Thieves Targeting Velocity Frequent Flyer Accounts

Hackers are stealing points from Velocity Frequent Flyer accounts. Photo: Adobe Stock.

An alarmingly high number of Velocity Frequent Flyer members have had their accounts hacked and points stolen in recent months.

Velocity Frequent Flyer says that the security of its members’ accounts is its priority. But it hasn’t yet implemented some common security measures such as multi-factor authentication.

Luckily, if your points get stolen through no fault of your own, Velocity Frequent Flyer will eventually reinstate them. But it’s still hugely inconvenient for those caught up in this mess.

Lots of people have had Velocity points stolen lately

Fraud is a serious problem for all frequent flyer programs. Hackers gaining unauthorised access to accounts is one aspect of that. Occasionally, they may even steal points from unsuspecting members.

This in itself is not new, and loyalty programs have protocols in place for when this happens. But a lot more people than usual have reported having points stolen from their Velocity accounts in recent weeks and months.

Here’s just a handful of AFF member posts from the last few weeks alone…

I just had my account hacked. Password and contact and credential details changed. By some weird twist of fate I still have view access to my account via the app. 264400 points used for a flight redemption.
sharkiesrule, 7 August 2024

I had an almost identical experience – 2 business class tickets booked on ANA to JFK in mid-July, reported to Velocity a couple of days later and the account suspended for 30 business days. Email & password were also changed.
Thomas088, 8 August 2024

I’ve had 700,000 points transferred out fraudulently on 31 July and 2 August. I noticed on Tuesday night and called Virgin immediately. It’s the same story as others, the hackers have changed my email, phone etc and booked flights to London, Shanghai, San Francisco, New York and more in names that I have never heard of. They have frozen my account and said they will launch an investigation that will take 30 days. The weird thing is that I updated my password for the first time in a few years in early July, to a unique password.
Madz, 8 August 2024

I’m not sure what the point of the 125,000 point limit per transfer is. My account was cleaned out within 2 minutes using 4 back to back transfers.
aikman, 8 August 2024

Today I found an unauthorised transaction on my Velocity account. Someone booked a ticket from Doha to Colombo using my points. I reached out to Velocity FF and they have suspended my account. Has it happened to other people?
VFF is saying that they will resolve it within 30 days.
msarswat, 19 August 2024

I have had a very similar experience as of late. I’m now at 45 business days and I have been told by the last operator (offshore – I believe TCS) that they have an absolute influx of cases at the moment – and still no actual response.
I personally can’t wait to get my points back, redeem them, and be completely done with VFF. I’d rather accrue nothing and solely fly the other competitor (which I mainly do unless they are fully booked for the flight required) as this has been one of the most brutally frustrating experiences I can recall than have my account scammed because a multi-M company can’t afford to purchase 2FA for their systems.
Ant1993, 19 August 2024

My Velocity account was hacked on 03/07/24 as well – 1.30 million points were redeemed in Myer vouchers. Telephone number & email were changed, but strangely I was not notified by any email from Velocity at all. I called the next day once I could not log in & raised a dispute; was told 30 business days, but now that has passed, still no update. Getting no further update from the overseas call centre & told still working on it.
angad596, 20 August 2024

I have the same. 2 days ago I tried to log on to book a flight and couldn't. Said account was blocked, so Velocity knew something was going on but they failed to contact me. Called Velocity and they had a different email for me. It was changed back, I logged on and I had lost over 700000 points a few weeks ago so now had almost none. Lost to a Myer redemption.
Crustypedro, 23 August 2024

Thieves have used stolen points to book flights on partner airlines. Photo: Matt Graham.

What happens if someone steals your Velocity points

First of all, if you notice that someone has gained unauthorised access to your Velocity account and/or redeemed your points, you should call Velocity Frequent Flyer immediately on 13 18 75. The Velocity Membership Contact Centre is open daily from 7.30am-10.30pm (AEST).

Velocity will then lock your account, pending an investigation. It does this to protect both the member and the loyalty program.

“The security of Velocity member accounts is our priority, and we continuously evaluate and enhance our security measures,” a Velocity Frequent Flyer spokesperson told Australian Frequent Flyer.

“In the event unauthorised account activity is detected or reported, Velocity will assist members to secure their account while a thorough investigation is undertaken.”

Velocity generally advises that these investigations will take 30 business days. However, in recent months investigation times have blown out much further, causing even greater inconvenience to affected members.

When asked about this, the Velocity spokesperson said: “It is important that investigations are thorough to protect our members and our program partners. We sincerely apologise to members who have been impacted by an extended investigation process.”

While your account is under investigation, you won’t be able to log in or redeem any points. However, you can still earn Velocity points and use your membership benefits, including lounge access, when flying with Virgin Australia.

You can still use the lounge while your account is locked. Photo: Matt Graham.

Once Velocity completes its investigation, if it finds you did nothing wrong, the program will reinstate your frequent flyer points.

See our guide to what happens when your frequent flyer account is locked for more details.

What is Velocity doing about this?

Velocity Frequent Flyer already has dedicated fraud prevention resources in place, including several security and anti-fraud protections.

Two weeks ago, Velocity temporarily suspended the ability to transfer points to family members online. Although Velocity wouldn’t specifically say why, we understand this was a direct response to a recent spate of thefts using this feature. (In the meantime, if you need to transfer points to a family member, you can still do so by calling the Velocity Membership Contact Centre.)

Australian Frequent Flyer understands that Velocity is also now in the process of introducing new security measures to further protect member accounts, including multi-factor authentication. Velocity will announce more details about this soon – and frankly, that couldn’t come soon enough.

Qantas Frequent Flyer implemented two-factor authentication in 2019. It’s perhaps no coincidence that there have been far fewer reported instances of stolen Qantas points in the past five years.

What you can do to protect your account

Currently, all somebody needs to access your Velocity Frequent Flyer account is your membership number and password. For this reason, it’s a really good idea to set a strong password that is hard to guess and that you don’t use anywhere else.

“To help protect their accounts, we encourage members to regularly change passwords and not use the same password across multiple accounts,” Velocity’s spokesperson said.

If you haven’t changed your Velocity password recently, now might be a good time to do so.

Other than that, keep a close eye on your account. And don’t ignore any emails you may receive from loyalty programs advising of unusual activity on your account.

If you haven’t logged into your Velocity account for a while, you might also want to check now whether there is any recent redemption activity that you don’t recognise. If there has been, you should report this to Velocity so they can take steps to protect your account – and reinstate any points that may have been stolen.

The editor of Australian Frequent Flyer, Matt's passion for travel has taken him to over 90 countries… with the help of frequent flyer points, of course!
Matt's favourite destinations (so far) are Germany, Brazil & Kazakhstan. His interests include aviation, economics & foreign languages, and he has a soft spot for good food and red wine.

You can connect with Matt by posting on the Australian Frequent Flyer community forum and tagging @AFF Editor.

Community Comments


I just tried to log in to my account and got the following message:

"INACTIVE, SUSPENDED OR CLOSED ACCOUNT
The Velocity Membership number you have entered is associated with an inactive, suspended or close account. Please check that you have entered the correct membership details or contact the Membership Contact Centre for assistance."

Called up the contact centre - and they informed me that my mobile number, email and address had been changed on the account - and that a large number of points had been transferred out? My account is under investigation - and someone will contact me within 30 business days.

Has anyone had this issue before? I didn't realise stealing points was a thing?

Cheers,
dB

Given the value, absolutely. My passwords are 20+ characters and now have 300+ passwords, don't ask. Plus I use an encrypted password manager with 2FA. It's the only sensible pathway.

Reply 5 Likes


Oh dear, do you remember how many points in your account?

Reply Like

I'm surprised Velocity doesn't have MFA itself to log into the account.

Reply 2 Likes

I saw another report of this in the last week in a Velocity FB group.

Account had 400k points and woke up to 4 transfer confirmation emails...3 x 125k (the max per transfer) and 1x25k.

Reply 1 Like

Not that I have the solution, but they couldn't stop the transfers, but they blocked the account, shows doesn't it.
Not so bad if the transfers or the change in contact data couldn't be done, but it's after the fact, that they close the account;
Poor show!
---
So the scammers succeeded in their task, and VFF couldn't do anything about that side.

Reply Like

I'm surprised Velocity doesn't have MFA itself to log into the account.

I agree ... or at the very least make it available to members as an option.

In the meantime, using RoboForm password manager gets me by ....

Reply 1 Like

Yes. And we also moved house so that maybe that was the trigger.

Yeah, that's true. There are also laws around data handling and responsible disclosure that companies can't skirt with terms of service.

I ended up emailing [email protected] since the call centre weren't helpful. From their response:

I've asked them for the results of the investigation along with relevant logs or other information.

Hey, did you end up getting the call back from Velocity with a new account set-up with all points credited?
I’m currently dealing with them at the moment. Had over 350k taken from my account for an online Myer redemption in May. It’s been over 30 business days and called them today for an update and told to sit tight. Someone will either call me or email. That’s as much as I could get out of them. It’s frustrating to say the least.

Reply 1 Like


Hey, did you end up getting the call back from Velocity with a new account set-up with all points credited?
I’m currently dealing with them at the moment. Had over 350k taken from my account for an online Myer redemption in May. It’s been over 30 business days and called them today for an update and told to sit tight. Someone will either call me or email. That’s as much as I could get out of them. It’s frustrating to say the least.

They tried calling me a few times when it was really inconvenient. In the end that meant I needed to call them instead. Did so, we did a password reset and a couple of other admin tasks and that was that. They told me there weren't any points taken and — now that I think about it — I'm not sure I ever actually vetted that claim, probably something to check (wasn't sitting on a boatload of Velocity points anyway).

If you've lost points then that's just straight up theft so might be most effective to talk to the police at this point. It's more hassle than you should have to endure, but eventually it's just down to finding the least painful path forward.

Reply Like


I saw another report of this in the last week in a Velocity FB group.

Account had 400k points and woke up to 4 transfer confirmation emails...3 x 125k (the max per transfer) and 1x25k.

Do you happen to remember what that FB group was? Sadly the exact scenario you described has happened to me and I'm keen to know the likely outcome of their investigations.

Reply Like

Do you happen to remember what that FB group was? Sadly the exact scenario you described has happened to me and I'm keen to know the likely outcome of their investigations.

The group is Velocity Frequent Flyers and this is the post:

Most cases like this that I have seen reported any time in the past few months...Velocity give themselves 30 business days for investigation and then far exceed that.

Reply 2 Likes
