Have you had a problem with a company? Email helen.crane@thisismoney.co.uk
I frequently travel and am an avid collector of British Airways' Avios points, having amassed close to 1million over many years.
In late January I was in a taxi travelling to the airport in Bangkok when I started receiving hundreds of emails to the Gmail address connected with my Avios account. This continued for several days.
I changed the email password and checked my bank accounts. No money had been taken so I assumed whatever scam this was had been unsuccessful.
But on 1 March, l was browsing flights on the BA app and noticed I only had around 5,000 Avios in my account. On the same day I received all the emails, approximately 950,000 Avios had been transferred out to an account with the Spanish airline Iberia.
I reported it to BA and my account was frozen. I still don't have access to it.
However, that was more than two months ago. Despite chasing up BA several times, I still don't know if I will get my points back, and when I will be able to get into the account again. N.R
Shock: This reader was in a taxi in Bangkok when he started receiving a flood of emails
Helen Crane, This is Money's consumer champion, replies: You are a committed Avios collector, and given the value of your points I can see why you are irked by BA's lackadaisical response.
You told me: 'It's taken many, many years to build up that amount of Avios, and whilst there's much worse that can happen in life, it's still stressful to find that it's all been stolen and BA seems uninterested in resolving the matter.'
Based on the standard calculation of 1p per point, your total Avios are worth £9,550. If you spent them strategically, though, they could be worth more than £14,300.
You pay £300 a year for the Amex Premium Plus credit card, which lets you earn Avios on your spending, and also £899 a year for an Avios subscription which tops up your account with a certain number of points each month.
But despite almost being an Avios millionaire, it never occurred to you to check your account on the day your email account was spammed. You assumed the faceless fraudsters had tried, and failed, to access your bank accounts and moved on.
Until now, you say, you weren’t even aware stealing air miles was possible.
But sadly it is, and it has proved a lucrative line of business for criminals lately - as I have previously covered in this column.
So how does this happen? As with most scams of this nature, one option is that the fraudster hacked into your emails, giving them the ability to find your Avios details, reset the account password and gain entry.
The other is that your Avios login - or the login for another account you hold with the same username and password - was compromised through a data leak, and then acquired on the dark web.
The email-bombing that you received on the day of the theft was a bid to stop you noticing any emails about your Avios account password being changed, which would have alerted you to the fraud.
It’s a good idea to change change the password regularly, and make sure it is not the same as the password you use for any other websites.
Many phones will now generate secure, hard-to-guess passwords automatically and store them for future use.
You reported the theft to British Airways the day after you noticed the points were gone. It said it would pass your case on to the fraud team to investigate and that someone would get back to you.
You say the person you spoke to couldn't give you a time frame, and wouldn't let you speak to the fraud team directly.
When you hadn't heard back more than three weeks later, you called again and were met with the same response, and then again two weeks after that.
At one point, you were told the 'normal turnaround' for such matters was between 24 and 72 hours - which was laughable given how long you had already waited.
It could be that the fraud team is overrun with cases like yours. But if it is, that suggests that BA needs to find a way to beef up its security and stop this from happening.
I went into my own Avios account to check what happened if I tried to transfer some of my (comparably tiny) points balance to someone else.
Before allowing me to do so, it made me set up two-factor authentication, meaning I had to generate a text message code which was sent to my mobile phone and type it into the BA website.
But that is little use to protect against theft, as the fraudster can simply enter their own phone number when prompted.
I did notice that, when transferring Avios, the gifter must supply the full name, executive club number and email address of the recipient.
Names on Avios (or other points programme) accounts should be real, because if they are not the same as the name on the traveller's passport this can cause issues with bookings.
That suggests BA knows the identities of those stealing Avios points, and I would hope that they are being passed to the authorities.
I contacted BA to ask why it had taken so long to re-credit your balance.
It quickly got in touch with you to confirm your identity and then, once you changed your password again, your Avios were restored.
A spokesman for BA said: 'We're very sorry for our customer's experience and we thank them for their patience while we resolved the matter.'
I asked whether the firm was considering any extra security measures to combat Avios fraud but it did not respond directly.
It said customers should use strong passwords, and not repeat the same password across multiple accounts.
BA does have a page on its website giving security advice and listing common scams relating to the company, but it does not mention the Avios thefts.
I am glad your Avios riches have been restored -and after all this,I think you deserve a holiday.