Your American AAdvantage Account At Risk: The Growing Crisis of Stolen Miles And How The Airline Fights Back

There has been an absolute rash of American Airlines AAdvantage account fraud lately. I must have heard from a dozen readers in the past two weeks who had miles stolen.

I had to deal with issuing an award over the phone myself yesterday and found that the agent was required to verify a lot more information than usual from me before issuing the ticket. Something systematic seems to have happened that’s led to this.

Clint Henderson of The Points Guy wrote about his experience including the frustrations dealing with American over getting his miles back. A few weeks ago One Mile at a Time dealt with the same thing.

The AAdvantage fraud team isn’t available over the weekend, making it easier to actually travel on fraudulent redemptions. They require you to fill out a police report and give them a copy. Only that’s not the easiest thing with some police departments. (American has a different set of hoops for you to jump through when dealing with less citizen-friendly police departments and those where, like in Austin, police have quiet quit in the midst of protracted contract negotiations.)

American made a strategic blunder that makes this all worse for customers. They used to allow Award Wallet to track accounts for members.

  • One click and members get updates on all of their account balances, and it’s easy to see changes immediately. Hundreds of thousands of customers knew almost immediately when miles were drained, and could act quickly to get redemptions cancelled, help get thieves caught, and mitigate American’s losses.

  • However American decided that customers needed to go to their own website, and figured that they’d do so if they had to in order to see their balances. But balance changes at Award Wallet draw customers to the AA.com website for the details! An inability to easily see changes – without the effort of having to go to a dedicated website and log in (and the login is no longer even right there on the screen when most people arrive) means less engagement.

    In the case of fraud on member accounts that used to be checked with Award Wallet, the losses are American’s own fault – and exactly what I wrote to expect.

  • Last summer I covered American rolling out multi-factor authentication to access AAdvantage accounts. I had to deal with that for the first time this week. It both mitigates fraud but also raises the transaction cost of accessing an account and makes it less likely that a member will do so, either not going back in the first place or abandoning the effort (for instance, they don’t have their phone with them when on their laptop or tablet).

Meanwhile, American’s crackdown on fraud in response to this surge has meant more members who’ve sold their miles getting caught. I heard from one this week who shared a note from the security team and wanted to know what to do.

  • American doesn’t really ‘want’ to ‘get’ most individual members. They’re looking for the big fish, the brokers who are buying and selling miles at scale.

  • American faces no meaningful burden of proof, and customers have little recourse. They can shut down an account with little evidence or no evidence. So assume if they contact you it doesn’t matter whether you incriminate yourself, since American (and any loyalty program, really) is prosecutor, judge and jury. If you don’t respond, you’ll get your account shut down. If you deny it, you’ll get your account shut down unless you can prove your innocance.

  • So the best thing to do when you’ve sold miles is to admit it and give them all of the information they’re asking for – all of the contact information, names involved, and metadata. That’s how you get the most favorable outcome, which may mean a penalty of some amount of miles still remaining in your account for a first offense and the ability to continue in the program versus a banning.

Having your account hacked is annoying. You’ll need a new AAdvantage number and they’ll want you to use a new e-mail address, too. You’ll need to get a police report on the theft, which is interesting because the implication is that the miles belong to you rather than to the airline. You’re treated as though it’s your own security lapse that’s caused the theft, rather than – as is clearly the case – a systematic issue with American AAdvantage accounts being targeted lately.

And selling miles is reasonably likely to have consequences, if you care about having an ongoing business relationship with the airline and mileage program. It’s one thing if you plan to just walk away from them anyway – it’s not illegal, the consequences are civil – but risking an elite account with large mileage balance has long struck me as foolhardy.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »

Comments

  1. In the meantime, seven weeks since March 1 and American still can’t even tell us how many loyalty miles a person has.

  2. I was hacked on April 3rd and lost 45000 miles for two award tickets. I spent hours on the phone trying to reach American customer service and/or security which only has M-F 9 to 5 hours and the wait time was hours. When I did get through I had to get a new account #, establish a new E-Mail Address and password and the remaining miles in my account (the guilty one only took about 15% of what I had) were transferred to my new account. BUT….all my reservations, and status is with the old account which is still accumulating miles and LPs. Having been “on the road” for the past 3 weeks I am now in touch with my local Police Dept to get a report of stolen property which I have to send (via .jpg or a pdf scan) to American and hopefully get the 45000 miles restored. This has been a VERY unpleasant experience where I was receiving the impression that I was the criminal rather than the victim. It is/was as bad as trying to work with the new American Business program….where there is NO ONE to talk to for resolving issues or gaining information….only a robotic “chat person” and when you exhaust that resource you can ask a specific question to the American Business “team” which I have done and am now waiting weeks for an answer. If you only get some miles for your business, putting up with the many restrictions and headaches makes me really wonder if it’s worth the bother.

  3. I checked. No AA account from years ago. But I decided to keep track of mileage on my United and Delta accounts, both which don’t expire but are subject to devaluation. My JetBlue account is almost at zero. My Asiana Account is at zero because I direct the mileage to United. My Singapore account has miles but they are not likely to be used. My Korean Air miles get directed to Delta. My few EVA miles have expired but I bought a few to get a free one way flight before the pandemic with the return on a separate Air China flight (the combination was well less than a roundtrip on EVA Airways and made use of them which wouldn’t have happened if I held them when Covid-19 hit.)

  4. It is your own security lapse. The hackers are getting people who reuse passwords. If you use the same password on multiple sites, you’re ripe for the picking. This is 2024. People should be using unique passwords for every site, that they can’t remember, all stored in a password manager. Over the next few years, Terms & Conditions will be changed, and will put the responsibility on the user/customer for their account security. Fraud is so ripe all over the place these days, it is not our responsibility to protect our accounts.

    Disclaimer: I am the Founder & CEO of multiple startups and deal with this all day long. My recommendation is “Bitwarden” which is end-to-end encrypted, open source, and can’t be hacked. Just use one big complex master password and let the tool do the rest.

  5. I am a lifetime Advantage Gold member, but I am now down to only a few hundred AA miles, with no desire to acquire any more miles. I have had enough with frequent flyer miles programs. I just spent my last 200,000 UA miles, LOL.

  6. The really stupid thing is I can only see my award miles total on the phone app. I can not see individual transactions/redemption. Soooo, how am I supposed to know if I have lost some points?

  7. @GetToThePoints – The AA mobile app definitely shows individual transactions.

    It’s listed as “Your Activity” on the account page.

  8. In my case AA is the one stealing my AAdvantage awards. And to make matters worse they absolutely will not respond when I asked them to remedy the situation. Looks like AA, like Boeing, has become “too big to care”.

    Member since 1982

  9. I called the aadvantage desk to waitlist an upgrade two nights ago and they asked a ton of questions. FF# , address , phone # , email , and the last activity on my account.

  10. Because I didn’t notice until after the 90 day mark, they are refusing to reimburse the miles. How am I supposed to know when all the confirmations are going to the new hacked email address? I have contacted them multiple times and multiple different ways. If you can shed any light on how to recover hard earned miles, would love to know…

  11. A few years ago about 300,000 Avios BA miles were used for hotel awards in Europe. By chance I saw them a few days after they were booked and stopped it in time. I rarely check. Mysterious how I decided to check the account.

  12. Pulling this from Awardwallet is a pain to keep track of these and dumb on AA’s part.

    In a side note I recently had my IHG account hacked twice within a couple of weeks and I found them to be VERY responsive. I did notice it right away (through Awardwallet) which helped. I called them, they transferred me right away to their security team and they made me whole. The second time around they did have to create a whole new account number and change email addresses but it all came out fine.

  13. On March 16, a Sunday, I woke up to find that my AA account was hacked. A total of 650,000 miles were stolen. They were kind enough to leave me 120,000. I called AA and to my surprise (member since 1982) their fraud department only works M-F. Ok, got it. What you don’t realize: 1. If you had status ( was Ex Plat), you now have no status. 2. If you have a Biz account, (as I do) good luck getting them to merge your miles, awards, etc. 3. Calling the Ex. Plat line no longer works. 4. Calling the regular line resulted in over 2+ hour waits multiple times with numerous hang ups when you need to be transferred. 5. AA assumed I didn’t have a life and wouldn’t mind calling back over and over again. I resorted to chat feature. That got me the furthest with minimal wait times (under 45 minutes) HOW pathetic. It’s April 21 and only last week did I get my Exec Plat status back. 6. I mailed in the required police report on March 23. Almost a month later none of my miles have been given back to me (sadly, i need to get an award ticket for my college age daughter to go abroad to school) Can’t get much with 120K. 7. I see NO end in sight. I’m currently in Portugal on holiday and not focused on calling and pursuing them. 8. Seriously considering talking to an attorney to see if I have any rights? Not holding out too much hope. I just want my miles back and awards that I was waiting until March 25 to claim. Accumulated over 400K loyalty points and had yet to claim awards.
    Not sure what else I can do. In closing , sad to lose my AA account number. so easy to remember all of these years. Appalled at the total lack of care and customer service on AA’s part. I own a customer service focused business and if I treated my customers this way, I’d be bankrupt. But wait, AA was bankrupt, I wonder how poorly or how much they had to beg the government to bail them out???

  14. These stories are all horrible. Mine is not. My Aadvantage account notifies me of redemptions by email automatically. Someone went to the trouble of signing me up for several dozen newsletters and other spam and flooded my email to try to hide the notices, I suppose. It didn’t work. I saw i4 tickets issued from Vietnam to Nigeria, 160K miles, and called AA. The wait time was stupid, and it was a weekend. I chose the call back option.
    They called back in a couple hours. I explained. They froze my account, canceled the tickets and said CS would get back to me Monday. They did by email, they requested the police report (which I did online), I provided it, changed email and password and account number. And within 24 hours merged historical status/activity. Miles returned a few days later.
    I found it quite easy.

  15. I received an email at 6am EST , comgratulating me on booking award travel. Someone booked a 55,000 business class trip from ABJ to CMN (cote d iviore – morocco).

    Called AA, waiting for the “security department” to call me back. Agent blocked my account and I can’t login now. Bummer that I am due to receive a 60,000 AA bonus miles promo any day now.

  16. Got hacked several weeks ago. Noticed my email overflowing with span, scrolled to the start of the spam bomb and found a couple AA emails notifying me that my email and password had been changed. Called AA immediately (3 hours after changes) and agent assured me that it was no problem and went about creating a new advantage account.

    Well, turns out it was anything but smooth sailing. Hackers still managed to drain `165000 miles on three separate tickets hours later. Took several call backs to find somebody who knew what they were doing to initiate the process of restoring miles (which included getting the infamous local police report). Several days after returning police report to AA the miles reappeared in my account (wasn’t notified, just kept checking). I can see see the three business class flights I booked from London to Abidjan Ivory Coast. Bastards.

    I highly recommend changing your passwords immediately to avoid this headache. Mine was old and likely compromised (appearing on dark web) years ago. Have gone through and purged similar password on other airline accounts, all my earliest. Be proactive here folks.

  17. I second Mike’s recommendation for Bitwarden. Open source software, with a great “fremium” business model. Makes it easy to keep strong passwords across platforms.

    My heartfelt condolences to everyone who had to deal with stolen miles. Thank you for sharing your stories.

  18. Someone stole all my miles and I did report it within the 90 days. I also did everything that was requested of me and yes it’s still not enough…… ANNOYED

    So let me get this right. What you are telling me now is that all that I been through and what was given to be me is unacceptable? I did everything which was asked of me.
    1) I went to the police station and report the fraud on March 19, 2024 @ 8:30am and the responding office name was Officer Kilrain #3108. The DC # given to me was 24-22-018818.

    2) I provided you all with the information above as soon as it was given to me. Then you all advised me that “I” had to go to City Hall to request a copy of the report and gave me thirty 30 days to get report.

    3) I paid $25.00 for the report and was advised that it will take 12 weeks which will be well passed that 30 days given. I contacted you all and advised that it is impossible to meet that 30 day window. I was then advised to send it when I receive it which is what I did. Now I am being told that the report provided me by the City is not valid/complete.

    4) The names are on report of the people who stole the miles but it looks like the CITY HALL redacted the names of the people who stole the miles as well as my phone number on the report. It appears to me that’s standard for them or their protocol . I did not have the option of telling them what to put on the report. You all already have the name of the individuals why am I being asked for something I had no control over. Do you all want me to pay you all $25.00 to get a report without the names being redacted?

    This process has been very stressful and I am very annoyed. I am senior citizen who had surgery when this theft was realized and as I told them from the start it was a hardship for me to met all the stipulations and yet I did and here comes some more…..

Comments are closed.