Fraud on Velocity Frequent Flyer accounts
- Thread starter bluemelbs
- Start date
- Joined
- Jul 27, 2019
- Posts
- 110
- Qantas
- Bronze
- Virgin
- Red
- Oneworld
- Ruby
If the hackers have accessed your email account they can use the 'forgot my password' link on the VFF login page (to get sent a 'reset password link' email and reset it that way assuming they know your old one?).
Maybe some people have followed a link in a phishing email/SMS/ad, and entered their VFF credentials there without realising it's fake.
Last edited:
Happy Dude
Established Member
- Joined
- Oct 13, 2006
- Posts
- 2,642
What?
Happy Dude
Established Member
- Joined
- Oct 13, 2006
- Posts
- 2,642
go back a few posts for my full story but I did click on a pdf in a work email. From that point my work email has been used to create a zillion accounts on a zillion websites. It's a problem where websites use an email as a username, but Velocity doesn't. The problem with Velocity, in my case, is that my email address was changed without me being notified. I don't know how my email address and velocity number were "matched". I managed to change it back before any damage but have since received two more hacking attempts where I did get the forget your password link. My work email, which is also my Velocity email, is listed on several public websites and I send to tonnes of clients etc each year, so it's not or doesn't have to be a phishing thing.
Intrigued by this.
Maybe I'm missing something here, but of all the types of fraud you could choose to do, you'd think booking international flights with stolen FF points would surely be one of the dumbest... Unless you are compounding the crime by also travelling on a fake passport, surely the identities of the people catching those flights are going to be trivial for the authorities to determine?
MJ_/\_
Junior Member
- Joined
- Jul 16, 2024
- Posts
- 39
Just in case you haven't done so already, you've scanned for viruses/malware by now I take it? Clicking on a pdf link can do a lot more than expose your email address, if they've used it to install malware they potentially have access to everything on your machine.
MJ_/\_
Junior Member
- Joined
- Jul 16, 2024
- Posts
- 39
They probably have a scam setup selling half-price flights or something, take the cheap payment off unsuspecting victims, book using stolen Velocity points... Looks like Velocity don't have any restrictions on who you can book reward tickets for... and disappear.
My guess would be they are getting payments in cryptocurrency and targeting people who want to spend their crypto rather than bring the income through proper channels... there may be other explanations, but that one is my non-evidence based guess.
Can You Book Award Flights With Your Points for Other People?
Most frequent flyer programs let you use your points to book reward flights for family members. Some airlines also let you redeem points for friends or anyone else.
www.australianfrequentflyer.com.au
- Joined
- Jul 27, 2019
- Posts
- 110
- Qantas
- Bronze
- Virgin
- Red
- Oneworld
- Ruby
Oh that's horrible @Happy Dude
I wonder if they got your velocity number from an email in your account (if they got access to your work email account). Then if they were in there they could action then delete password reset links overnight before anyone realised?
Velocity should also send us an SMS when account details are changed (QFF do this)
I wonder if they got your velocity number from an email in your account (if they got access to your work email account). Then if they were in there they could action then delete password reset links overnight before anyone realised?
Velocity should also send us an SMS when account details are changed (QFF do this)
Sponsored Post
Struggling to use your Frequent Flyer Points?
Frequent Flyer Concierge takes the hard work out of finding award availability and redeeming your frequent flyer or credit card points for flights.
Using their expert knowledge and specialised tools, the Frequent Flyer Concierge team at Frequent Flyer Concierge will help you book a great trip that maximises the value for your points.
Happy Dude
Established Member
- Joined
- Oct 13, 2006
- Posts
- 2,642
IT told me they couldn't have done that and that they're soon bringing in a system that allows access to company servers etc from only a company device. I did get into "trouble" for using work email for personal things, which I do because it's easier to deal with just one. Everything I've pretty much ever signed up to has been with my work email. Occasionally I'll sign up with a hotmail, gmail etc when exploiting 'sign up as a new customer' type offers.
Happy Dude
Established Member
- Joined
- Oct 13, 2006
- Posts
- 2,642
We were hacked a few years ago so possibly not the best IT dept around. I haven't scanned but IT may have done that when I told them about it. I don't have any admin rights etc.
- Joined
- Jul 27, 2019
- Posts
- 110
- Qantas
- Bronze
- Virgin
- Red
- Oneworld
- Ruby
Ah sorry, I assumed you were on a work device when you mentioned work email. If you were on a personal device then, as advice from others above, that needs to be scanned.
Happy Dude
Established Member
- Joined
- Oct 13, 2006
- Posts
- 2,642
No you assumed correctly. I was on a work device. I assumed that IT did scans or whatever was needed security-wise. IT assured me the hackers couldn't have accessed anything on my computer. Like you, I thought they could and had read my emails to get info such as Velocity #, but I'm told that wasn't possible.
Use a password manager and randomly generated password - never reuse passwords between websites and never share your master password. It should already be built in to any relatively modern device/browser.
For most people that will stop 90% of attacks on your account that relies on password being reused across websites. MFA and Passkeys etc are even better of course.
Of course Velocity’s account security is laughable. There’s no mandatory MFA for points or high risk transaction nor does it even notify you on suspicious login activities or have a way for you to audit those.
For most people that will stop 90% of attacks on your account that relies on password being reused across websites. MFA and Passkeys etc are even better of course.
Of course Velocity’s account security is laughable. There’s no mandatory MFA for points or high risk transaction nor does it even notify you on suspicious login activities or have a way for you to audit those.
bcworld
Established Member
- Joined
- May 26, 2010
- Posts
- 3,778
- Qantas
- Bronze
- Virgin
- Platinum
In the past 2 weeks I've received "we detected unusual (successful?) login activity" emails for my Avianca LifeMiles account...but more concerningly my personal email account. IP addresses in the US in both cases...where I wasn't. Both use, strong, unique passwords.
AustraliaPoochie
Senior Member
- Joined
- Feb 9, 2014
- Posts
- 7,692
Most likely too late now, or use a VPN.
MarkD
Established Member
- Joined
- Jul 25, 2011
- Posts
- 1,293
- Qantas
- Silver
- Virgin
- Platinum
So when accounts are suspended, are they suspending all status benefits, ie Priority boarding, chekin, lounge, seating etc? Assume so as account not valid. If so, that sucks and is there any chance of retrospectively claiming points / SC and additional time on status level once its sorted?
The Frequent Flyer Concierge team takes the hard work out of finding reward seat availability. Using their expert knowledge and specialised tools, they'll help you book a great trip that maximises the value for your points.
- Joined
- Jul 27, 2019
- Posts
- 110
- Qantas
- Bronze
- Virgin
- Red
- Oneworld
- Ruby
I think only their frequent flyer accounts are suspended, not the airline account. Eg Velocity account not Virgin account. So status still intact
CaptJCool
Established Member
- Joined
- May 31, 2012
- Posts
- 3,638
All good advice offered in here
Single point of failure
Unfortunately one needs to diversify their finances AND diversify their passcodes IMHO Banking passwords must be unique plus anything that can provide ID info.
Running Two or more email (and a work one) accounts affords some peace of mind
The crooks will always likely be one step ahead and combatting their approach especially if they get access to data dumps like Medibank or Optus or All don’t aid you in keeping all your various accounts safe
Single point of failure
Unfortunately one needs to diversify their finances AND diversify their passcodes IMHO Banking passwords must be unique plus anything that can provide ID info.
Running Two or more email (and a work one) accounts affords some peace of mind
The crooks will always likely be one step ahead and combatting their approach especially if they get access to data dumps like Medibank or Optus or All don’t aid you in keeping all your various accounts safe
AustraliaPoochie
Senior Member
- Joined
- Feb 9, 2014
- Posts
- 7,692
Would be nice if we could "lock our points".
Like what we can do with our bank cards.
VFF could set up, when we call them, set up a verbal password/passcode, to burn points.
But I guess it will cost VFF $, and NR wouldnt be too keen on that.
2fa/mfa are all scammable, its only when and if they set up a verbal code word, that only VFF and the member know, that is the only safe way.
Unless of course, the scammers crack into VFFs records.
Like what we can do with our bank cards.
VFF could set up, when we call them, set up a verbal password/passcode, to burn points.
But I guess it will cost VFF $, and NR wouldnt be too keen on that.
2fa/mfa are all scammable, its only when and if they set up a verbal code word, that only VFF and the member know, that is the only safe way.
Unless of course, the scammers crack into VFFs records.
Become an AFF member!
Join Australian Frequent Flyer (AFF) for free and enjoy a better viewing experience, as well as full participation on our community forums.AFF members can also access our Frequent Flyer Training courses, and upgrade to enjoy lots of other benefits and discounts!
AFF forum abbreviations
Wondering about Y, J or any of the other abbreviations used on our forum?Check out our guide to common AFF acronyms & abbreviations.