons More points'

'I noticed there was a problem with my More points as I was about to do an online shop on 28 November,' says Morrisons shopper Emily Sheppard.

'When I looked at the transaction history, the points had been spent on 25 November in Kidderminster. I'd had over 34,000 points and have been left with 4,100.'

Morrisons More members can earn five points for every £1 spent in-store and online. Once members reach 5,000 points they get a £5 voucher, which means each point is worth 0.1p.

Emily spent over £6,800 with Morrisons to amass such a large points balance, but in the blink-of-an-eye, a fraudster spent her hard-earned rewards worth £30.

She told Which? she had been saving up the points to spend over the festive period and reported the matter to the More Card helpline.

Morrisons responded: 'In some cases, suspicious activity can suggest someone is attempting to access an account which is not theirs. However, in your case there was no such suspicious activity.

'We had no way of identifying this as being fraudulent activity... Where this type of activity occurs, it is usually because the same email address and password combination is used across multiple sites.'

Morrisons accounts are secured with the use of an email address and password combination.

Emily was told she should check her affected accounts on haveibeenpwned.com (this site lets you know if your details have been leaked through security breaches), with Morrisons concluding: 'This is not due to a lack of safeguard or security on the Morrisons system.'

When Emily complained about this response she was told to contact Action Fraud, and that Morrisons had nothing to do with the security breach: 'As this was not a breach by Morrisons, but your own personal data, we are unable to refund the points onto your account.'

Other customers have taken to Twitter, having had a similar experience.

A Morrisons spokesperson told Which? Money: 'Online hackers target people who use the same username and password across multiple sites. We regularly remind our customers about the importance of using a unique password.

'We take online security very seriously and our customer data has not been breached.'

'Nectar told me to go to the police'

Carleen McCarthy had been getting some shopping at her local Sainsbury's on 20 November, putting her Nectar card into her coat pocket before going home.

Logging into her account the next day, she saw a message congratulating her for 'treating herself' and spending her Nectar points - only she wasn't the person who had spent them.

'The app said I'd spent nearly £30-worth of Nectar points in a branch of Sainsbury's I'd never been to before.

I realised I didn't have my Nectar card any more, and that someone must have taken it. I cancelled it straight away and spoke to someone on the live chat feature on the Nectar website.

'The response has been absolutely useless. On live chat and on Twitter, the response has just been, “there's nothing we can do - you need to go to the police”.

'The police are busy enough, so I'm just not going to bother them with this. I haven't been given a reason why my points can't be refunded; I was really made to feel like this is all my fault.'

Like many people, Carleen had been saving her points to help out with the cost of Christmas.

She says it's affected how she'll spend with Sainsbury's in the future: 'I refuse to carry a Nectar card any more, as there's just no point - I only have the app on my phone now.

'Before, I was purposely going to Sainsbury's for the special offers and things, but as they haven't helped me at all at a time when I needed it, the loyalty isn't really there for me any more.'

There were reports of some Nectar customers having lost their points online as well - and Sainsbury's advice was similar to that of Morrisons.

When asked about stolen Nectar points, a Sainsbury's spokesperson told Which? Money: 'We regularly review our security measures to ensure customers are protected and advise customers to regularly update their passwords and be mindful of increasingly sophisticated phishing attempts from fraudsters.

'We also ask customers to report any points they believe are missing from their account so that we can investigate.'

Are other loyalty schemes at risk?

We asked other loyalty scheme providers about how they make sure points are secure and what they would do if members reported points being stolen.

Tesco told us Tesco Clubcard points aren't worth anything until they're converted into vouchers.

The supermarket also told us there has never been a breach relating to Clubcard points, but a very small number of cases where vouchers have been stolen from a customer's account. These vouchers have always been replaced.

Superdrug told Which? Money that there have been instances of Superdrug Beautycard points being stolen in the past, but it's rare, and such incidents have been 'thoroughly investigated'.

It says keeping loyalty points on the Superdrug app is a more secure alternative to using a physical card.

What happens if your reward points get stolen?

Reward points don't have the same level of protection as spending on a debit or credit card.

Banks are legally obliged to reimburse customers for unauthorised transactions; retailers offering loyalty points aren't.

The levels of security for reward points are also much lower - there's no Pin required to spend on cards in-store, and the online email and password security features are unlikely to have the same level of encryption as a bank's website.

With this in mind, retailers seem to be putting the responsibility for rewards points safety on customers.

According to its online advice, Nectar states: 'The Primary Collector is responsible for the security of all Nectar Cards issued on his/her Nectar Account and all vouchers issued on that account.

'If a Nectar Card is lost or the holder thinks an unauthorised person has become aware of any security code, password or account number, they should contact the Nectar Customer Service Centre immediately.

'We cannot be responsible for any unauthorised use of points or any lost or stolen vouchers.'

Instead, customers are being directed to Action Fraud - the UK's national reporting centre for fraud and cybercrime.

What can you do to protect your reward points?

If you're part of any reward schemes, it's worth checking your points balance and statements regularly to see if there are any transactions you don't recognise.

Even if there's nothing wrong, it's good practice to change your password regularly.

Loyalty reward accounts are unlikely to have the same level of security as bank accounts, so it's even more important to have a secure password.

It should:

  • be different from any other accounts
  • not contain any personal information, such as your pet's name
  • contain special characters, numbers and a mix of upper and lower case letters
  • not be stored in your browser system.

However, it won't help you if your physical card has been stolen. You should also make sure you safely stow away any store cards you carry around with you to prevent them from getting stolen.

If you fall victim to loyalty card fraud you should report it to the scheme provider and change your password. You can also report the crime to Action Fraud which will investigate the issue.

More on this

Related articles

About Us

Which? Limited is registered in England and Wales to 2 Marylebone Road, London NW1 4DF, company number 00677665  and is an Introducer Appointed Representative (FRN 610689) of the following:


1. Inspop.com Ltd for the introduction of non-investment motor, home, travel and pet insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635). Inspop.com Ltd is authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635) and is registered in England and Wales to Greyfriars House, Greyfriars Road, Cardiff, South Wales, CF10 3AL, company number 03857130. Confused.com is a trading name of Inspop.com Ltd. 


2. LifeSearch Partners Limited (FRN656479), for the introduction of Pure Protection Contracts and Private Health Insurance, who are authorised and regulated by the FCA to provide advice and arrange Pure Protection Contracts and Private Health Insurance Contracts.  LifeSearch Partners Ltd is registered in England and Wales to 3000a Parkway, Whiteley, Hampshire, PO15 7FX, company number 03412386.


3. HUB Financial Solutions, for the introduction of equity release advice and an annuity comparison service, who are authorised and regulated by the Financial Conduct Authority (‘FCA’) to provide advice and guidance on financial products for those who have retired or are approaching retirement (FCA Firm Reference Number: 455713). HUB Financial Solutions is registered in England and Wales to Enterprise House, Bancroft Road, Reigate, Surrey RH12 7RP, company number 05125701.


4. Alan Boswell Insurance Brokers Ltd (FRN 301), for the introduction of non-investment landlord insurances, who are authorised and regulated by the Financial Conduct Authority to provide advice and arrange insurance contracts. Alan Boswell insurance brokers Ltd is registered in England at Prospect House, Rouen Rd, Norwich NR1 1RE, company number 02591252.


Other financial services:

Mortgage service provided by London & Country Mortgages (L&C), Unit 26 (2.06), Newark Works, 2 Foundry Lane, Bath BA2 3GZ. London & Country are authorised and regulated by the Financial Conduct Authority (registered number: 143002). The FCA does not regulate most Buy to Let mortgages. Your home or property may be repossessed if you do not keep up repayments on your mortgage.


We do not make, nor do we seek to make, any recommendations or personalised advice on financial products or services that are regulated by the FCA, as we’re not regulated or authorised by the FCA to advise you in this way. In some cases, however, we have included links to regulated brands or providers with whom we have a commercial relationship and, if you choose to, you can buy a product from our commercial partners. 


If you go ahead and buy a product using our link, we will receive a commission to help fund our not-for-profit mission and our campaigns work as a champion for the UK consumer. Please note that a link alone does not constitute an endorsement by Which?.