Just yesterday, someone tried to steal a large six-figure balance from my Hilton Honors account. The only reasons they failed were that I was vigilant and that Hilton’s customer service team was quick to lock down the account and reverse any redemptions. But there’s more that can be done, especially as people share more about their lives online and account services become increasingly automated.
This story uses an example of my experience with Hilton, but you might want to follow similar advice with other programs.
Whoever tried to steal my Hilton points… better luck next time. 🤨
— Travel Codex (@travelcodex) December 2, 2019
I’m not sure how this happened. I do use services like Award Wallet to track several accounts, and I store my passwords with them. (There is an option not to store your passwords, if you want to be more secure.) My mailing address isn’t hard to find. It’s possible I inadvertently posted a picture on the blog with my Hilton Honors account number.
These are all bad security moves. I do not normally live my life thinking people are out to get me, but at the same time I realize I have made it easier for that small slice of the population that wants to do bad.
Still, few people know my personal email address or my phone number, which are the only ones I’ve ever used with a loyalty program, and there’s no evidence either one was compromised. It remains unclear how someone was able to access and change the contact information on my account.
I was able to detect and prevent the fraud by paying close attention to my email alerts. Around lunch yesterday I got an email from Hilton that a new email address had been added to my account. Then, shortly after, I got a second email that an email address had been removed. I quickly tried to log in on my phone’s app and found that I couldn’t.
Immediately I found myself a conference room at the office and called Hilton’s customer service team. They had difficulty confirming my identity because, lo and behold, the information I gave them was no longer on my customer profile. But I did know my account number, the approximate balance, and a history of recent stays. Perhaps this is what the fraudster used, too?
In any case, they immediately put a lock on the account to block future redemptions and cancelled transactions that were already in place. We were able to put my email address and phone number back into my account profile and remove the incorrect information. I also changed the password on my Hilton Honors account and my email address.
The guy must have still been logged in because new information was being populated as we worked.
Now here’s the important part. Hilton has an option to add two-factor authentication to your account, which means they will email or text you before making any changes. Now that it’s turned on I’ve already received at least one text that I didn’t request, perhaps because the fraudster was making a second attempt to undo our fixes.
To do this yourself, log into your Hilton account, click on Profile, and then click on Personal information. There is a section on the right to add enhanced security.
The next step was to wait for Hilton’s fraud department to complete its review. I was told that I would still be able to log in but that no redemptions would be permitted until then.
Fortunately it took less than a day. Their team made the usual recommendations to change my password and add the two-factor authentication I just mentioned. While I was on the phone with customer service, they also suggested it was possible to change my account number. Apart from replacing my phone number and email address, which I really don’t want to do, that might be the most effective step for now.
Always, always keep a close eye on your loyalty programs. It may not be real money, but it’s worth something to someone, and the controls are never as good as a bank’s. In this case everything worked out well. You can imagine how upset I’d be if I had ignored those notifications and called Hilton a week later!