Igor Litovsky, Founder & CTO of Mastermind Loyalty, on how loyalty programs have become a target for cybercriminals
In 2025, digital fraud finally ceased to be a problem confined to specific industries. According to the Digital Trust Index 2025 released by Sift, consumer exposure to online fraud schemes surged by 89% compared to 2024, illustrating how rapidly fraud patterns are spreading across ecommerce and other digital ecosystems — with attacks becoming more accessible and harder to detect for users. Experts today are particularly focused on segments where value exists not in the form of money but can be easily converted into it.
Loyalty programs are undergoing a fundamental transformation. Points, bonuses, and miles effectively function as digital currency, as they can be accumulated, transferred, or exchanged for goods or cash back. At the same time, architecturally, many companies keep them in the marketing domain rather than in risk control. This contradiction has made loyalty programs one of the most attractive targets for attackers.
Igor Litovsky has been working with this reality for over 15 years — an IT and cybersecurity expert with more than 20 years of experience, Founder and CTO of Mastermind Loyalty. In December 2025, he received a Congressman’s Award — a Certificate of Recognition presented in person by a member of the United States Congress — for his contributions to cybersecurity and loyalty fraud prevention.
When points are protected less than dollars
The key problem with loyalty programs lies in how they have historically been perceived by businesses. According to Igor, rewards have turned into shadow currency, but the level of protection remains at the level of marketing promotions. “Most loyalty programs operate on bonus points or coupons that can be exchanged for goods, travel, gold bars, or simple cashback. Over the years, loyalty programs have become so widespread that it’s almost impossible to find a retailer or credit card without one. And yet, reward accounts are simply not protected or monitored as rigorously as dollar accounts,” he explains.
The situation is exacerbated by architectural complexity. Modern loyalty programs involve multiple players: issuing banks, program providers, fulfillment centers, travel providers, and billing and reconciliation systems. This creates numerous entry points for attacks. Unlike banking systems, loyalty platforms evolve faster than they can be fortified. The customer has barely completed a purchase, and the new point balance is already printed on the receipt. Behind the scenes, a real-time engine processes historical data, where even millisecond delays can be exploited. In this narrow time window, attackers can exploit synchronization gaps between systems — for example, initiating rapid redemptions or balance manipulations before risk controls fully register the transaction.
Why digitization has made the system more vulnerable
A common misconception is that digitization automatically makes systems more manageable. In reality, it often lowers the entry threshold for attacks. According to Litovsky, the global digital market is growing, and competition is rising proportionally. Processes become more sophisticated — a necessity to stay afloat — but speed is often achieved at the expense of quality, with overlooked details and insufficient resources for control. AI and bots, when in the wrong hands, have become both a powerful tool and a real threat. In loyalty systems, this often means faster onboarding, instant point accrual, simplified redemption flows, and fewer friction checks — all of which are attractive not only to customers but also to attackers. AI-driven bots now automate abuse at scale, targeting precisely these high-speed, low-friction processes.
There is also a structural vulnerability in the very nature of loyalty programs. Igor gives an example: how to prevent a situation where someone signs up for a credit card, receives a welcome bonus, and then abandons it? Such scenarios open opportunities for abuse. “The term ‘digital’ itself can mean many things. Sitting at a computer, often in another part of the world, people become invisible. Invisibility is tempting — especially when the target is a reward system that is monitored less strictly than financial accounts and often treated as a secondary asset,” he says.
From cashier bonuses to account takeovers
Fraud in loyalty programs rarely looks like a complex hacking operation. “Sometimes clerks at gas stations create loyalty cards for themselves, which they run through when the customer doesn’t do so,” Litovsky gives as an example. Formally, there are no violations, but the points go in the wrong direction.
The most dangerous type remains account takeover. Not only does the client see an emptied account, but the reputational damage to the company can be devastating. “If the company decides to compensate, then we are looking at financial damage as well. In real life, it’s usually both,” he emphasizes. With the development of bots, the speed and scale of such incidents have increased dramatically. Credential stuffing — a technique where attackers take leaked username-password combinations from one breach and automatically test them across other services, including loyalty accounts — has become a standard tactic.
Igor’s professional portfolio includes well-known American and multinational organizations from travel, retail, e-commerce, and financial services. Over various implementations, his multi-layered fraud control framework typically reduced abuse during point redemption by 52%, while simultaneously improving the customer experience and reducing support inquiries by 34%.
A race without a finish line
Modern fraud fighting is a continuous race where attackers adapt faster than companies. “Good guys usually beat bad guys everywhere on TV… except in the news. The biggest problem is becoming and remaining proactive. Given the modern day IT workload, it’s not easy, but you have to try. Being just a firefighter is not enough,” Litovsky notes.
The lack of time, budget, and people forces companies to act reactively. Betting on one “magic” solution often fails. Over the years of work, Igor has developed a methodology that, through a combination of rules engine optimization, anomaly detection, and behavioral analytics, has achieved a sustainable reduction in losses by 30–60% year over year, depending on the maturity of the client’s infrastructure and the initial level of fraud exposure.
At Mastermind they also designed a graph-based risk monitoring tool that visualizes systemic vulnerabilities in real time. Instead of isolated alerts, the system maps relationships between accounts, devices, transactions, and behaviors, helping to make coordinated fraud patterns visible early. Unlike traditional dashboards, this approach offers a network-penetration-style view of fraud detection ecosystems, allowing actions to be taken before damage occurs.
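The relationship mapping described above can be illustrated with a small added example; it is not Mastermind Loyalty's tool or code. It links accounts that share a device fingerprint and flags a linked group when several of its accounts redeem within a short window. The event fields, thresholds and sample data are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (account, device_fingerprint, action, unix_time)
EVENTS = [
    ("acct-101", "dev-A", "redeem", 1000),
    ("acct-102", "dev-A", "redeem", 1030),
    ("acct-102", "dev-B", "login", 1040),
    ("acct-103", "dev-B", "redeem", 1055),
    ("acct-200", "dev-C", "redeem", 1010),
    ("acct-201", "dev-D", "login", 5000),
    ("acct-202", "dev-D", "redeem", 9000),
]

def find(parent, x):
    # Union-find root lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def linked_clusters(events):
    """Group accounts that are connected through shared devices."""
    parent = {}
    for acct, dev, _, _ in events:
        a, d = ("a", acct), ("d", dev)
        parent.setdefault(a, a)
        parent.setdefault(d, d)
        parent[find(parent, a)] = find(parent, d)  # merge account and device
    clusters = defaultdict(set)
    for node in parent:
        if node[0] == "a":
            clusters[find(parent, node)].add(node[1])
    return list(clusters.values())

def suspicious_clusters(events, min_accounts=3, window=120):
    """Flag clusters where min_accounts distinct accounts redeem within
    `window` seconds of each other (hypothetical thresholds)."""
    flagged = []
    for cluster in linked_clusters(events):
        redeems = sorted((t, a) for a, _, act, t in events
                         if act == "redeem" and a in cluster)
        for i, (start, _) in enumerate(redeems):
            accts = {a for t, a in redeems[i:] if t - start <= window}
            if len(accts) >= min_accounts:
                flagged.append(sorted(cluster))
                break
    return flagged
```

Looking at any one of these accounts in isolation shows a single ordinary redemption; only the device links make the coordinated burst visible.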
When the “simple” turns out to be effective
The most effective measures are often not the most exotic. “Very often, simple things help — not giving people more access than necessary. This helps against internal fraud. Real-time monitoring with automated alerts is another tool. Data mining and AI/ML are now fundamental to modern fraud prevention,” Igor explains.
The next level involves integrating anti-fraud policies directly into CRM. According to Litovsky, this approach helped reduce manual overrides by 70% and customer escalations by 40% in the projects he oversaw. By design, CRM focuses on people and their activities, making it a natural place to monitor profiles and financial behavior. This allows teams to “put things together” and ask the question: “Why?” — a method Igor likens to the investigative work of a police detective, turning data into actionable insight while simultaneously improving operational efficiency.
At Mastermind Loyalty they also built a 24/7 real-time fraud operations pipeline that transformed response time from days to minutes. The team helps enterprises protect against identity theft through multi-factor authentication, device fingerprinting, and behavioral biometrics, which allows a significant proportion of account takeover attempts to be blocked at an early stage. “Using industry standards never hurts — customers are used to it. Multi-factor authentication, strong passwords — the first line of defense. User categorization by risk level and additional verification — another layer. A multi-layered approach must be applied,” he explains.
When the best result is silence
In cybersecurity, success is measured by what didn’t happen. “In this business, the best result is silence. Silence is hard to measure, just like the effectiveness of a loyalty program by how many customers didn’t leave. We can measure the number of incidents and whether they can be resolved automatically. Automation almost always reduces manual work, including support calls,” says Litovsky. For him, proactive prevention — not reactive firefighting — is the defining trait of mature fraud operations.
One of the key principles of Igor’s work is the ability to think like an attacker. Protection professionals try to look at processes from the attackers’ perspective. “We learn, argue… It’s like playing chess with yourself. AI and automation combined with human intelligence and persistence always give the best results,” he shares.
A four-time Microsoft Certified Expert (Azure Developer, Data Engineer, DevOps Engineer, and Solutions Architect), Litovsky actively participates in the professional community as a member of IEEE, Loyalty360 — The Association for Customer Loyalty, and Loyalty Magazine.com, where he shares his approaches and methodologies with industry colleagues.
The scale of the threat
The numbers speak for themselves. Global annual losses from loyalty fraud are estimated at $1–$3 billion. In the US alone, stolen loyalty rewards cause significant financial damage, often forcing companies to reimburse customers out of pocket and absorb the impact themselves. The growth dynamics are impressive.
“When it comes to trillions of unused points, the question is no longer about marketing, but about financial infrastructure. All assets representing value are potentially vulnerable. Loyalty rewards are among them,” Igor sums up.
The global loyalty management market continues to grow. In an ecosystem where loyalty fraud accounts for a significant share of digital abuse, specialists at Litovsky’s level become critically important. His methodologies demonstrate that strong protection enables sustainable business growth. Today, when loyalty programs have become financial infrastructure with trillions of dollars in points, they require the same level of protection as any financial asset.


