I have been a Hilton Hotels Diamond in their Honors loyalty program for several years and was horrified to see the telltale signs my account had been hacked. I acted quickly and identified the fraud; it’s a shame Hilton didn’t act as swiftly.
Catching Them Quickly
Hilton sent me an email to let me know my email address on file had changed. My thought process went something like this:
Um, no. I didn’t do that.
Is this a genuine Hilton email? [looked at sender address and logged into account]
The hackers had time to add a new email address. Had I not seen the email come through, it would have likely been too late to stop them before a withdrawal occurred. Checking my email when it chimed was a stroke of convenient luck.
How I Stopped Them
I immediately called Hilton while I logged into my account online. My saved password was still working to that point and while I sat on hold for about two minutes I witnessed the perpetrator’s action as they made adjustments to my account.
I took a screenshot of my balance and explained the issue to the rep. The email address that was added looked similar to others on my file. The domain was USA.com, and this has happened often enough (with other scams) that USA.com has a statement on the matter. The agent knew what to do, filed the report and stated my account was locked down. I would hear from Hilton’s fraud team the next morning (it was nearly midnight when I called in). Satisfied, I hung up.
Hilton Didn’t Actually Lock The Account
The rep filed the fraud claim but since no points had been stolen yet, there were no notes on the report as it was conveyed to me. I called back in two days later since I had heard nothing. I asked the agent about the fraud report.
“Which reservation in Atlanta tonight is fraudulent?” she asked.
“All of them. What do you mean? My account was locked down since the fraud claim was filed.” I was less than calm at this point.
“Yes, of course. So you made the 500,000 point transfer to Points.com and then the two reservations were made?” she asked.
“No. Anything after the point in which I filed the fraud claim and you told me my account was locked down was not me. I was locked out of my account due to the password change.” A silence filled the line for a moment.
She then put me on hold and got a supervisor. Within twenty seconds the line went dead and I waited for them to call me back. By not correctly locking down the account, Hilton exposed themselves to costs that I am not responsible for covering, so what benefit is there in not locking the account down instantly?
The Rep That Got It Right
After twenty minutes I tried them again and got a different representative, Linda. I was irate at this point and she did a great job of both handling my issue and my frustration. Instead of waiting for fraud prevention to reach out, she corrected my email address, reset my password, freezing the fraudsters out of my account, and refunded the spent points, over 600,000 in two days.
She also froze my account successfully (though there was little need to do so at that point) and I continue to await the fraud team to reach out via email (not phone) to open the account back up.
She contacted the hotels that had guests checked in under my account number (they likely checked in with the app). The perpetrators were in the rooms at the time (two Atlanta properties) and the authorities were called while I was on hold.
Hilton Needs To Tighten Security
IHG accounts have been rampantly hit with points theft over the last few years. I’m not going to say it’s because they hate their elites, but I will say that their IT staff probably needs to find something they are good at and do that. IHG passwords are still four-digit pins. That’s it. Hilton doesn’t allow for special characters and limits the length of a password. That should change.
The chain also needs to add two-factor authentication.
In the last couple of weeks, others have reported Hilton account hacks. The first rep could have done all the things the third rep did and stopped Hilton from paying out to Points.com and to a franchisee for the rooms in Atlanta. Why isn’t there an ability for me to freeze and un-freeze (thaw?) my account myself? Hilton could improve training so that the fraud department may not have to be involved at all.
Hold times on the Diamond Desk were short, just two minutes or so, but why not have a chat feature for account activity issues?
The Hilton App Could Help
The app should also issue a notification that says: “Your (X) has changed. If you’ve not requested this change, click this link.” Consider for a moment that guests can select their room and use the app and a smartphone as a room key, which may be unlocked by facial recognition or fingerprint. That is more secure than their password, so why not trust notifications to alert people sooner than email, which seems archaic?
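As an added illustration of the two fixes asked for above (a freeze that refuses sensitive actions the moment a fraud claim is filed, and an app notification on every account change), here is a hypothetical account model that replays the post’s timeline; it is not Hilton’s code, and the action names, point balances and email addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical model (not Hilton's code); action names and the timeline are constructed.
SENSITIVE = {"change_email", "change_password", "transfer_points", "reserve"}

@dataclass
class LoyaltyAccount:
    email: str
    points: int
    frozen: bool = False
    notifications: list = field(default_factory=list)
    blocked: list = field(default_factory=list)

    def freeze(self, reason: str) -> None:
        """Fraud claim filed, or member self-service: refuse every sensitive action."""
        self.frozen = True
        self.notifications.append(f"Account frozen: {reason}")

    def thaw(self) -> None:
        """Member self-service unfreeze, so the fraud team need not be involved."""
        self.frozen = False
        self.notifications.append("Account unfrozen")

    def apply(self, event: dict) -> bool:
        """Apply one account event; return False if it was refused."""
        kind = event["type"]
        if self.frozen and kind in SENSITIVE:
            self.blocked.append(event)
            return False
        if kind == "change_email":
            self.email = event["value"]
        elif kind == "transfer_points":
            if event["amount"] > self.points:
                self.blocked.append(event)
                return False
            self.points -= event["amount"]
        if kind in SENSITIVE:  # push as an app notification, not only an email
            self.notifications.append(
                f"Your {kind} was processed. If you did not request this, freeze your account.")
        return True

def replay_timeline() -> LoyaltyAccount:
    """Post's timeline: email change, fraud claim, then a 500,000-point transfer and two reservations."""
    acct = LoyaltyAccount(email="owner@example.com", points=650_000)
    acct.apply({"type": "change_email", "value": "attacker@example.com"})
    acct.freeze("fraud claim filed by account holder")
    acct.apply({"type": "transfer_points", "amount": 500_000})
    acct.apply({"type": "reserve", "hotel": "Atlanta property 1"})
    acct.apply({"type": "reserve", "hotel": "Atlanta property 2"})
    return acct
```

With the freeze applied at the fraud claim, the transfer and both reservations are refused and the balance is untouched; without it, the same replay drains the account exactly as the post describes.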
Has this happened to you? What did you do about it? Have you had other accounts hacked and how did you and the brand respond?
Come see Matthew and me at FTU Chicago.
The weekend of sessions is available for just $249, and if you use my affiliate link you can save another $25 with discount code SPRING when you purchase before May 13th at midnight PST. Both days include lunch, coffee, and iced tea, and a pizza welcome dinner the evening prior (May 31st) for the first 75 who sign up.