Fraud on Velocity Frequent Flyer accounts


Can you somehow reset a velocity password without logging in? Madz had a unique password, so how can this happen?

It would be great if each report here confirmed if a unique password is used.
 
Can you somehow reset a velocity password without logging in? Madz had a unique password, so how can this happen?
If the hackers have accessed your email account they can use the 'forgot my password' link on the VFF login page (to get sent a 'reset password link' email and reset it that way assuming they know your old one?).

Maybe some people have followed a link in a phishing email/SMS/ad, and entered their VFF credentials there without realising it's fake.
 
If the hackers have accessed your email account they can use the 'forgot my password' link.

Maybe some people have followed a link in a phishing email/SMS/ad, and entered their VFF credentials there without realising it's fake.
Go back a few posts for my full story, but I did click on a PDF in a work email. From that point my work email has been used to create a zillion accounts on a zillion websites. It's a problem where websites use an email as a username, but Velocity doesn't. The problem with Velocity, in my case, is that my email address was changed without me being notified. I don't know how my email address and Velocity number were "matched". I managed to change it back before any damage but have since received two more hacking attempts where I did get the forget your password link. My work email, which is also my Velocity email, is listed on several public websites and I send to tonnes of clients etc each year, so it's not or doesn't have to be a phishing thing.
 
I’ve had 700,000 points transferred out fraudulently on 31 July and 2 August. I noticed on Tuesday night and called Virgin immediately. It’s the same story as others, the hackers have changed my email, phone etc and booked flights to London, Shanghai, San Francisco, New York and more in names that I have never heard of. They have frozen my account and said they will launch an investigation that will take 30 days. The weird thing is that I updated my password for the first time in a few years in early July, to a unique password.

This is tens of thousands of dollars' worth of points. They better be able to cancel those redemptions!
Intrigued by this.

Maybe I'm missing something here, but of all the types of fraud you could choose to do, you'd think booking international flights with stolen FF points would surely be one of the dumbest... Unless you are compounding the crime by also travelling on a fake passport, surely the identities of the people catching those flights are going to be trivial for the authorities to determine?
 
but I did click on a pdf in a work email
Just in case you haven't done so already, you've scanned for viruses/malware by now I take it? Clicking on a pdf link can do a lot more than expose your email address, if they've used it to install malware they potentially have access to everything on your machine.
 
Maybe I'm missing something here, but of all the types of fraud you could choose to do, you'd think booking international flights with stolen FF points would surely be one of the dumbest
They probably have a scam set up selling half-price flights or something, take the cheap payment off unsuspecting victims, book using stolen Velocity points... Looks like Velocity don't have any restrictions on who you can book reward tickets for... and disappear.

My guess would be they are getting payments in cryptocurrency and targeting people who want to spend their crypto rather than bring the income through proper channels... there may be other explanations, but that one is my non-evidence based guess.

 
Oh that's horrible @Happy Dude
I wonder if they got your Velocity number from an email in your account (if they got access to your work email account). Then if they were in there they could action then delete password reset links overnight before anyone realised?

Velocity should also send us an SMS when account details are changed (QFF do this)
 
Oh that's horrible @Happy Dude
I wonder if they got your Velocity number from an email in your account (if they got access to your work email account). Then if they were in there they could action then delete password reset links overnight before anyone realised?

Velocity should also send us an SMS when account details are changed (QFF do this)
IT told me they couldn't have done that and that they're soon bringing in a system that allows access to company servers etc from only a company device. I did get into "trouble" for using work email for personal things, which I do because it's easier to deal with just one. Everything I've pretty much ever signed up to has been with my work email. Occasionally I'll sign up with a Hotmail, Gmail etc when exploiting 'sign up as a new customer' type offers.
 
Just in case you haven't done so already, you've scanned for viruses/malware by now I take it? Clicking on a pdf link can do a lot more than expose your email address, if they've used it to install malware they potentially have access to everything on your machine.
We were hacked a few years ago so possibly not the best IT dept around. I haven't scanned but IT may have done that when I told them about it. I don't have any admin rights etc.
 
IT told me they couldn't have done that and that they're soon bringing in a system that allows access to company servers etc from only a company device.
Ah sorry, I assumed you were on a work device when you mentioned work email. If you were on a personal device then, as advice from others above, that needs to be scanned.
 
Ah sorry, I assumed you were on a work device when you mentioned work email. If you were on a personal device then, as advice from others above, that needs to be scanned.
No you assumed correctly. I was on a work device. I assumed that IT did scans or whatever was needed security-wise. IT assured me the hackers couldn't have accessed anything on my computer. Like you, I thought they could and had read my emails to get info such as Velocity #, but I'm told that wasn't possible.
 
Use a password manager and randomly generated password - never reuse passwords between websites and never share your master password. It should already be built in to any relatively modern device/browser.

For most people that will stop 90% of attacks on your account that rely on passwords being reused across websites. MFA and passkeys etc are even better of course.

Of course Velocity’s account security is laughable. There’s no mandatory MFA for points or high-risk transactions, nor does it even notify you of suspicious login activities or have a way for you to audit those.
 
In the past 2 weeks I've received "we detected unusual (successful?) login activity" emails for my Avianca LifeMiles account...but more concerningly my personal email account. IP addresses in the US in both cases...where I wasn't. Both use strong, unique passwords.
 

So when accounts are suspended, are they suspending all status benefits, i.e. priority boarding, check-in, lounge, seating etc? Assume so as account not valid. If so, that sucks, and is there any chance of retrospectively claiming points / SC and additional time on status level once it's sorted?
 
I think only their frequent flyer accounts are suspended, not the airline account. E.g. Velocity account, not Virgin account. So status still intact.
 
All good advice offered in here

Single point of failure

Unfortunately one needs to diversify their finances AND diversify their passcodes IMHO. Banking passwords must be unique, plus anything that can provide ID info.

Running two or more email (and a work one) accounts affords some peace of mind.

The crooks will always likely be one step ahead and combatting their approach especially if they get access to data dumps like Medibank or Optus or All don’t aid you in keeping all your various accounts safe
 
Would be nice if we could "lock our points".
Like what we can do with our bank cards.
VFF could set up, when we call them, set up a verbal password/passcode, to burn points.
But I guess it will cost VFF $, and NR wouldn't be too keen on that.
2FA/MFA are all scammable, it's only when and if they set up a verbal code word, that only VFF and the member know, that is the only safe way.
Unless of course, the scammers crack into VFF's records.
 