Loyalty Points Fraud Prevention: $75 Minted in 94s (Simply Explained)
A plain-language guide to loyalty points fraud prevention. No jargon, no tech speak, just what it means for your business.
By Mike Hodgen
I Went to Fix One Problem and Found a Money Printer
I run a fashion brand here in San Diego, handmade goods sold direct to customers. A while back I built a loyalty program, the kind where customers earn points they can spend like store credit.
The problem I sat down to fix was simple: nobody could actually use their points. They'd earn credit, go to check out, and the discount would silently fail.
But while I was digging around in there, I found the opposite problem. And it was a lot worse.
Customers could earn points by leaving a review. Sounds harmless. Except there was nothing stopping anyone from leaving a fake review and getting paid for it. No requirement that they'd ever bought anything. No limit on how many times they could do it.
So I did what you'd do with a door you suspect is unlocked. I tried to kick it in.
One account had earned 1,500 points (about $75 in store credit) by submitting 15 reviews in 94 seconds. Ninety-four seconds. That's not a happy customer. That's someone running a script and laughing.
A Vending Machine That Pays You to Press the Button
Here's the question every business owner should sit with before they pay customers to do anything: if you reward an action, what stops people from gaming it?
The honest answer is nothing. Not unless you build the locks yourself.
When I pulled the numbers, the picture was ugly. My system had handed out $490 in points. And 55% of the accounts earning those points had spent exactly $0 with my brand. More than half the people farming rewards had never bought a thing.
The detail that really stung? My system already had a built-in spot to flag suspicious accounts. The flag existed. It was just never turned on. The intention was there. The protection wasn't.
That's the most common mistake I see in these systems. Someone designs the right safety feature, builds it halfway, and never finishes wiring it up. And nobody notices, because free money doesn't complain.
The Five Locks Every Rewards Program Needs
Here's the checklist I built. If you pay customers for any action, these five locks are the difference between a loyalty program and an open money printer.
Prove they actually bought something. Require at least one real purchase before any points get credited. And when in doubt, the points don't move. If the system can't confirm someone is a real buyer, it says no. A lock that defaults to "yes" isn't a lock.
One reward per product per person. Stop the same person from reviewing the same item over and over and collecting every time. Enforce it at the deepest level so it can't slip through.
Watch the speed. Real customers don't review 15 products in 94 seconds. Fraud has a signature, and the signature is speed. So I flag anyone submitting more than three reviews in a day for a human to look at.
Cap the total. Put a ceiling on how many points one account can ever earn from reviews. Even if every other lock somehow fails, the worst-case damage from one person is a number I chose on purpose.
Don't pay out instantly. Points used to land in an account the second someone hit submit, ready to spend. Now they sit in a three-day waiting period. If a review gets removed or flagged before that window closes, the points get pulled back automatically.
None of these are fancy. They're just rules, written once, enforced every time. When real money is on the line, you want hard rules doing the gating, not software making a judgment call it can be talked out of.
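The five locks written as hard rules, as an added example that is not the author's own code. The table names, the 100 points per review, the 500-point cap, the rolling 24-hour window and the account-level flag are assumptions; the three-review flag and the three-day hold come from the checklist above.

```python
import sqlite3
from datetime import timedelta

# The 3-per-day flag and 3-day hold are the article's; the other values are assumed.
POINTS, LIFETIME_CAP, DAILY_FLAG, HOLD = 100, 500, 3, timedelta(days=3)

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders(account TEXT, product TEXT);
        CREATE TABLE flags(account TEXT, reason TEXT);
        CREATE TABLE rewards(account TEXT, product TEXT, points INT, created TEXT,
            status TEXT DEFAULT 'pending',
            UNIQUE(account, product));  -- lock 2: one reward per product per person
    """)
    return db

def has_order(db, account):
    return db.execute("SELECT 1 FROM orders WHERE account=?", (account,)).fetchone() is not None

def submit_review(db, account, product, now, verify=has_order):
    try:  # lock 1 (prove purchase): any doubt, including a failed lookup, means no
        if verify(db, account) is not True:
            return "denied:no_purchase"
    except Exception:
        return "denied:no_purchase"
    earned = db.execute("SELECT COALESCE(SUM(points),0) FROM rewards "
                        "WHERE account=? AND status!='revoked'", (account,)).fetchone()[0]
    if earned + POINTS > LIFETIME_CAP:  # lock 4 (cap the total)
        return "denied:cap"
    try:  # the UNIQUE constraint rejects a second reward for the same product
        db.execute("INSERT INTO rewards(account, product, points, created) VALUES (?,?,?,?)",
                   (account, product, POINTS, now.isoformat()))
    except sqlite3.IntegrityError:
        return "denied:duplicate"
    day_ago = (now - timedelta(days=1)).isoformat()
    recent = db.execute("SELECT COUNT(*) FROM rewards WHERE account=? AND created>?",
                        (account, day_ago)).fetchone()[0]
    if recent > DAILY_FLAG:  # lock 3 (watch the speed): queue for a human
        db.execute("INSERT INTO flags VALUES (?, 'review_velocity')", (account,))
        return "pending:flagged"
    return "pending"  # lock 5 (no instant payout): nothing is spendable yet

def settle(db, now):
    """Pull back pending points on flagged accounts; release the rest after the hold."""
    db.execute("UPDATE rewards SET status='revoked' WHERE status='pending' "
               "AND account IN (SELECT account FROM flags)")
    cur = db.execute("UPDATE rewards SET status='spendable' WHERE status='pending' "
                     "AND created<=?", ((now - HOLD).isoformat(),))
    return cur.rowcount  # number of rewards released on this run
```

Replaying the 15-reviews-in-94-seconds pattern against this, an account with no orders earns nothing, and an account with one order gets three pending rewards, is flagged on the fourth, and hits the cap on the sixth.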
The Hard Part Wasn't the Fix. It Was Deciding Who to Punish.
Building the five locks took a few days. That was the easy part.
The hard part was the past. I had $490 of already-earned points sitting in accounts, and a lot of it was fake.
The technically clean answer is brutal: wipe everyone's points to zero, re-run the rules, and let only the legitimate earns survive. That's the answer a security person gives. It's also a business disaster.
So I didn't do that. I clawed back $112.50, and only from accounts that had spent zero dollars with me, plus a few test accounts I'd created myself during development. The obvious farmers.
I deliberately left $357.50 alone. That belonged to real paying customers, even some who'd earned points through the same loose loophole I built.
Here's why. Taking back loyalty credit from someone who actually paid you money is a trust killer, and that costs way more than the fraud ever could. Picture the email: "We've removed points from your account." From a customer who gave you real money. You don't repair that relationship for $5 in store credit.
The whole point of a loyalty program is repeat business. You don't protect repeat business by punishing your best customers over a loophole you created. Stop the farmers cold. Leave the real buyers alone, even when a strict reading of the rules says you technically could go after them.
Why These Leaks Stay Hidden
Step back, and the lesson goes way beyond my one program.
Every system that rewards an action is a target. Review rewards. Referral bonuses. Sign-up credits. Affiliate payouts. If money flows out when someone takes an action, eventually someone will take that action just to get the money.
And the leak is silent. That's what makes it dangerous. The farmer isn't going to email you. Your honest customers never see it. So it just runs quietly, until the day you go looking for something else and trip over it.
I'll be honest: I built this loophole myself. I shipped a rewards program with no gate, no limit, no waiting period. I only caught it because I got curious about the earn side while fixing something else. That curiosity is the only reason I found it.
Most teams never get curious. They launch the program, watch the engagement numbers go up, and never ask who's actually behind that engagement.
One honest limit: these locks reduce fraud, they don't eliminate it. A patient fraudster with enough real orders can still work the edges. Anyone who promises you fraud-proof is selling you something. I'm offering fraud-resistant, which is the thing that actually exists.
I run a real brand with my own money on the line. I find these problems in my own systems before I'd ever let them near a client's. If you reward customers for actions and you've never tested who can game it, that's exactly the kind of quiet money leak I go looking for. I'd rather find your open money printer before a stranger does.