Threat · Phishing & impersonation

Fake credit card rewards / loyalty points expiring phishing — impersonates Chase Ultimate Rewards, Amex Membership Rewards, Citi ThankYou, Delta SkyMiles, or other reward programs claiming points will be forfeited unless redeemed via a link that harvests card credentials or account login; high conversion because victims fear genuinely losing their accumulated points

fake-credit-card-rewards-points-expiring-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Phishing emails impersonating credit card rewards programs (Chase Ultimate Rewards, Amex Membership Rewards, Citi ThankYou Points, Capital One Miles) or airline loyalty programs (Delta SkyMiles, United MileagePlus, American Airlines AAdvantage) with fake expiration notices — claiming the victim's accumulated points or miles will be forfeited unless they "redeem now" via a link that harvests card login credentials or triggers a payment card form.

Key facts:

(1) The psychological mechanism is especially effective: unlike generic phishing emails, reward-points expiration notices exploit loss aversion — behavioral economics research shows that people feel the pain of losing something they already have ("their" 50,000 points) more acutely than the equivalent gain; victims act quickly without verifying the email's legitimacy.

(2) Most major credit card reward programs (Chase, Amex, Citi, Capital One) do not actually expire points while the account is open and in good standing — the "expiration" premise is largely false; airline miles (Delta, United, American) do expire after 18–24 months of inactivity, which makes the lure somewhat more plausible for those programs.

(3) FTC 2024: financial product and service impersonation (which includes rewards program phishing) is a growing category, with losses concentrated among consumers who hold premium travel credit cards — a demographic with above-average income and a higher willingness to act on redemption emails.

(4) Legitimate rewards program communications always arrive from verified company domains, include the specific points balance on file, include a List-Unsubscribe header, and link to the official rewards portal — they never threaten immediate forfeiture with a countdown or include a standalone login form outside the official site.

Warning signs: sender not the official card issuer or airline domain, "your points expire in X days" with no account-specific details, link to an unfamiliar domain, no List-Unsubscribe header, missing or generic points balance.
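
The warning signs above can be checked mechanically. The sketch below is an added example, not Gorganizer's code: the domain allowlist, the sign names, the regular expressions and both sample messages are assumptions constructed for illustration. It returns the list of signs present rather than a verdict, so a caller can combine it with other signals.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist for illustration; a real one needs each issuer's verified sending domains.
OFFICIAL_DOMAINS = {"chase.com", "americanexpress.com", "citi.com", "delta.com"}
EXPIRY_RE = re.compile(r"\b(?:points|miles)\b[^.]{0,60}?\b(?:expir\w*|forfeit\w*)", re.I)
BALANCE_RE = re.compile(r"\b(?:\d{1,3}(?:,\d{3})+|\d{4,})\s+(?:points|miles)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_official(host):
    """True only for an allowlisted domain or a subdomain of one (suffix match on a dot)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def warning_signs(raw):
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    # Leaf parts only; transfer-encoded bodies are not decoded in this sketch.
    body = "\n".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    text = msg.get("Subject", "") + "\n" + body
    signs = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_official(sender_domain):
        signs.append("sender_not_official")
    # Expiration threat with no specific balance on file.
    if EXPIRY_RE.search(text) and not BALANCE_RE.search(text):
        signs.append("expiry_without_balance")
    if any(not is_official(urlparse(u).hostname) for u in URL_RE.findall(body)):
        signs.append("link_unfamiliar_domain")
    if msg.get("List-Unsubscribe") is None:
        signs.append("no_list_unsubscribe")
    return signs

# Constructed sample messages (not real traffic).
PHISH = """\
From: "Chase Ultimate Rewards" <rewards@chase-rewards-alerts.example>
Subject: Your points expire in 3 days

Your points will expire in 3 days. Redeem now: http://redeem.chase-rewards-alerts.example/login
"""
LEGIT = """\
From: Chase <no-reply@email.chase.com>
List-Unsubscribe: <https://email.chase.com/unsub>
Subject: Your Ultimate Rewards summary

You have 52,340 points available. Visit https://www.chase.com/rewards to view them.
"""

if __name__ == "__main__":
    print(warning_signs(PHISH))
    print(warning_signs(LEGIT))
```

The suffix match in `is_official` requires a leading dot, so a lookalike host that merely contains an allowlisted name, such as `chase.com.evil.example`, is not treated as official.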

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
