Sainsbury's shoppers still losing millions of Nectar points after widespread scam

2025-06-04 HaiPress

Amber Shuker-Bright (left) and Fariba Rad (right) were among those affected

Scammers are still having a shopping spree with stolen Nectar points, with shoppers seeing their accounts drained in places they have never visited.

Meanwhile, some say they have been locked out of their accounts entirely and have asked Sainsbury’s for an explanation.

The supermarket introduced an ‘account lock’ feature to their loyalty app in February to try and crack down on the problem – but customer services reps are still fielding dozens of complaints.

Mum-of-two Fariba Rad, from Putney in London, told Metro she was ‘really upset’ to get two emails on Sunday morning thanking her for spending her balance.

‘First I started thinking about when I was at Sainsbury’s, but then I saw the area was Oakley and I said to myself, “someone’s hacked my points”,’ she said.

The thieves spent £12.50 in two transactions of 1000 and 1500 points, leaving her with just 194 points, worth 97p.

One shopper asked a customer service rep, ‘What on earth is happening?’

Another said they were ‘going nuts’ trying to resolve £100 of lost points and then being locked out of their account.

Another asked, ‘I see your feed full of the same issues. Do you have a major problem?’

Some shoppers contacting Nectar online said their points had been spent while they weren’t even in the UK, while others said they were having problems with the app and ‘can’t even log in’.

In recent months, retail cybersecurity has come into the spotlight after Marks and Spencer was hit by a devastating hack which is still not completely resolved, with online shopping unavailable.

Supermarkets Co-op and Harrods were targeted by hackers too, while sports brand Adidas also fell victim – so the natural question for many was if Sainsbury’s could also have been compromised.

But the supermarket said they were not experiencing any IT issues.

They confirmed that Fariba had fallen victim to fraud, and that criminals use a range of tactics to try and profit from their popular loyalty scheme, which has over 23 million members.

The ease with which scammers can access Nectar points was highlighted in January, when This Is Money reported that over 12 million points, worth some £63,000, had been taken in the year prior.

'I haven't even left my house'

Another Sainsbury’s shopper, 43-year-old Amber Shuker-Bright, pictured at the top of this article, said she and her husband lost £60 of points.

‘We do what most people do – save them for Christmas,’ the mum-of-one told Metro.

She realised something was wrong when she got an email thanking her for redeeming 2000 points in Brixton on April 12, but thought: ‘I’m in Putney and I haven’t even left my house.’

She said her husband lost even more this weekend, when scammers spent 10,000 of his points, worth £50, in Camden.

She did not know there had been issues with points theft in the past, or that there was an option to lock her account, saying this should be made more clear.

Sainsbury’s has refunded the couple’s points after checking they were spent outside of their usual area, but sales assistant Amber said she is worried many customers wouldn’t even realise they were victims, as they might assume their partner had spent the points on a linked account.

She said the incident left her worried about how scammers got her details, and what else they may have accessed.

This Is Money reported that scammers were selling account numbers online, although it’s unclear how they accessed them in the first place. Sainsbury’s has not revealed how they think scammers are doing this, fearing that it could encourage more fraud if they do.

Fariba, a 44-year-old professional placement advisor, said she struggled to resolve the loss of her points because her mum was the primary account holder, despite using the card ‘for years’ with her email address – a problem that others also reported to customer services reps.

Eventually, she managed to resolve the issue and will be sent a new card with the lost points added to it.

But she described the process as ‘really pointless and a waste of my time’, saying the experience made her concerned that criminals have her details.

How are scammers able to steal Nectar points?

There are no ID checks to spend points, except at Argos, where checks apply if the amount is over £50.

A loophole meant that anyone with a user’s account number or barcode could potentially spend their points, unless the spend lock feature was turned on.

Last year, Cian Heasley, Threat Lead at cyber security firm Adarma, told Metro: ‘The specific nature of this vulnerability hasn’t been disclosed, but it could be that the attackers are conducting a brute-force attack. In this type of attack, malicious individuals, either manually or through automation, attempt to log into a customer reward portal using randomly generated reward account numbers.

‘When they do not receive a “no such user” or similar error message, they know the account is active and can generate a barcode scannable account identifier to spend the reward points.

‘To defend against this attack, app developers should incorporate security measures into the app’s design. For instance, they should require a full login or identity authentication to spend points and ensure that login portals do not indicate whether accounts are valid or not. Limiting the number of login attempts before imposing a timeout can also slow down brute-force guessing attacks.

‘The attackers may also be using credential stuffing, a cyber-attack where hackers use breached account information, like usernames and passwords, to gain unauthorised access to other online accounts. To protect against credential stuffing, it is crucial that individuals do not reuse passwords across different accounts, enable multifactor authentication whenever possible, and consider using a password manager to store and manage passwords for various apps and websites securely.’

People saw their points spent in places they have never been (Picture: X)

Shoppers have been asking if the app is working correctly (Picture: X)

One customer said: ‘I can’t even log in. I see others have the same issue. What’s going on?!’

A Nectar spokesperson said: ‘The security of our customer accounts is our highest priority and the proportion of those impacted by fraud each year is very small.

‘We have a range of measures which detect and in many cases prevent fraud, including point spending confirmation emails and our Spend Lock feature.’
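The three defences Heasley lists (a reply that does not reveal whether an account exists, a timeout after repeated failures, and a full login before points can be spent) shown side by side with the leaky pattern, as an added Python example that is not Nectar's or Sainsbury's code; the account numbers, PINs, balances and the `Portal` class are constructed stand-ins.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample accounts (numbers and PINs are made up for this example);
# a real system would store PINs with a proper password hash, not bare SHA-256.
_ACCOUNTS = {
    "9826000011112222": {"pin": hashlib.sha256(b"4821").hexdigest(), "points": 2500, "spend_lock": True},
    "9826000033334444": {"pin": hashlib.sha256(b"1990").hexdigest(), "points": 10000, "spend_lock": False},
}
_DUMMY = hashlib.sha256(b"").hexdigest()  # compared against when the account is unknown

def lookup_leaky(account_no):
    """The weak pattern from the quote: the reply itself reveals whether an account exists."""
    return "no such user" if account_no not in _ACCOUNTS else "ok"

MAX_FAILURES, LOCKOUT_SECONDS = 5, 900

class Portal:
    """Hardened portal: one error text for every failure, a timeout per account and
    per client after repeated failures, and authentication required before a spend."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)  # (scope, key) -> timestamps of failed attempts

    def _throttled(self, scope_key, now):
        recent = [t for t in self.failures[scope_key] if now - t < LOCKOUT_SECONDS]
        self.failures[scope_key] = recent
        return len(recent) >= MAX_FAILURES

    def authenticate(self, account_no, pin, client="unknown"):
        now = self.clock()
        keys = [("acct", account_no), ("client", client)]
        if any(self._throttled(k, now) for k in keys):
            return False, "too many attempts, try again later"
        acct = _ACCOUNTS.get(account_no)
        supplied = hashlib.sha256(pin.encode()).hexdigest()
        # Always run a comparison so an unknown account costs the same as a wrong PIN.
        ok = hmac.compare_digest(supplied, acct["pin"] if acct else _DUMMY) and acct is not None
        if not ok:
            for k in keys:
                self.failures[k].append(now)
            return False, "invalid account number or PIN"  # identical for both failure causes
        return True, "authenticated"

    def spend(self, account_no, pin, points, client="unknown"):
        ok, msg = self.authenticate(account_no, pin, client)
        if not ok:
            return False, msg
        acct = _ACCOUNTS[account_no]
        if acct["spend_lock"]:
            return False, "spend lock enabled"
        if points > acct["points"]:
            return False, "insufficient points"
        acct["points"] -= points
        return True, f"spent {points}"
```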