
I STOOD frozen in horror as I saw my Nectar points account had been drained in the middle of my local Sainsbury’s in December.
I’d built up £110 worth of loyalty points – but it turns out I was just one of thousands of customers who have had theirs cruelly swiped by cunning scammers. Here, we reveal how loyalty points are being stolen on the dark web – and explain how to avoid it happening to you.
I had painstakingly built my Nectar points balance over the last year, saving them up to slash money off the expensive Christmas food shop.
I do it every year – as a mum with three kids, come Christmas time you need every bit of financial help you can get.
On Christmas Day I cook for my own family of five and my extended family so it is always a big shopping bill.
I do all my grocery shopping in Sainsbury’s and also buy all the petrol for our family car, a Peugeot 5008, so over a year we rack up a fair amount of points.
That’s why I was horrified last month when I went to spend them and discovered the balance had been slashed to just 3,000 points — worth a measly £15.
“That just can’t be right,” I said, dismayed.
When I logged back into my Nectar account and reviewed my statement, I was shocked to discover that on July 28, 2025, two transactions at a Sainsbury’s store listed as “White Rose” had used a total of 22,014 points (worth £110) on the same day.
I googled it and found it was in a shopping centre in Leeds.
Given I live over 200 miles away in Richmond-Upon-Thames in London, I couldn’t fathom how this had happened. I stared at the screen, completely baffled, racking my brain to see if I’d been to Leeds and somehow forgotten it in a strange bout of temporary amnesia.
It was only when I was explaining it to a friend that she told me she’d heard of a new scam where fraudsters “steal” your loyalty points.
I was shocked.
The points spent from my account were worth over £110 and I realised that this was no different really to a thief taking money from my bank account.
I contacted Sainsbury’s and with very little fuss, they set me up a new account and reinstated my points, for which I was grateful.
But I want to warn others that this can happen frighteningly easily.
In autumn last year, the supermarket introduced Nectar QR codes in apps as a more secure way for customers to collect and spend points.
Nectar said the number of customers affected by this fraud each year is small.
It said: “We’re sorry to hear about this customer’s experience and have been in touch with the account holder to issue them with a new Nectar card and refund their points.”
How loyalty points are being traded online
The experience of The Sun’s Associate Editor, Caroline Iggulden, isn’t unique.
Tech-savvy scammers are increasingly targeting loyalty schemes at Nectar, Tesco, Boots and British Airways, draining points like personal piggy banks in a growing wave of digital fraud.
A report from the Loyalty Security Alliance says up to 5% of loyalty cards across retailers have now been compromised, putting an estimated £300 million worth of points at risk.
Chief Consumer reporter, James Flanders, explains how this cunning scam works – and how to keep YOUR points safe.
Why loyalty cards are easy targets for crooks
While banks have strict security walls, loyalty schemes have historically been easier to crack – which is why thieves love them.
Frank Teruel, from anti-crime platform Arkose Labs, describes the current situation as “loyalty card cyber warfare,” warning that points are “probably the least protected digital currency you have.”
Criminals use a tactic called “credential stuffing”.
This is where they take email and password combinations leaked from other websites and use automated “bots” to try them on Nectar, Tesco, or Boots accounts.
Because so many Brits use the same password for everything, the hackers often get in.
It’s not just a stolen fiver from your loyalty card account you should be worried about – hackers can scrape personal information from your account.
Your loyalty account is a goldmine of sensitive details like your full name, home address, date of birth, and often the last four digits of your payment card.
Mastercard said this information, if stolen, can then be sold in criminal black markets.
“With your address and shopping habits, a fraudster can call your bank, pass security questions, and eventually drain your savings or take out loans in your name,” it said.
“It’s a gateway to total identity takeover.”
The cloning trick that makes loyalty cards weak
If you have a physical loyalty card, beware – they have particular weaknesses that scammers are taking advantage of.
Because older loyalty cards rely on a static barcode or magnetic stripe – rather than a secure chip and PIN – they are frighteningly easy to clone.
Scammers can grab your card number – sometimes just by looking over your shoulder or using software to generate valid sequences – and load it into a generic barcode generator app on their phone.
They don’t need your actual plastic card.
Once a hacker has access, they have two main ways to cash out.
They could walk into stores and spend your points or sell the login details to other customers online who want “cheap” shopping. This is typically done on the messaging app, Telegram, or on the shadowy dark web.
Marijus Briedis, chief technology officer at NordVPN, said: “Stolen loyalty points are effectively treated like a digital currency on the dark web.
“Points from supermarket schemes can be converted into gift cards, electronics or even fuel discounts, making them extremely easy to monetise.”
How points are sold on ‘Telegram’ for £100s
The messaging app Telegram has evolved into one of the biggest marketplaces for stolen points in the UK, says Marijus.
“Telegram wasn’t designed to be a criminal marketplace, its intention is to be a secure messaging platform.
“However, its strong encryption and relatively hands-off approach to moderating content have made it an attractive space for scammers trading stolen loyalty accounts.”
There are countless private channels where illegal trade in stolen accounts — such as Nectar or Tesco logins — can slip under the radar unnoticed.
In one channel Sun Money tracked, one crook was offering 100 Nectar membership codes for £60, 200 for £100, or a bulk deal of 500 for £200.
After we reported the channel, Telegram took it down.
Telegram said: “The sale of stolen credentials is explicitly forbidden by Telegram’s terms of service and is routinely removed by moderators.”
How supermarkets are trying to fight crooks
Retailers are racing to close the net on these fraudsters.
Simon Roberts, chief executive of Sainsbury’s, told The Sun last year that loyalty points theft is a “big new challenge”.
There are ways to protect your points from being swiped.
In February 2025, Sainsbury’s launched a ‘Spend Lock’ feature, allowing customers to freeze their points so they can’t be spent without permission.
Shoppers need to use a QR code in the Nectar app to collect and spend points, replacing the old barcodes that were easier to clone.
Go into your Nectar app account settings and find the section marked “Lock or Unlock Spending”.
Click to lock your points – you will still earn points while locked, but nobody can spend them.
How to lock your Nectar card points
DON’T wait until you’ve been hacked. Here is how to use Sainsbury’s new security tools to protect your Nectar points:
You’ll first need to open the Nectar Card app (available on Google Play or Apple Store).
Then tap into your account settings and find the section marked “Lock or Unlock Spending”.
Click to lock your points.
You will still earn points while locked, but nobody can spend them.
When you want to spend your points, simply open the app and unlock them.
It is usually instant, though it can take a few minutes in busy stores.
To protect your balance, stop using your old card barcode.
Update your app to get the new QR code on your home screen.
If you use your phone’s wallet, add the new QR code from the app.
Check to see if you can ditch your physical card – which can be easier to duplicate or lose – for a digital version. For example, Boots and Tesco offer digital versions.
Beware of paper vouchers, like Tesco Clubcard offers – security experts say they can be easily cloned too.
Tesco said that they take the security of Tesco Clubcard accounts very seriously and have extensive measures in place to prevent fraud.
Your refund rights if you’re hit by crooks
If a shopper wakes up to find their points gone, the path to a refund is not as clear as it is with a credit card.
Unlike a bank card where the law guarantees a refund for fraud, loyalty points are considered a perk rather than cash.
Sarah Coles, head of personal finance at Hargreaves Lansdown, said: “Replacing missing points is up to the discretion of the retailer, but most of them will do so if you have been a victim of fraud.”
Consumer rights expert Martyn James said you need to act fast.
“Sainsbury’s, Tesco and Boots have long been burned by the bad publicity around thieves targeting loyalty points and you’ll need to complain as you notice to be in with a chance of getting them back,” he said.
He added: “This is why it’s vital to get into the habit of regularly checking your points.”
A Nectar spokesperson said: “Security is extremely important to us and we have a range of measures which help to safeguard our customer accounts.”











