How 500,000+ Avios were stolen from my household account …. and how we got them back!

Two weekends ago, 500,000 Avios were stolen from my British Airways Executive Club account.

I woke up on Sunday morning to an email from British Airways telling me that ‘Activity has taken place on your Household Account’.

That’s odd. I share a Household Account with my immediate family and none of them ever redeem Avios, and certainly would not do so without asking me first.

I logged into my own account to check and lo and behold, five transactions had appeared, indicating that 184,527 Avios had been withdrawn from my account. This was part of a contribution to a Household Account redemption over the course of Saturday.

I immediately knew that fraudulent activity had taken place. I don’t think I’ve ever booked five redemptions in a single day, let alone anyone in my family.

I picked up the phone to British Airways to report the issue and get the account locked. Fortunately I didn’t have to spend long on hold as I called the priority line thanks to my status.

Computer says no

Unfortunately, the call centre was not particularly helpful. Although I am the official ‘Head of the Household,’ and everyone has opted into joining my Household Account, I was told that due to data protection rules they could not tell me about activity on anyone else’s account. This was even though Avios from my account had been used for the redemptions.

They couldn’t even tell me which account had made the redemptions. This was not exactly personal data.

Fortunately, I have the login details and am a third-party nominee on my parent’s accounts and I was able to narrow down the breach to my brother.

Calling him (at an unwanted 8am on a Sunday!) it quickly became clear that he had received an email at some point in the past 24 hours confirming that he had changed the email address on his account (he had not). Not knowing what the new email address on the account was, he was unable to log in to his British Airways Executive Club account to change it back.

Back on the phone with the British Airways call centre, this time with my brother on the line, we again spoke to a customer service agent. She told us she could not do anything, or tell us anything about his account, without him first going through the verification process.

Obviously it was impossible to pass the verification checks. The hacker had changed the email address on the account and, presumably, other contact details as well. She tried to verify the account by asking us who the third party nominee on his account was, but my brother had never set this up – clearly, the hacker had set it up themselves.

She also could not verify him based on information that was correct as of two days prior. She could only verify him based on the current details on the account.

When I asked to speak to the fraudulent activity team, we were told that there was no such phone team and that they would only be contactable by email.

After going in circles for about ten to fifteen minutes, and trying to explain why we could not verify the account but that this was an instance of fraud that needed to be reported, she finally put us on hold – twice – to discuss it with her team.

Only after doing so did it seem like she finally understood and told us the account had been reported. She could not, however, clarify whether his account had been locked as that would be a breach of data protection rules.

Here’s the kicker. After telling us that the account had been reported for investigation, she told us that the relevant teams would be in touch “via the contact details on the account”.

Erm, what?

Having just told her that the hacker had changed the contact details on my brother’s account, she now wanted to send any updates to those new details?

I spent another ten minutes telling her that this was absurd and that she needed to contact us directly, or at least me as the head of the household. She finally demurred and took my details.

Fortunately, it appeared that our accounts were locked and I was unable to login. Unsure about my brother’s account, and with no other means of contact apart from the (unhelpful) call centre, I reached out to the British Airways press office who told me they had forwarded my request to the relevant departments.

(I hoped to speak to BA’s fraud prevention team for this article, but both BA and IAG Loyalty declined to put anyone up for interview.)

After two days of radio silence – no phone calls, no email communication – I received a call from British Airways. Aware that this could be a phishing call using data from the hacked account, I was careful not to reveal any personal information before it became clear that the caller was, indeed, a British Airways employee. (It would be easier if BA had a fraudulent activity number I could call.)

The helpful customer service agent was looking into our case and confirmed that my brother’s account had been hacked. She then returned our accounts to the state they were before the attack, resetting the email address to the previously correct one and remotely enforcing email reset for all accounts in the Household. She also assured us that all Avios would be returned to our accounts.

It appears that, after gaining access to my brother’s account, they only changed the account email – no other personal details were changed. The Avios were then spent over five transactions as part of a hotel booking under my brother’s name. I was told this is a common practice as, although the hotel must be in my brother’s name, the hackers can easily call up the hotels and inform them that the original booker can no longer stay and ask to adjust the guest name.

It is harder for hackers to spend Avios on flight redemptions, as BA locks redemptions in Household Accounts to members in the account or on the ‘Friends and Family’ list which can only be modified by the Head of the Household. As they did not appear to have access to my account, this would not have been possible.

I’m told that it generally isn’t individuals who do this but hacking groups. As part of their investigations, BA’s cybersecurity teams will try to shut these groups down.

It appears that, with an ever-growing number of partners, Avios is becoming a target for hackers who know it is a versatile currency with many opportunities for attack. After all, how many of us have multiple airline Avios accounts linked together, perhaps with a Nectar account? The more connections there are, the more potential vulnerabilities open up.

Conclusion

As you can see, Avios fraud is not the end of the world. Based on my own experience and those of many of you on our forums, British Airways is generally very good at resetting and restoring hacked accounts.

There is room for improvement when it comes to how BA handles such scenarios, particularly when it comes to the frontline call centre which seems ill-equipped. There is also no guidance on the BA website regarding who to call or email in such instances. With millions of members, fraud must be a regular occurrence and providing better guidance to members is an easy way to smooth a stressful process.

That said, the service from the fraud team was excellent. This team clearly know what they are doing and are switched on. The lovely lady I spoke to also took my feedback on board and said she was trying to push for improvements to the process.

Prevention is the best medicine, of course. My advice is to make sure you have set up two-factor authentication on your own account. If you are in a household account then it is also worth encouraging everyone to do so as well, as only one account needs to be breached for all the combined Avios to be stolen.

PS. If you are not a regular Head for Points visitor, why not sign up for our FREE weekly or daily newsletters? They are full of the latest Avios, airline, hotel and credit card points news and will help you travel better. To join our 65,000 free subscribers, click the button below or visit this page of the site to find out more. Thank you.

---

How to earn Avios from UK credit cards (April 2025)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

There are two official British Airways American Express cards with attractive sign-up bonuses:

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points. These points convert at 1:1 into Avios.

SPECIAL OFFER: Until 27th May 2025, the sign-up bonus on the ‘free for a year’ American Express Preferred Rewards Gold card is increased from 20,000 Membership Rewards points to 30,000 points. Points convert 1:1 into Avios (30,000 Avios!) and many other programmes. Some people may see even higher personalised offers. Click here to apply.

SPECIAL OFFER: Until 27th May 2025, the sign-up bonus on American Express Platinum is increased from 50,000 Membership Rewards points to a huge 80,000 points. Points convert 1:1 into Avios (80,000 Avios!) and many other programmes. Some people may see even higher personalised offers. Click here to apply.

Run your own business?

We recommend Capital on Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, and the standard card is FREE. Capital on Tap cards also have no FX fees.

There is also a British Airways American Express card for small businesses:

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.