narvik

So, how often does this happen, you think?
And can anyone figure out what exactly what went on here? I guess the hotel staff has to be in on it?

"[A couple] used someone else's reward account information to book and stay at the Marriott hotel in Atlanta, Georgia."

StevenSeagalFan

I was a manager at a major airline in the US and had corporate security call me at the gate and say hey don't board these 2 people they're using someone else's miles and they're stolen, they'll even call someone who pretends to be that person, but the jig is up and we've caught on.

Nazdoom

I find it pretty ballsy to use someone's account without their permission to book a stay, even for a thief. Like, how do you enjoy your stay and sleep through the night worrying the charade could fall apart and someone could come knocking at any moment?

For such a small amount of value to steal (a couple hundred dollars at most, really), it's fairly high risk low reward. Surely stealing some electronics or a bike or car would yield a better return, no?

I would assume a thief with access to a Marriott account would try to convert the points to another points currency or even gift cards or physical merchandise, and then redeem that for anothe thing, in efforts to launder the points and obfuscate their origin to have a better shot at cashing them in for something flippable before ever getting caught.

I would guess the people actually staying are not the thieves themselves, but rather people who thought they booked a real stay through some legitimate third-party that just so happens to be the thief, or their partner, collecting cash from real guests in exchange for discounted stays that are in reality just booked on stolen points.

But who knows, maybe the thief is both sophisticated enough to steal points but dumb enough to not be able to cash them in without getting caught.

tjk1976

Years ago, when I was in SPG's pilot Ambassador program (which I was invited to participate in before the program was launched), I got call from my ambassador asking if I was in Seattle because she noticed that I had checked into the Sheraton there. She thought it was weird because I hadn't mentioned it and I didn't book it through her. Long story short, it turned out that somebody had checked in fraudulently using my membership number. Fortunately, my credit card wasn't charged, but they did get upgraded because of my status. I don't know what happened to the people involved, but I was issued a new SPG number because of it. Based on the OP's video and my own experience, I guess people using other people's membership numbers is a thing.

narvik

Is involvement of hotel staff necessary to pull this scam off, you think?

1mileman

this is exactly why mobile check in and forcing you to come to the desk is the reason more often than not. so next time you complain about it, come back to this thread!

tjk1976

Great question. It does make you wonder though. Every single time I have ever checked into a hotel (which is hundreds and hundreds of times over the years), I have been asked to present ID at check-in. The episode I described above probably happened in 2010 or thereabouts, so I'm not sure if mobile check-in even existed yet. So, yes, it's possible that it was an inside job. SPG was pretty tight lipped about the details of what happened, other than insisting that I get a new membership number since my old one was compromised. And if memory serves, they let me keep the credit for the fraudulent stay for the inconvenience.

applesauce

Seems like this could easily be resolved with non-crappy MFA and GPS.

Schnit

This is a crazy video. What it sounds like to me is that Rico runs a scam to make money selling reservations in other people's names. Probably doing it from a fake profile, making it harder to track back to him.

InFlightJay

This happened to me that year as well and at a Marriott property.

I was in traveling in Western Europe and did not have any issues for most of my trip. I check into a new hotel in a good country, one that you don't expect fraud in. That evening, someone must have taken my membership number and booked two rooms in another Marriott hotel in the same country, but in a different city (2 hrs away). The only way I found out was when I was checking my Bonvoy app the next day. I saw two reservations and thought it was a glitch. I did not get any email for the reservations either. It was several thousand dollars for the rooms. I called the hotel directly and asked about the reservation and they wanted to charge me a cancellation fee! I explained it made no sense for me to book the rooms when I was staying in another city. The front desk person was not helpful but when I mentioned I was going to call headquarters they reluctantly cancelled and waived the fee. I ended up calling the Marriott Titanium hotline and they launched an investigation after I explained the situation. They couldn't really answer how 2 resverations wouldn't send an email notification and made me set up extra security. I've never had any issues with my account. for the many years I've been a member. After a few months they got back to me and said their investigation didn't find hotel staff were involved. I always thought it was a bunch of BS and now this video makes me think Marriott is aware how fraud is easily done by using a membership number.

I highly suspect hotel front desk passed my membership number and they booked in the extra rooms via the other hotel's reservation system. Probably thinking they'd charge me and let my credit card take the hit and fraud protection cover the expense (I'd be unaware because I'd have charges for my primary stay). I found out the second hotel is known for criminal activity in that particular country. This video totally makes me think it's an inside job because how else would someone know to use a membership number that has payment details saved.

tjk1976

Having now watched the video (43:56 of my life that I'll never get back), it makes sense how the scam is intended to work. It relies on the FD clerk at check-in to either be poorly trained or not to be paying attention. Since it's possible to make a legitimate reservation and add a second guest's name at the time of booking and asking that they allow the second guest to check in first because the member is arriving later (on a later flight, for example), scammers have figured out that they can game it for nefarious purposes. The suspects in the video exploited the process using some third-party scam artist who had fraudulently obtained a member's account information and is going around selling rooms on Instagram and paying for them using the victim's Bonvoy points. In this particular case, it wasn't until the suspect couple was physically checking in that they asked to add the female suspect's name to the reservation. That's when the FD clerk should have clued in that something wasn't right.

I have, on occasion, asked that my spouse be allowed to check in before my arrival and such requests have always been granted (after all, the requirement is that the member stay in the room, not that they be present at check-in). I can now see how there are vulnerabilities associated with hotels letting anybody other than the member him/herself check in.

KRSW

Here's a similar story I posted last year: Man gets into someone else's Bonvoy account, makes res, arrested

Schnit

What we dont know from the video is who/why she was added as the second guest. Rico could have called the hotel, said he was the person who is being scammed, and request their friend who is arriving first to be added. This would be no different than what you did, but they just dont know it is really Rico

tjk1976

Except, the FD clerk who figured out that something weird was going on (a different clerk than the one who checked them in) told the investigating officer that the suspect couple added the female suspect's name to the reso during check-in. You're not wrong though, "Rico" could easily have done it too when he made the fraudulent booking posing as the victim member.

Xero

Some tips for keeping your Marriott account secure:

• Make sure your password does not appear on https://haveibeenpwned.com/Passwords. If it does, change it immediately.
• Make sure your password is complicated and unique. Ideally, it should be a randomly generated password (ie: https://1password.com/password-generator/)
• Make sure you are receiving email alerts from your account. That way, you can immediately address anything suspicious.
• Make sure all of your personal info on your account is up to date, including both your phone and email.
• Enable 2-factor authentication.

Of course, nothing is foolproof. Somebody can always call Marriott pretending to be you. But if you can keep your login information off the dark web, your chances of being hacked are much smaller.