Data breaches are becoming all too common, but they primarily affect credit cards. While most people take steps to secure their credit card accounts and protect themselves against identity thieves, few take the same steps against credit card point theft.

What happens when your points and miles are stolen? Although the effects are not as devastating as identity theft, the steps you need to take to protect yourself and restore your points balances are similar. Here’s everything you need to know about what to do if your rewards account is hacked.

How are credit card points stolen

Stealing credit card points is more complicated than stealing a credit card for unauthorized use. Fraudsters need to acquire your ID, successfully hack your account and clean it up. Stolen rewards usually end up being sold on the dark web, redeemed for gift cards, or used for merchandise purchases through the rewards program. Unfortunately, credit card companies don’t have point fraud alerts, so fraudsters can easily go unnoticed.

This practice isn’t new, but the COVID-19 pandemic has presented a great opportunity for scammers. As travelers stopped traveling, they still spent with credit cards and perhaps paid less attention to their rewards accounts. The result was heaps of rewards for the catch.

Forbes contributor Brett Holzhauer fell victim to one of these scammers when his Amex Membership Rewards account was hacked. He and his wife had 200,000 points stolen, but it didn’t stop there: the thieves went shopping with his The Blue Business® Plus credit card from American Express.

In the end, American Express refunded his points and removed the fraudulent charges, but what’s concerning is that it only came to Brett’s attention when he received a fraud alert about major purchases the thieves had made. If they hadn’t raised a fraud alert, it might have taken months before he learned of the missing dots.

How to recover your stolen points

Fortunately, there is hope if your points are stolen. If there’s been a data breach and your points are gone, you can get them back by immediately calling your bank or loyalty program. As someone this has happened to in the past, I can attest that it is a relatively painless process. In most cases, the customer service agent will review how the points were redeemed. For example, if the rewards were used for a flight departing from an airport far from your home, with a passenger name that does not match yours, this is an easy way to determine that the booking was not authorized.

Some programs can also see from which location your account was accessed. If it was far from your usual location, that might indicate it wasn’t you. In most cases, determining a fraudulent point redemption is not too difficult. Still, it is crucial to report it immediately when you become aware of it.

In addition to calling your bank or loyalty program to report your points stolen, there are other steps you should take to protect your account. Here’s a step-by-step guide to recovering your points and securing your account after a breach, although many of these steps can be implemented now to prevent unauthorized use of your rewards.

Secure your account

The first thing you’ll want to do when you discover an anomaly in your points balance is secure your account. In addition to points, your loyalty account contains other information that could be compromised. Changing your password and setting up multi-factor authentication helps prevent further data breaches.

If you haven’t already, cybersecurity expert Bahman Hayat recommends setting up a password manager like 1Password. These password managers work by automatically storing and organizing all your usernames, passwords, PINs and account numbers in an encrypted and secure database.

If you haven’t changed your passwords in the past few years, chances are they were compromised in one of dozens of data leaks. You can find out if this is the case by going to Have I Been Pwned.

Hayat also recommends changing all your account passwords after a data breach. While you’re checking your point balances (more on this step below), it’s also a good time to update your passwords.

Call the program immediately

Once your account is secure, you’ll want to call your relevant loyalty program immediately. In most cases, you should be able to recover your points after an investigation.

Years ago, hackers broke into my Radisson Rewards account and redeemed over 500,000 points for gift cards. As an avid travel hacker, I didn’t know what offended me more – that my points had disappeared or that they had been redeemed at such a low value. Anyway, I called Radisson Rewards and they restored my balance within hours.

However, not all programs will be this fast. When hackers broke into my JetBlue account three years ago, it took me several days to get my points back.

Check if other accounts have been compromised

Once you’ve notified your loyalty program, you’ll want to check your other accounts for similar violations. I use AwardWallet to track all of my point balances in one place.

If you don’t use point tracking, you’ll need to log in to each individual loyalty program account to ensure your balance is intact. Check your balance and recent activity carefully, as your balance may not be completely cleared. This part can be tedious, but it will ensure that you not only secure the account that has been compromised, but the others as well.

How to avoid having your points stolen

When it comes to preventing point theft, a strong offense is the best defense. You should expect your rewards accounts to be hacked at some point. The best way to deal with it is to stay one step ahead of hackers. Here are three steps you can take to prevent point theft.

Track your points

Tracking your points is key to detecting data breaches and ensuring your points aren’t stolen. With point trackers like AwardWallet, you can even set alerts to receive an email when your balance suddenly changes. Ten years ago, that’s how I learned that my Radisson Rewards points had been wiped out by hackers.

Secure your passwords

Password security is essential to prevent account takeovers and point theft. Hayat recommends creating a different password for each account and using a password manager app to store them securely in one place.

Multi-factor authentication should also be part of your password security strategy. Hayat says, “I recommend Microsoft or Google Authenticator. This is preferable to text-based authentication, which is vulnerable to swap attacks.

Be careful what you click

According to Cisco’s Cybersecurity Threat Trends Report, phishing is responsible for 90% of data breaches. Scammers are becoming more sophisticated in creating emails that appear to come from banks and loyalty programs. Some of them will even address you by your first name and ask you to click on a link to read a message or confirm your account information.

When you receive an email like this, it’s best not to click on it at all. Instead, go directly to the bank’s or loyalty program’s website. Sign in securely, then go to the message center or account overview page to see if there’s really anything you need to verify.

At the end of the line

Data breaches are inevitable and will affect almost everyone at some point. The best you can do is secure your accounts to prevent point theft in the first place. Following the steps outlined above can help you recover your points quickly and prevent further violations.