That Text About Your Expiring Rewards Points? It’s a Scam

    How scammers are exploiting loyalty programs, and real news headlines, to steal your personal information

    (This article discusses a scam that impersonates the rewards program of a large grocery retailer in the UK. Neither the retailer nor its rewards program is involved in the scam, and this article should not be interpreted to state or imply any wrongdoing on their part.)

    You get a text message. It says you have over 12,000 rewards points sitting in your account and they’re about to expire. You need to redeem them in the next three days or you’ll lose them. There’s a link to claim your rewards.

    It looks official. It mentions a brand you actually shop with. And the timing makes sense because you vaguely remember hearing something about points expiring.

    So you tap the link.

    That’s exactly what scammers are counting on. Keep reading to check out how scammers are exploiting loyalty programs and real news headlines to steal your personal information:

    What Our Researchers Found

    We recently uncovered an emerging rewards points impersonation scam targeting consumers in the UK. The scam impersonates Tesco, one of the country’s largest grocery retailers, and its popular Clubcard loyalty program.

    Victims receive an unsolicited text message claiming they have 12,739 points in their Tesco Clubcard account that are about to expire. The message urges them to redeem their points immediately through a “2026 Reward Program” and includes a link to what appears to be an official Tesco rewards page.

    But here’s the clever part: the scammers timed this campaign to coincide with real news. In late February 2026, millions of pounds worth of genuine Tesco Clubcard vouchers actually were due to expire. The scam first appeared in the last week of February, right as that news was making headlines, and spiked sharply in early March. Scammers weren’t just inventing a story. They were hijacking one that was already true.

    How the Scam Unfolds

    This scam follows a carefully designed four-stage process that walks the victim deeper into the trap at each step.

    • Stage 1: The text message. The victim receives an SMS that looks like an automated loyalty program notification. It uses Tesco’s brand name, references the Clubcard system by name, and includes a specific point balance (12,739) along with a precise expiration deadline. The formal tone and specific details make it feel like a routine account alert rather than a random message.

    • Stage 2: Building trust. The message is designed to feel like something Tesco would actually send: a friendly reminder that your hard-earned rewards are about to expire. By framing it as the company proactively looking out for you, the scammer makes the victim feel like they’d be losing something they already own if they don’t act.

    • Stage 3: The fake website. Once the victim clicks the link, they land on a website built to look like a Tesco rewards redemption page. It displays their point balance and shows a selection of products available for redemption, such as phone chargers, blood pressure monitors, and furniture. After choosing a product and clicking “redeem now,” the victim is asked to verify their mobile number and then enter personal details including their full name, email address, and home address.

    • Stage 4: The disappearing act. After the victim submits their information, the website displays a confirmation that the reward has been successfully redeemed or that an order is being processed. Shortly after, the website either becomes inaccessible or redirects to the real Tesco website. The victim assumes everything went fine. Meanwhile, the scammers now have a package of personal information that can be used for identity theft, account takeover, or future scam targeting.

    Why This Scam Works So Well

    This scam is effective because it layers multiple psychological triggers on top of each other.

    • Loss aversion. The message doesn’t offer you something new. It tells you that something you already have is about to be taken away. Research consistently shows that people are more motivated by the fear of losing something than by the prospect of gaining something of equal value. A message that says “your points will expire” hits harder than one that says “earn bonus points.”

    • Real-world timing. By launching the campaign alongside genuine news about Tesco Clubcard vouchers expiring, the scammers gave their story built-in credibility. Victims who had seen the real headlines were primed to believe the text was legitimate.

    • Brand familiarity. Tesco is a household name. The Clubcard program has millions of users. The scammers didn’t pick an obscure brand. They picked one that a large portion of the UK population has a genuine relationship with.

    • Gradual commitment. The scam doesn’t ask for sensitive information upfront. It starts with a text. Then a click. Then a phone number. Then browsing products. By the time the victim is entering their name and address, they’ve already invested several minutes and made multiple small decisions that all felt reasonable. Each step makes the next one feel natural.

    This pattern of impersonating trusted brands and using urgency to push quick action is exactly what Trend Micro’s 2026 Scam Predictions report warned about. Delivery, billing, and loyalty scams now dominate by sheer volume, and scammers are increasingly borrowing real brand logos and messaging styles to appear authentic.

    How to Protect Yourself

    • Go directly to the source. If you get a message about expiring points or rewards, don’t click the link in the text. Instead, open your browser and go to the company’s official website directly, or check your account through their app. If the points are real, they’ll show up there.

    • Check the sender and the URL. The scam messages in this campaign came from random phone numbers, not from Tesco’s official channels. The links pointed to domains like “tesco-env[.]cn” and “tesco-shop50[.]uk[.]cc”, which are clearly not tesco.com. A quick glance at the URL before tapping can save you from a lot of trouble.

    • Be suspicious of specific, unsolicited numbers. A text telling you that you have exactly 12,739 points feels precise and therefore believable. But legitimate companies don’t typically send your exact point balance via SMS with a redemption link. That precision is a trick to make the message feel automated and real.

    • Pause when you feel urgency. “Expires in 3 days” is designed to stop you from thinking carefully. Any legitimate loyalty program will give you reasonable notice and multiple ways to manage your account. If a message is pushing you to act right now, that pressure is the warning sign.

    • Use scam detection tools. Tools like Trend Micro ScamCheck can detect and block scam texts before they reach you, and can analyze suspicious links and messages to identify threats that look legitimate on the surface.
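
    The URL, point-balance and urgency checks from the list above, written as a small triage script for a message filter. This is an added example, not code from the article or from any Trend Micro product; it assumes tesco.com (the domain the article names) is the only official domain, and the function names and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: tesco.com (the domain the article names) is the only official domain.
OFFICIAL_DOMAINS = ("tesco.com",)
BRAND_TOKENS = ("tesco",)

POINTS_RE = re.compile(r"\b\d[\d,]{3,}\s+(?:reward\s+)?points\b", re.I)
URGENCY_RE = re.compile(r"\bexpir\w*", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

def link_hosts(text):
    """Return lower-cased hostnames of every link, accepting defanged '[.]' dots."""
    hosts = []
    for url in URL_RE.findall(text.replace("[.]", ".")):
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed bracketed host: nothing to compare
            continue
        if host:
            hosts.append(host)
    return hosts

def is_official(host):
    """True only for an official domain or a subdomain of it (label-boundary match)."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def lure_signals(text):
    """List which elements of the rewards-points lure appear in one SMS."""
    signals = []
    for host in link_hosts(text):
        # The brand name appears in the host, but the host is not the brand's domain.
        if not is_official(host) and any(t in host for t in BRAND_TOKENS):
            signals.append("brand_lookalike_link:" + host)
    if POINTS_RE.search(text):
        signals.append("specific_point_balance")
    if URGENCY_RE.search(text):
        signals.append("expiry_deadline")
    return signals

# Constructed sample messages; the first uses a defanged hostname quoted in the article.
SAMPLES = [
    "Tesco Clubcard: you have 12,739 points expiring in 3 days. Redeem: https://tesco-env[.]cn/r",
    "Your Clubcard statement is ready at https://www.tesco.com/clubcard",
    "Claim now https://tesco.com.rewards.example/login",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(lure_signals(sms), "<-", sms)
```

    The third sample shows why the comparison has to be a suffix match on a label boundary: a hostname that merely starts with "tesco.com" still belongs to whoever controls the rightmost labels.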

    What to Do If You’ve Been Impacted

    If you think you may have entered your information into a scam site like this, the most important thing is to act quickly:

    • Change your passwords. If you used the same email and password combination anywhere else, change those passwords immediately. Consider using a password manager to create unique passwords for each account.

    • Contact your bank. If you entered any payment information, call your bank or card provider to let them know. They can monitor for suspicious activity and may issue a new card.

    • Monitor for follow-up scams. Once scammers have your personal details, they may use them to target you again with more personalized attacks. Be extra cautious about unexpected messages in the weeks that follow, especially anything referencing your name, address, or recent activity.

    • Report it. In the UK, report scam texts by forwarding them to 7726 (which spells “SPAM” on your keypad). You can also report it to the relevant authority in your region, such as the FTC (US), Report Fraud (UK), the Canadian Anti-Fraud Centre, or ScamWatch (Australia). Reporting helps authorities track campaigns and warn others.

    It’s Not Just Tesco: This Scam Is Going Global

    The Tesco Clubcard scam isn’t an isolated case. The same rewards-points playbook has surged across multiple countries and brands in recent months.

    In the US, AT&T customers were hit with near-identical texts claiming they had 11,430 reward points about to expire. The Bartlett Police Department in Tennessee issued a public warning, and AT&T itself published guidance confirming that the messages were fraudulent. In December 2025, security journalist Brian Krebs reported that the same phishing groups behind widespread toll-fee scams had pivoted to rewards-points lures, mass-registering domains impersonating T-Mobile.

    The UK has been hit beyond Tesco too. The mobile carrier EE has been repeatedly impersonated with fake points-expiry texts throughout early 2026. EE published a dedicated scam warning page confirming that the company doesn’t even offer a points program where balances expire. The entire premise is invented. In Australia, Macquarie Bank customers were targeted with fake SMS and email notifications claiming their banking reward points were expiring, directing them to fraudulent login pages designed to steal account credentials. And in the Philippines, the carrier Smart warned that criminal syndicates were using fake cell site devices to push similar messages directly to subscribers.

    The pattern is the same everywhere: a trusted brand name, a specific point balance, an expiration deadline, and a link to a convincing fake website. What changes is the logo. The playbook never does.

    The best defense is a simple habit: whenever money, personal information, or urgency is involved, go directly to the source. Don’t follow the link. Don’t call the number in the text. Open the real app or website yourself. That one step breaks the entire scam.
