By Christopher Elliott
What would you do if you logged into your Chase account and found 200,000 Chase Sapphire points were missing?
You’d freak out, right?
And what if Chase refused to return the missing points?
You’d be pretty steamed. I know I would be.
So the fact that Seth Bloom was as level-headed as he was when he reached out to my advocacy team — well, that says a lot about him. The points, which are worth $2,000, had been redeemed in one of the scammiest ways possible: as Apple gift cards sent to an unknown address.
“It’s ridiculous,” Bloom told me.
Bloom’s case raises several important questions:
- What should you do if your rewards points are stolen?
- How can you prove fraud when the evidence is digital?
- What rights do consumers have when their accounts are hacked?
So let’s cut to the right to the chase.
“I can’t prove a negative”
Bloom’s ordeal began a few months ago when his Chase Sapphire account was hacked. The thief used his rewards points to buy 20 $100 Apple gift cards. Bloom didn’t notice the fraud until a few days later, when he logged into his Chase app and saw the deductions.
“I was shocked,” Bloom said. “I’ve been a loyal Chase customer for 15 years. I pay a hefty annual fee for this card. I expected better.”
(He pays $95 a year for his Chase Sapphire Preferred card.)
Bloom immediately called Chase, reported the fraud, and had his card canceled and replaced. He also changed his account password. But when he asked Chase to restore his stolen points, the company refused, demanding “evidence” that he didn’t receive the gift cards.
“How do you prove you didn’t receive something?” he says. “I can’t prove a negative.”
Bloom spent weeks calling Chase, emailing executives, and even contacting Apple for proof that the gift cards were never sent to him. But Chase’s fraud department remained unmoved.
“They kept saying they needed more evidence,” Bloom said. “I felt like I was stuck in a loop.”
What should you do if your rewards points are stolen?
If someone steals your rewards points, time is your most valuable asset. Acting quickly can make the difference between recovering your points and losing them for good. Here are the steps you need to to take to protect yourself and increase your chances of a resolution:
Report the fraud as soon as possible. Contact your credit card company the moment you notice suspicious activity. Most companies have dedicated fraud departments to handle these problems. The sooner you report it, the better your chances of recovering your points.
Change your account credentials. Update your password and enable two-factor authentication (2FA) if it’s available. This adds an extra layer of security to your account and makes it harder for hackers to regain access. And they will try.
Collect evidence. Save emails, text messages and statements. If the company asks for proof, this documentation can strengthen your case.
Document everything. Keep a detailed record of all communications with the company. Note the dates, times, and names of customer service representatives you speak with. If possible, follow up with an email summarizing the conversation to create a paper trail.
Escalate the issue. If the frontline customer service team isn’t helpful, ask to speak with a supervisor or escalate the issue to the Chase executive team. Again, many companies have dedicated executive customer service departments that handle complex cases.
File a police report. While it may seem excessive, filing a police report can provide an official record of the fraud. Some companies require this step before they’ll investigate further.
One more thing: You’ll want to monitor your account carefully after a theft. Keep a close eye on your account for any additional unauthorized activity. Hackers may try to strike again if they still have access.
In Bloom’s case, he reported the fraud to Chase within days of discovering it. He also changed his password and documented his interactions with the company. But despite his quick action, Chase’s response was slow, and its demand for evidence left him frustrated.
“It felt like they were putting the burden of proof on me,” Bloom said. “I did everything I was supposed to do.”
How can you prove fraud when the evidence is digital?
Proving digital fraud can feel impossible, especially when the stolen assets — like rewards points — are intangible. But with the right approach, you can build a strong case to support your claim.
Take screenshots. Take images of any unauthorized transactions, including dates, amounts, and descriptions. They’ll serve as visual proof of the fraud and can be invaluable when disputing charges.
Gather third-party verification. Contact any companies involved in the fraudulent transactions. For example, if your rewards points were used to purchase gift cards, reach out to the retailer to document that the cards were never sent to you.
Check your account activity logs. Many online accounts track login attempts and IP addresses. If someone hacked your account, this information can help prove that someone else accessed it.
And if that doesn’t work, you may have to look for outside help. A complaint with the Consumer Financial Protection Bureau or a consumer advocate can help.
Bloom sent Chase screenshots of the fraudulent transactions. Despite this evidence, Chase refused to restore his points, demanding even more proof.
Here’s the frustrating reality: Companies often place the burden of proof on consumers, even when the fraud is obvious. Also, many disputes are never seen by a person but processed by an AI bot. These systems fail to adequately review the case or can’t see an obvious sign of fraud.
The key is to be thorough and persistent. Digital fraud may be hard to prove, but with the right evidence and a proactive approach, you can fight back.
What should you do if your credit card account is hacked?
Under federal law, consumers are protected from unauthorized transactions on their credit cards. The Fair Credit Billing Act limits your liability for fraudulent charges to $50, and many credit card companies offer zero-liability policies.
But rewards points are in a gray area. They’re not considered cash or currency, so they’re not always covered by the same protections.
In other words, if someone steals your loyalty points, there’s probably no law that specifically protects you. Instead, you need to lean on the bank or credit card company to fix the problem as a goodwill gesture. (Technically, the points don’t even belong to you; the bank owns them. I have details on this bizarre rule in my guide to loyalty programs.)
So are the 200,000 points lost forever?
I reviewed Bloom’s paper trail, and it looked like someone from Chase had assured him by phone that this was “obviously” fraud and then promised a refund of his points, but then reneged.
Something about this case seemed strange. I asked Bloom if he’d shared his password with anyone. He said he hadn’t. So unless his password had somehow been exposed in a breach, it seemed as if the hack happened on Chase’s side.
Chase must have also known that he had provided all of the evidence he could. Asking for more just seemed like another way of rejecting his case, even though it had initially promised a refund.
Enough was enough. I contacted Chase on his behalf. Separately, Bloom also wrote to the CEO of Chase and appealed his case.
“Great news!” he reported. “Chase has finally agreed to restore the award points to my account. I think your intervention must have helped.”
Christopher Elliott is an author, consumer advocate, and journalist. He founded Elliott Advocacy, a nonprofit organization that helps solve consumer problems. He publishes Elliott Confidential, a travel newsletter, and the Elliott Report, a news site about customer service. If you need help with a consumer problem, you can reach him here or email him at [email protected].
