Scattered Spider–style attacks increasingly target airline loyalty accounts, where stolen credentials can be used to hijack frequent flyer accounts and redeem miles for fraud.
Investigations associated with the Scattered Spider ecosystem show how attackers combine impersonation campaigns and phishing infrastructure with manipulation of account recovery workflows to gain control of customer accounts.
For airline security teams, the lesson is not limited to one threat group. These incidents reveal a broader attack lifecycle in which impersonation, credential compromise, and account takeover (ATO) occur long before many traditional security controls detect the threat.
Understanding this playbook helps explain why airline loyalty fraud continues to succeed and where earlier visibility can disrupt the attack before miles are stolen.
Why Airlines Are Prime Targets for Scattered Spider Attacks
Airline loyalty programs present a uniquely attractive opportunity for attackers. They combine high financial value with large customer account bases and fast monetization pathways. Because miles function like a tradable digital asset, the scale of airline loyalty fraud has grown rapidly. Our analysis of the dark side of loyalty fraud and billion-dollar frequent flyer scams explains how attackers monetize stolen accounts.
Airlines are increasingly looking for ways to detect and disrupt loyalty fraud earlier in the attack lifecycle. Our guide on how airlines can stop loyalty account takeovers before miles are stolen explores the defensive strategies security teams are deploying to protect frequent flyer accounts.
Miles function as digital currency
Frequent flyer miles can be redeemed for flights, upgrades, and services, or transferred between accounts. Once attackers gain access to a loyalty account, miles can be quickly converted into travel bookings or sold through underground marketplaces.
Massive account populations
Major airline loyalty programs maintain tens of millions of customer accounts. Many rely on passwords reused across multiple services, creating opportunities for attackers to test stolen credential sets at scale.
Fast fraud execution
Unlike many financial fraud schemes, loyalty miles can be redeemed almost immediately. Attackers often complete bookings or point transfers within minutes of gaining access to an account.
These characteristics make airline loyalty programs a recurring target for identity-driven cybercrime.
The Scattered Spider Playbook
Investigations linked to the Scattered Spider ecosystem reveal a consistent pattern of identity-centric intrusion. Instead of exploiting technical vulnerabilities, attackers manipulate authentication systems and customer support processes.
The attack typically unfolds in several stages.
1. Impersonation and Social Engineering
Attacks frequently begin with impersonation. Attackers pose as legitimate airline customers and interact with support channels such as help desks or account recovery systems.
By convincing support staff that they are legitimate users, attackers attempt to trigger password resets or authentication changes that weaken account security.
2. Credential Harvesting
Phishing campaigns remain one of the most common entry points. Attackers deploy websites that mimic legitimate airline login pages and redirect victims through phishing emails, fraudulent advertisements, or spoofed domains. When victims enter their credentials on these pages, attackers capture the login information associated with the loyalty account.
These campaigns often rely on cloned login pages and lookalike domains designed to capture customer credentials. Our breakdown of airline impersonation fraud and fake airline websites explains how attackers use impersonation to harvest login credentials.
3. Authentication Manipulation
If multi-factor authentication (MFA) is present, attackers may attempt to bypass it through social engineering techniques or by exploiting account recovery workflows that allow authentication settings to be reset.
In some cases, attackers trigger repeated authentication prompts or intercept verification codes through compromised communication channels.
4. Account Takeover
Once attackers obtain valid credentials and bypass authentication safeguards, they log into the victim’s loyalty account.
Because the login uses legitimate credentials rather than malware or exploit techniques, the activity may initially appear indistinguishable from normal user behavior.
5. Miles Redemption and Monetization
The final stage involves converting stolen access into value.
Attackers may:
- redeem miles for flights
- transfer loyalty points to attacker-controlled accounts
- sell airline tickets purchased with stolen miles
By the time the victim notices suspicious activity, the miles may already have been redeemed or transferred.
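The stages above leave a recognizable sequence in account event logs: a support-driven reset or a login from an unfamiliar device, followed within minutes by a redemption or transfer. The following Python example is added here for illustration and is not code from the article or from any vendor; the event names, tuple layout, 30-minute window and response labels are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real airline logs: (time, account, action, device).
EVENTS = [
    ("2024-05-01T09:00:00", "FF1001", "login", "dev-a"),
    ("2024-05-01T09:05:00", "FF1001", "redeem_miles", "dev-a"),
    ("2024-05-02T14:00:00", "FF2002", "support_password_reset", "helpdesk"),
    ("2024-05-02T14:03:00", "FF2002", "mfa_reset", "helpdesk"),
    ("2024-05-02T14:06:00", "FF2002", "login", "dev-x"),
    ("2024-05-02T14:11:00", "FF2002", "transfer_miles", "dev-x"),
    ("2024-05-03T08:00:00", "FF3003", "login", "dev-new"),
    ("2024-05-03T08:02:00", "FF3003", "redeem_miles", "dev-new"),
]
# Devices each account has used before (assumed to come from login history).
KNOWN_DEVICES = {"FF1001": {"dev-a"}, "FF2002": {"dev-b"}, "FF3003": {"dev-c"}}

RECOVERY = {"support_password_reset", "mfa_reset"}   # stages 1 and 3
VALUE_MOVE = {"redeem_miles", "transfer_miles"}      # stage 5
WINDOW = timedelta(minutes=30)                       # assumed threshold

def find_takeover_chains(events, known_devices, window=WINDOW):
    """Flag redemptions/transfers that closely follow a reset or a new-device login."""
    last_recovery, last_new_login, alerts = {}, {}, []
    for ts, account, action, device in sorted(events):
        when = datetime.fromisoformat(ts)
        if action in RECOVERY:
            last_recovery[account] = when
        elif action == "login":
            if device in known_devices.get(account, set()):
                last_new_login.pop(account, None)   # familiar device: clear the flag
            else:
                last_new_login[account] = when
        elif action in VALUE_MOVE:
            reasons = []
            if when - last_recovery.get(account, datetime.min) <= window:
                reasons.append("auth_reset_before_value_move")
            if when - last_new_login.get(account, datetime.min) <= window:
                reasons.append("new_device_then_fast_value_move")
            if reasons:
                # Both signals together match the full chain: hold the transaction.
                response = "hold" if len(reasons) == 2 else "step_up_auth"
                alerts.append((account, action, reasons, response))
    return alerts

if __name__ == "__main__":
    for alert in find_takeover_chains(EVENTS, KNOWN_DEVICES):
        print(alert)
```

The check runs at the moment miles are about to move, so a hold or step-up challenge can be applied before the redemption completes rather than after the victim reports it.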

Why Traditional Defenses Miss These Attacks
Many fraud detection systems focus on identifying suspicious activity after a user logs in. While these controls remain important, they often activate too late in the attack lifecycle.
Several factors contribute to this detection gap.
Phishing activity occurs outside the airline infrastructure
Credential harvesting typically happens on external phishing sites. These interactions occur before the airline’s systems ever see the user or the attacker.
Social engineering targets identity workflows
Attackers frequently manipulate account recovery processes or customer support channels, bypassing technical security controls entirely.
Valid credentials appear legitimate
When attackers authenticate using stolen credentials, the login often looks identical to legitimate customer activity. Behavioral monitoring may only detect anomalies after fraudulent actions occur.
As a result, the attack can progress from credential harvesting to miles redemption before conventional defenses generate alerts.
Where the Earliest Signals Actually Appear
The earliest indicators of airline loyalty fraud rarely appear during the login itself.
In many cases, the attack begins before the victim interacts with the airline’s infrastructure. Phishing sites capture credentials on cloned login pages, impersonation campaigns redirect users to fraudulent domains, and attackers harvest authentication data long before an account login occurs.
When attackers eventually authenticate, they often use valid credentials and legitimate devices. At that point the activity can appear indistinguishable from a normal customer login.
This timing gap creates a blind spot for many fraud detection systems. By the time suspicious activity becomes visible inside the account, attackers may already have redeemed miles or transferred loyalty points.
The critical signals therefore appear earlier in the attack lifecycle, during impersonation campaigns, credential harvesting activity, and the first attempt to use compromised credentials.
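One pre-login signal a security team can collect itself is the appearance of lookalike domains that imitate the airline's login or loyalty pages. The following Python example is added here and is not from the article or any vendor product; the brand `examplair.example`, the lure-word list, the character substitutions and the scoring weights are all assumptions, and the candidate domains are constructed.

```python
OFFICIAL = {"examplair.example"}   # hypothetical airline domain (assumption)
BRAND = "examplair"
LURE_WORDS = ("login", "miles", "rewards", "loyalty", "account")
# Fold common digit-for-letter swaps and hyphen padding before comparing.
NORMALIZE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_domain(domain):
    """Return (score, reasons); a score of 0 means official or unrelated."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in OFFICIAL):
        return 0, []
    labels = [l.translate(NORMALIZE) for l in domain.split(".")[:-1]]  # skip TLD
    score, reasons = 0, []
    if any(BRAND in l for l in labels):
        score, reasons = 2, ["brand_in_label"]
    elif any(edit_distance(l, BRAND) <= 2 for l in labels):
        score, reasons = 2, ["near_brand_typo"]
    # Lure words only matter when the domain already resembles the brand.
    if score and any(w in domain for w in LURE_WORDS):
        score, reasons = score + 1, reasons + ["lure_word"]
    return score, reasons

# Constructed candidates, e.g. from newly registered domains or web referrers.
CANDIDATES = [
    "www.examplair.example",
    "examp1air-miles.example",
    "exampliar.example",
    "login.examplair.example.cdn-host.test",
    "weather-news.example",
]

def triage(domains):
    """Suspicious domains, highest score first (ties keep input order)."""
    scored = [(score_domain(d)[0], d) for d in domains]
    return [d for s, d in sorted(scored, key=lambda x: -x[0]) if s > 0]

if __name__ == "__main__":
    for d in triage(CANDIDATES):
        print(d, score_domain(d))
```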
Stop Loyalty Account Takeover Before Miles Are Stolen, with Memcyco
Airline loyalty fraud rarely begins with the login. By the time attackers access an account, credentials have often already been harvested through impersonation campaigns, phishing sites, or social engineering.
Memcyco’s preemptive solution helps airlines detect and disrupt these attacks earlier in the lifecycle.
The platform provides real-time visibility into credential harvesting activity, identifies compromised credentials and suspicious devices, and enables security teams to intervene before attackers can take control of customer accounts.
With Memcyco, airlines can:
- Detect phishing activity targeting customers in real time
- Identify compromised credentials before they are used to access accounts
- Expose malicious devices attempting account access
- Disrupt loyalty fraud before miles are redeemed
Book a demo and see for yourself how Memcyco helps airlines stop loyalty account takeover before it happens.
FAQs
What is airline loyalty account takeover?
Airline loyalty account takeover occurs when attackers gain unauthorized access to a frequent flyer account and use the stolen credentials to redeem or transfer loyalty miles.
Why do hackers target airline loyalty programs?
Airline loyalty programs are attractive targets because frequent flyer miles have financial value. Attackers can redeem stolen miles for flights or sell them through underground marketplaces.
How do attackers steal airline loyalty miles?
Most attacks follow a similar sequence: impersonation, credential harvesting through phishing sites, authentication manipulation, account takeover, and redemption or transfer of loyalty miles.
Why are airlines targeted by groups like Scattered Spider?
Threat actors associated with the Scattered Spider ecosystem have demonstrated how identity-driven attacks can target airline loyalty programs. The combination of valuable miles, large customer account bases, and fast monetization makes airlines an attractive target.
What are early indicators of airline loyalty account compromise?
Early signals can include phishing campaigns targeting airline customers, cloned login websites harvesting credentials, suspicious credential reuse attempts, and unusual device activity associated with login attempts.






