Trip Astute has partnered with CardRatings for our coverage of credit card products. Trip Astute and CardRatings may receive a commission from card issuers. Responses are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered. Opinions, reviews, analyses & recommendations are the author’s alone, and have not been reviewed, endorsed or approved by any of these entities.

Points and miles theft isn’t something you hear about often, but it’s on the rise. Thieves are starting to realize that it’s not only easier to steal points, but it often can be done more discretely than making unauthorized purchases. A lot of people who’ve had their accounts hacked and credit card points stolen did not realize it until they wanted to use their points to book a redemption.

Chase Sapphire Preferred credit card
Chase Ultimate Rewards points (like those earned using the Sapphire Preferred) are extremely versatile and easy to redeem, making them a target for thieves

Why points theft is on the rise

While banks are getting better at detecting fraudulent charges and activity that relate to your spending, there is less effort spent on monitoring your points and rewards. Most people do not check their points every day. This means that a savvy thief could redeem your points for while without you or the bank detecting any unusual activity. If they change the contact info on the account, it makes it even more difficult to detect.

Fraud alerts generally catch unauthorized charges, but not unauthorized point redemptions

With all the recent hacks, there is a ton of user data floating around the dark corners of the internet. Since many people use the same password for multiple accounts, hackers will use this compromised data to see if they can access other accounts. Add to the fact that a lot of banks, including my Chase account, don’t have robust security options when logging into their website. This makes it hard for the average person to protect their account.

What to do if your points are stolen

Report it immediately

It’s important to be vigilant about any unusual activity. Most points theft results in gift card redemptions rather than transfers to travel partners since it’s harder to trace. If you notice missing points, the first step is to report it immediately to your issuer or bank. Just like with any fraudulent charge, the bank or issuer will do an investigation on how the theft occurred. Since using your points means that the thief likely had access to your account, you’ll want to immediately change your password. It’s important to also verify that your contact information is correct. Hacker will often change your contact information in order to intercept account alerts.

From what I’ve heard, most people have been able to get their points back. However, it can take some time for the banks to perform their investigation and come to a conclusion.

Work with loyalty programs

If you have a hotel card like the Marriott Bonvoy Boundless, you may have to contact Marriott to get your points back

Also, if you have a co-branded credit card, like a Marriott Bonvoy Boundless or IHG Rewards Club Premier card, you may have to contact the loyalty program to determine how the points were stolen. They will likely be involved in getting your points back instead of the issuer.

Report the incident to local law enforcement

You may want to consider reporting the incident to your local law enforcement. Notifying them of the incident can help investigators collect data and connect activities to other cases. Having additional data points may help to pinpoint a suspect, especially if others have reported similar circumstances.

It may be worthwhile contacting your local law enforcement to report the incident

I hope none of you have to deal with this situation. For a lot of us, points carry a lot of value, not just in monetary terms, but also in the fact that they represent future vacations and travel. Just like with anything valuable, it feels like a huge violation to have them stolen.

Tips to protect against credit card points theft

I want to share some tips to help reduce the risk of being a victim of points theft.

1. Use a password manager:

Password managers are a great way to not only keep all your passwords unique and difficult, but also removes the headache of memorizing them. For example, I’ve used 1Password for years. 1Password generates random new passwords for me that are synced to all my devices. When I need to log into a website or app, I can have it pull the password once I enter my master password.

1Password creates and maintains all your passwords securely across your devices

1Password also detects when an account has experienced a data breach and recommends when you should change your password for specific sites.

There are many other password managers out there. For example, Fiona prefers to use LastPass and it seems to work well for her. The bottom line is that you should be creating complex and long passwords that are unique to every site you visit.

2. Avoid open network connections:

Don’t let thieves intercept your data while on an open network

Have you often seen the “free wifi” hotspots at cafes and airports? Be careful when joining them — actually, just avoid them! They’re often a way for thieves to intercept your data, especially your login information. I recommend avoiding these connections or using tools to secure your data.

3. Use a VPN:

VPNs ensure that your data is not intercepted while being transmitted over the web

If you’re using a connection that may not be secure, I recommend using a VPN service. There are a ton of VPN providers out there. I personally recommend Private Internet Access. It works seamlessly with both my computer and phone, and I use it whenever I’m on a public network. The VPN creates a virtual tunnel between you and the website or service that you’re accessing. This prevents others from intercepting your traffic.

4. Avoid public USB charging ports:

This is a security vulnerability that I recently learned about. Apparently, some public USB charging ports have been altered to install malware on your device. I have to admit that I’ve been guilty of using these USB ports in the past, especially at hotels and airport lounges.

Avoid the charging USB ports found in airports, lounges, and hotels

Since you’ve likely packed your own charger when traveling, I recommend using it instead of these open USB ports. Not only will it be more secure, but you can often charge your device faster using a multi-port USB charger. In fact, my Anker 4-port USB charger can charge multiple devices faster than most basic USB ports and default chargers.

5. Track your points with AwardWallet:

AwardWallet Logo
AwardWallet is a great way to track your points and receive notifications on changes

AwardWallet is one of the best tools to use for tracking your credit card and loyalty points. Using AwardWallet can also notify you when there are changes to your point balances, which can be extremely helpful for detecting points theft.

6. Check your point balances if you get a fraud alert:

Make sure to check your points balances if you receive a fraud alert from an issuer

If you happen to have a fraudulent charge appear on your account, I suggest checking your point balances. Most times, we’re more concerned about getting a new card number and replacement card. We don’t check to see if our points or rewards have been affected. While having a fraudulent charge doesn’t mean that your points balances have been compromised, it’s good practice to check them anyway.

7. Beware of phishing emails or calls:

Don’t fall for fake emails, phone calls, and websites requesting your login information

Since stealing your points requires access to your account, your login information is more valuable than your actual credit card. One of the easiest ways for thieves to get this information is by simply asking you for it! Be wary of any emails or phone calls requesting that you enter your login information or provide any password details over the phone. In fact, even when I get emails alerting me to a new statement, I avoid clicking on the links. Instead, I log into my account like normal and access the statement. That way I know that I’m not going to a spoofed website that is trying to “phish” my information.

Final thoughts

I would love to see issuers and banks implement more security measures for accounts. Specifically, multi-factor authentication measures like time-based passwords and tokens. Our financial accounts are so important to our lives. It doesn’t make sense that industry-standard security measures aren’t used to protect them!

Have any of you experienced points theft or know anyone that has? Also, do you have any other tips to share?

If you’re interested in applying for a new credit card, we encourage you to compare credit card offers. We do get a commission if you use our link. It doesn’t cost you anything extra, but it helps us to continue building content for our site and channel.

Trip Astute has partnered with CardRatings for our coverage of credit card products. Trip Astute and CardRatings may receive a commission from card issuers. Responses are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered.


Your email address will not be published. Required fields are marked *

  • Do not use a password manager. It’s one password to store them all, if you even password protect it. Then they have access to ALL your passwords. I saved my passwords in google chrome browser. Hackers gained access to my email/password which I thought were secure. They then had access to ALL my passwords, email, etc and stole money from my chase savings, all my rewards points, purchased things on my amazon, and wrecked a few other misc accounts since they could just login with a VPN and chrome browser and go to town. My local PD and the FTC have been helping me but to no avail. Chase has refused to refund my missing 50$ and give back my stolen rewards points since it took me 3 days to notice. Hacking happened on a Friday and I found out when I got back on Monday…

    Password managers and storing passwords digitally is a bad bad bad idea.


Get notified of travel updates, articles & contests

Thank you for subscribing.

Something went wrong.