The FTC issued a 2024 alert about a wave of fake "your rewards expire today" texts and emails copying the urgency of real hotel-program warnings. Most are phishing. Here's how to tell them apart, and why a reminder you set yourself is the only one you can fully trust.
Real programs don't do any of these.
Real programs send warnings 30 to 90 days before expiration, not the same day. Manufactured urgency is the most reliable scam signal.
Real programs tell you to log in to your account, not to redeem through a one-tap link in the email.
Lookalike domains such as "marriott-rewards.co", "hilton-points.support" and "ihg-bonus.net" look like the real thing at a glance, but not on inspection.
Real programs have your name, your member number, and often your status tier. Generic greetings are a tell.
No legitimate hotel program will ever email you to ask for your password or your full credit card number. Ever.
Hotel programs rarely use text messages for expiration warnings. A text demanding action within hours is the scam pattern the FTC flagged in 2024.
Each major program has a recognizable pattern. The cadence and the sender domain matter more than the wording, since wording is the easiest thing for a scammer to copy.
Marriott Bonvoy: warnings come from email.marriott.com or marriott.com, typically 60 to 90 days before expiration, addressed to your name, with your member number visible. Action is "log in" or "see your account", not "click here to save your points".
Hilton Honors: from email.hilton.com or hilton.com. Similar cadence. Often references your last stay or last activity date.
IHG One Rewards: from ihg.com. Tighter window, since the 12-month inactivity clock means warnings can land 30 days out. Still no "expires today" text.
World of Hyatt: from hyatt.com. Calm tone, account-link CTA.
If a message doesn't fit one of these patterns, treat it as suspicious. Don't click. Open a new browser tab and log into the program directly to check your real status.
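The sender-domain check described above, as an added example (not code from this page or from any hotel program): it reads the real address out of the From header, accepts only the domains listed above and their true subdomains, and flags domains that merely contain a brand name. The function names and sample addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Sender domains this article lists per program (assumed complete for this sketch).
OFFICIAL = {
    "marriott": "marriott.com",
    "hilton": "hilton.com",
    "ihg": "ihg.com",
    "hyatt": "hyatt.com",
}

def sender_domain(from_header):
    """Domain of the actual address, ignoring the display name shown in the inbox."""
    _display, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify_sender(from_header):
    """Return (verdict, program); verdict is 'official', 'lookalike' or 'unrelated'."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unrelated", None)
    for program, official in OFFICIAL.items():
        # Exact match, or a subdomain on a label boundary (email.marriott.com).
        # A bare endswith("marriott.com") would wrongly accept notmarriott.com.
        if domain == official or domain.endswith("." + official):
            return ("official", program)
    for program in OFFICIAL:
        # Brand string inside a non-official domain: marriott-rewards.co,
        # marriott.com.example.net. Short brands like "ihg" can over-match.
        if program in domain:
            return ("lookalike", program)
    return ("unrelated", None)

# Constructed sample From headers; the lookalike domains are the ones quoted above.
SAMPLES = [
    "Marriott Bonvoy <bonvoy@email.marriott.com>",
    "Marriott Bonvoy <rewards@marriott-rewards.co>",
    "Hilton Honors <alerts@hilton-points.support>",
    "IHG One Rewards <promo@ihg-bonus.net>",
    "Marriott <info@marriott.com.example.net>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header)[0]:<10} {header}")
```

A From header can itself be forged, so an "official" result only rules out lookalike domains. Logging in directly in a new tab remains the real check.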
If you opened the link but didn't enter anything, you're probably fine. Close the tab and clear the browser cache. If you entered your password, change it on the program's real site and on any account that shares that password. If you entered a card number, call the bank and reissue. Then check your loyalty account for unauthorized redemptions, new payment methods, or shipping addresses that aren't yours, and report the message to the program's abuse address (Marriott: abuse@marriott.com; similar at the other programs).
The reason scams work is that they look exactly like real warnings, and you have no fast way to tell them apart. The fix isn't learning to spot fakes faster. It's setting your own reminder, on your own schedule, well before the program's warning window opens. When you know the email is from you, you don't have to verify anything.
See when each program's points expire to find the right date, then set a reminder for 30 days before. Anything that arrives sooner than that, with urgency, demanding a password, can be ignored on principle.
Yes, but cautiously. They usually send one or two warnings, typically 30 to 90 days before the expiration date, from the program's real email domain. They rarely send "expires today" messages, and they never ask for your password or full payment details by email.
Check the sender's full email address, not just the display name. Real Marriott emails come from a marriott.com domain (typically email.marriott.com). Hilton uses hilton.com. IHG uses ihg.com. Hyatt uses hyatt.com. Anything close-but-not-exact like "marriott-rewards.co" or "hilton-points-expiry.com" is a scam.
Almost certainly not. The FTC issued a consumer alert in 2024 about a wave of fake "expiring rewards" text-message scams. Hotel programs rarely use SMS for expiration warnings, and never with a "click within 24 hours" link. Don't click. Log into your account directly to check your actual expiration date.
Don't enter any credentials on the page that opened. Close the tab. Change your loyalty-program password and the password of any account that uses the same password. Watch for unauthorized point redemptions or new payment methods on the account. Report the message to the program's phishing address (e.g., abuse@marriott.com).
Because you know exactly who sent it: you. A reminder you set yourself, from a sender you control, is impossible to confuse with a phishing message. The link goes to your own dashboard, not to a fake login page. You don't have to inspect the sender domain or hover over URLs to verify it.
Forward the message to the program's abuse address (e.g., abuse@marriott.com, phishing@hilton.com), to reportphishing@apwg.org, and to the FTC at reportfraud.ftc.gov. Then delete it. Don't reply, don't click, don't download attachments.