My Southwest Rapid Rewards account was hacked: How I got my points back


Well, it finally happened — I fell victim to one of my loyalty program accounts being hacked, specifically my Southwest Rapid Rewards account. On Dec. 3, I received an email from Southwest at 9:30 p.m. EST confirming my hotel reservation at Hampton Inn & Suites Kalamazoo-Oshtemo for a check-in date of Dec. 4 and a checkout date of Dec. 5.

The email stated that 17,100 Southwest points were deducted from my account to book this hotel. According to TPG’s December 2024 valuations, that’s about $240 in value. Initially, I thought this might be a phishing email scam trying to coax me into clicking on the links provided to steal information. Immediately, I logged into my Southwest account to check if the points had been deducted.

Unfortunately, yes, this hacker had used my hard-earned reward points to book a hotel stay.

Here are the steps I took to get my points back and how you can try to prevent hackers from stealing your points and miles.

Related: How to protect yourself against rewards program data breaches

What I did when my Southwest Rapid Rewards account was hacked

JUSTIN PAGET/GETTY IMAGES

After realizing that someone had accessed my Rapid Rewards account, I immediately changed my password to prevent additional points from being used. Next, I called Southwest to inform the airline that my account had been hacked and that my points had been used fraudulently.

Because it was late at night, the Southwest representative informed me that this was a Rapid Rewards issue — she could only assist with flights and not hotel reservations — so I would need to call the phone line for the loyalty program in the morning when it reopened.

However, the Southwest rep told me to call the hotel directly to let them know that this reservation was made because my account had been hacked. Though it would not help me get my points back immediately into my account, it was worth leaving a paper trail of the steps taken to show that this was fraud.

When I called the hotel directly, the front desk employee was extremely apologetic. Though she could not cancel the reservation on her end, she left a detailed note for her manager to give me a call in the morning so he could try to resolve the issue.

Daily Newsletter

Reward your inbox with the TPG Daily newsletter

Join over 700,000 readers for breaking news, in-depth guides and exclusive deals from TPG’s experts

Related: How to identify and prevent credit card fraud

Though nothing further could be done that night to get my Southwest points back, I spent the next few hours making sure my loyalty program passwords were updated. While some airlines and hotel programs have employed two-step authentication, others, such as Southwest, have not yet followed suit.

To give myself peace of mind, I decided to change all of my passwords to try to mitigate the risk of my other accounts being hacked and my rewards being stolen using my information.

The next morning, I called Southwest Rapid Rewards and gave the woman a detailed description of what had happened, explaining that I had immediately contacted Southwest, informed the airline of the account hack, called the hotel and changed my account password. The rep told me that she would be filing a report and that someone from Southwest would follow up with me via email regarding my points. She noted several times that it was a good thing I had discovered the hack immediately, as some people don’t realize for months that they have rewards missing from their account.

After I was done speaking with the Southwest rep, the hotel manager gave me a call to let me know that he had received the booking note and he would be canceling the reservation on his end. Because this reservation was booked with points through a third party, he could not give me back my rewards, but again, it showed Southwest that a paper trail was being left to help my case.

Southwest did give me my points back, but …

ZACH GRIFF/THE POINTS GUY

On Dec. 4, I received an email from a Southwest Rapid Rewards rep telling me that the airline takes “the security of our members’ Rapid Rewards accounts seriously, and we protect our members from fraudulent activity by fortifying your data against a breach.” The email states that Southwest “requires members to enter a password prior to accessing any of their account information,” and they encourage the use of a “strong password.”

The email also cites Southwest’s terms and conditions, noting that the airline is “not responsible for unauthorized access to a member’s account and will not replace stolen points or awards.”

However, as a “gesture of goodwill and one-time exception,” Southwest decided to refund me the 17,100 points.

Aside from being a Rapid Rewards member, I also hold the Southwest Rapid Rewards® Plus Credit Card. I’m not sure if this fact was taken into account when my case was being reviewed.

While I am thankful that Southwest returned my reward points, I can’t help but acknowledge that we live in a digital age in which hackers and scammers work endlessly to access people’s personal account information. Even big corporations have fallen victim to these hacks. For Southwest to rely solely on one password and not an additional step to authenticate the user seems a bit behind the times.

We reached out to Southwest with my experience, and a spokesperson sent us the following statement:

Southwest is committed to protecting our Customers’ accounts with comprehensive cyber security controls. We will continue to enhance our core technology and have implemented a range of proactive and responsive security measures across our platforms.

It’s worth noting that Southwest isn’t alone here, as several other airlines — including American and Frontier — don’t have two-factor authentication options for securing your loyalty account balances.

So, how am I trying to protect my accounts in the wake of this hack?

Related: Understanding 3D credit card security and how it could affect your trips to other countries

Steps to protect your loyalty accounts to safeguard your points and miles

ALEXANDER SPATARI/GETTY IMAGES

Though these additional steps aren’t guaranteed to protect your personal information and loyalty accounts, they sure won’t hurt.

Change and update your passwords

Whether you’ve been hacked or not, updating your password regularly is a good idea, especially if you haven’t done so in a long time. Additionally, make sure to have different passwords for each of your accounts. If you have one password (or a very similar one) for every account, hackers may easily access all of them.

Set up two-step authentication (when possible)

Nowadays, many airline and hotel loyalty programs offer two-step authentication to help secure your account. The program will typically require an additional code, which will be sent via email, text or through an authentication app such as Google Authenticator.

Get email and/or text alerts

Though no one likes to be inundated with a bunch of emails and/or texts, it’s a good idea to make sure your communication preferences are updated. Most programs will contact you when a booking is made, your points and miles are used or even if your contact information/profile has been updated. This will help you identify fraud early — which can make it easier to resolve.

Because Southwest immediately notified me about my booking — and because I’m someone who frequently checks my emails on my phone — I could contact the proper parties right away, change my account password and resolve the issue.

Related: My AAdvantage account was hacked: Here’s what happened and how you can protect yourself

Bottom line

A hacker recently redeemed more than 17,000 of my Southwest Rapid Rewards points, though I was able to quickly take steps to get them back. Unfortunately, I am not the first — and won’t be the last — points and miles enthusiast to fall victim to an account hack. Earlier this year, TPG managing editor Clint Henderson had almost 400,000 American Airlines AAdvantage miles stolen from his account. Luckily, he too got them back.

But as fraudsters continue to get more clever in their hacking methods, it’s best to be diligent and pay close attention to your personal accounts. Though Southwest refunded me my points, according to their terms, this was not guaranteed and replacement of stolen points is seemingly only approved on a case-by-case basis. Therefore, to ensure you don’t completely lose out on your hard-earned rewards, take additional steps to secure your accounts.



Source link

Comments (0)
Add Comment