Are point sites dangerous? The core is starting with safe majors and protecting your data and money — cashback is a bonus

Poikatsu basics Published:2026-05-29 Updated:2026-06-21 15 min read

Are point sites dangerous? — No need to be overly worried if you start with major, reputable sites

Here is the conclusion upfront. Major point sites affiliated with listed companies — such as Moppy and Hapitas — can be used safely. The concerns you see online about "personal data being stolen" or "being unable to cash out" mostly involve small, obscure sites with no verifiable track record. As long as you choose a major site that meets five key criteria — a listed-company operator, a Privacy Mark (P mark), JIPC membership, SSL, and a long history of confirmed cash-outs — and you manage what personal data you share, there is no need for excessive worry.

That said, it would be wrong to say all point sites are safe across the board. You need to recognize and avoid real warning signs: suspiciously high cashback rates, reports of people unable to cash out, zero user reviews, and demands for excessive personal information. This article covers how to identify safe major sites, red flags of shady sites, phishing and fraud tactics, and practical steps to protect your personal data and inbox. For a broader guide on choosing a site, see the site-selection article and the getting-started guide.

Why do point sites give you points for free? — Understanding the model makes the doubt disappear

The biggest source of suspicion is the question: "Why do I get points for free?" The answer is simple: the funding comes from performance-based advertising fees paid by advertisers — credit card companies, e-commerce sites, insurance providers, and more. When a user applies for a credit card or makes a purchase through a point site, the advertiser pays the site operator a "success fee," and a portion of that fee is returned to the user as points.

StepWhat happens
① User completes an offer via the siteShops or applies through the point site
② Advertiser pays a success feeCard company or e-commerce site pays the operator
③ Operator awards points to the userA share of the ad fee is returned as points
④ User cashes out or exchangesConverts to cash, other points, or gift cards

This model is entirely legitimate — the same principle behind affiliate programs on Rakuten or Amazon. It is neither a scam nor a pyramid scheme; it is a model that passes advertising revenue on to users. However, a small number of sites abuse this model by shutting down before users can cash out, or by running registrations purely to harvest personal data — which is exactly why knowing how to tell sites apart matters.

Five criteria for a safe site — operator track record, Privacy Mark, SSL, JIPC, and cash-out reviews

There are five things to check when choosing a safe point site. A site that meets all five can be started with confidence, even by a first-timer.

Check itemSafety benchmarkHow to verify
Operating company / listed statusTSE-listed company or established corporationCheck the operator name on the site's "Company info" page
Privacy Mark (P mark)Obtained (P mark shown in footer)The certification number can be cross-checked on the JIPDEC website
JIPC membershipMember of the Japan Internet Point CouncilConfirm on the JIPC member list page
SSL (https)https on all pages; lock icon in browserCheck the https and lock icon in the address bar
Cash-out track record / reviewsMultiple confirmed reports of successful cash-outsSearch for "cashed out" mentions on SNS and review sites

Major sites — Moppy (Ceres: TSE-listed), Hapitas (Osvision), Point Town (GMO group), EC Navi (Kakaku.com group), and Gendama (NetMile group) — all satisfy these five criteria. Registering with multiple sites is fine, but starting with one or two major sites, learning the ropes, and then expanding helps prevent spam and management overload. For detailed comparisons, see the site-selection article and the Moppy complete guide.

💡

The "Privacy Mark" is a third-party certification issued by JIPDEC (Japan Information Processing Development Corporation), indicating that a site's personal data protection system meets a defined standard. Because the certification number is publicly verifiable, you can check whether a displayed mark is genuine.

What matters is not trusting the five criteria as "the site's self-declaration" but verifying them yourself. A Privacy Mark's certification number can be checked against the official body's site, and JIPC membership can be confirmed in the council's member list. SSL is obvious from the lock icon in the URL bar; for the operating company, confirm the corporate name and address in "Company Profile" and, if needed, search the company name to see whether it really exists and is listed. Whether you can cash out is gauged by whether third-party SNS and reviews carry multiple concrete reports of "actually cashed out." Conversely, even if a site writes "safe" or "Privacy Mark obtained" itself, don't take it at face value unless you can back it up with the number or member list. To compare multiple sites, see the site-selection article.

Red flags of shady sites — rates too high, can't cash out, zero reviews

When you are tempted by a site outside the major players that "looks like a good deal," avoid registering if even one of the following red flags applies. Sites matching multiple flags are especially risky.

  • Cashback rate several times the market standard: Sites offering far above the going rate for a single credit card application carry a high risk of shutting down before you can cash out, or disqualifying your points after the fact. "High rate ≠ good site."
  • Can't cash out; no one who has: If SNS and Q&A sites have no specific reports of users successfully cashing out, that is a danger sign. Sites with repeated posts like "I accumulated points but the cash-out button won't work" or "my request was rejected as invalid" should be avoided.
  • Virtually zero user reviews: A service that has been running for a while but shows almost no user feedback — or where reviews look suspiciously like planted content — warrants caution.
  • Suspiciously high minimum cash-out threshold: A minimum cash-out amount far above the standard seen on major sites may be designed to bore users into giving up before they reach it, so the site never has to pay.
  • Operating company details are vague or missing: No company overview, representative name, or address — or searching returns no results. The site may be run by an unregistered individual.
  • Asks for credit card numbers at free registration: Basic free registration on a point site only requires an email address and password. Asking for a card number or bank account at the outset is abnormal.
  • No findable way to quit or delete your account: Sites where the help pages have no withdrawal instructions, or where the cancellation form doesn't work, are a red flag.

If you have already registered with a shady site, submit a cancellation request immediately, change your password, and update the same password on any other services where you reused it. For details on prohibited conduct, see the NG-behavior article.

What danger signs share is a structure that rushes your judgment with "how good a deal it is." High cashback far above the going rate can itself be the classic bait of sites that "close before you cash out" or "remove conditions after the fact." The more your heart moves at "overwhelmingly better than elsewhere," the more you should pause to check the plain three—operating company, cash-out reviews, and how to withdraw—and that single beat prevents harm. Also, if you've already registered and entered information on a suspicious site, act early in this order: withdrawal procedure → change that site's password → change other services that reused the same password. You can also check specific NG actions in the NG-behavior article.

Fraud and phishing tactics — and how to spot them

There are several typical patterns of fraud and phishing tied to point sites. Knowing the tactics alone dramatically reduces your exposure.

  • "Your points are about to expire" / "You've won a prize" emails: These impersonate a legitimate point site, lure you to a fake URL, and steal your login credentials. Check the sender's domain to see whether the email is genuine. Make a habit of never logging in through an email link — always use a bookmark or the official app.
  • SNS "exchange your points at a premium" scams: DMs or posts like "exchange 1,000 points for ¥10,000" impersonate a non-existent exchange service and trick you into paying or entering personal data. "Special exchange" deals outside the official site do not exist.
  • Fake point sites (clones of major sites): Sites with a design nearly identical to a major site, differing only in the URL. They capture the login ID and password you type. Always access via bookmark or official app.
  • Fake "unauthorized access detected" alerts: Impersonating the official site with "your account will be suspended" messaging, driving you to a fake site to change your password. The important thing is to log into the real official app or site directly to check.
  • Referral-fee scams via "high-value offers": LINE messages or posts claiming "just sign up for XX and earn tens of thousands of yen," which are designed to funnel your personal data to dubious operators. Legitimate point sites do not make sudden high-value offers via SNS or LINE.
⚠️

Phishing basics: Never log in through a link in an email. Always check the URL via a bookmark or official app. Set a different password for each point site (reusing passwords is the entry point for fraudulent point conversions). If you notice a suspicious email, forward it to official support and report it.

The weakness these tricks share is that they all "try to move you from a link in an email, on SNS, or in LINE." Conversely, just one habit—"don't enter from a link; always access by yourself via a bookmark or the official app"—neutralizes most phishing. Also, remember that anxiety-stoking wording (expiry, winning, unauthorized access, account suspension) is a stock phrase of fraud. A genuine points site never suddenly pitches you individually with a high offer like "register and get tens of thousands of yen" on SNS or LINE. If you feel even slightly suspicious, forwarding it to official support to confirm before clicking the link is the safe move.

Protecting your personal data and inbox — a dedicated email address is your best defense

Even with major point sites, signing up means you will receive a certain volume of email. Completing offers also brings emails from individual shops and services. The single most effective defense is creating a separate email address dedicated to point activities.

  1. ① Create a free email address just for point activitiesUse Gmail's "plus alias" feature (e.g., [email protected]) or create a fresh dedicated account. Never register your main address with any point site. If spam arrives, you can filter or delete just the dedicated address.
  2. ② Review mailing settings right after you registerImmediately after registering with a point site, go to the "email notification settings" or "advertising email" section and opt out. Major sites that let you receive only campaign alerts are easy to manage.
  3. ③ Share only the minimum personal data each offer requiresShopping offers usually only need an email address. Financial offers such as credit cards, FX, or securities require official identity verification documents (e.g., My Number card) — that is a legally required and legitimate process. Being asked for a passport or bank account number outside a financial offer is a warning sign.
  4. ④ Set a different password for each siteReusing the same password across multiple services means a single leak can compromise everything (credential-stuffing attacks). A password manager is the practical solution.
  5. ⑤ Check your points and exchange history regularlyReview your point balance and exchange log about once a month. If you see an exchange you didn't make, contact support immediately.

For overall point management across multiple sites, see the household-app & management article. For NG behavior around multiple accounts, see the multiple-accounts & terms article.

Mini glossary — key terms for judging safety

Knowing the words used to identify safe sites and the words used in fraud tactics lets you stay neither over-fearful nor over-trusting. Whether a certification or scheme is in place can be checked on each site's footer and on official organization websites.

TermMeaningWhat to check
Privacy Mark (P mark)Third-party certification that a site's personal data protection meets a set standardCertification number verifiable on the official site
JIPCJapan Internet Point CouncilConfirm membership on the JIPC member list
SSL (https)Technology that encrypts communicationLock icon and https in the address bar
Performance-based advertisingModel where advertisers pay per result (the source of your points)Why getting points for free is not suspicious
PhishingFraud that steals your ID/password via fake emails or fake sitesNever log in through a link in an email
Credential stuffingUsing reused passwords to break into other servicesUse a different password for each site

Verify certifications, schemes, and track records on each site and with official bodies. For site selection see the site-selection article, for what not to do see the NG-behavior article, and for getting started see the getting-started guide.

Honest answers to common worries — FAQ

Are point sites really safe? Don't they seem shady?
Major sites like Moppy, Hapitas, Point Town, EC Navi, and Gendama are operated by TSE-listed-company groups, hold Privacy Marks, are JIPC members, and have long cash-out histories — they are safe. Most "shady" incidents involve small sites with no proven track record, or fake sites set up to commit fraud. If you verify the five criteria — listed company, P mark, JIPC, SSL, and cash-out reviews — before registering, there is no need for excessive worry. See also the site-selection article.
Is it safe to register my personal data? I'm worried about leaks.
Sites holding a Privacy Mark have passed third-party audits of their data-protection systems and will not sell your information indiscriminately. On top of that, three self-protection habits reduce risk dramatically: ① use a dedicated free email address; ② don't reuse passwords; ③ don't enter any personal data beyond what a specific offer actually requires.
I've heard you get flooded with spam — is that true?
Creating a dedicated email address for point activities keeps your main inbox protected. Gmail's "plus alias" or a fresh dedicated account is the easiest approach. If you opt out of advertising emails right after registering, major sites generate very little unwanted mail and are straightforward to manage.
What should I do if I receive a phishing email?
Do not click any link in the email. Instead, log in directly via the official app or a bookmark and check your account status. "Your points are expiring" or "You've won" subject lines are classic phishing tells. Forward suspicious emails to official support, report them, and change your password as a precaution.
Can you still be unable to cash out even on a safe site?
On major sites, you can cash out if you correctly fulfill the offer conditions — approval periods, usage requirements, and so on. Cases where cash-out fails almost always come down to: ① not meeting the offer's usage conditions (e.g., a credit card's annual-fee-waiver requirement); ② applying to cash out during the pending-approval window; or ③ a terms violation such as holding multiple accounts. Review the cautions in the NG-behavior article.
How do I quit a point site when I want to?
Major sites have a clear account-deletion process. Make sure to exchange any accumulated points before you quit — they expire when your account closes. Your offer history also disappears, so check your balance first, then proceed.
Why do I get points for free? Is there a catch?
The source of the points is performance-based advertising. When you apply for a credit card or make a purchase through a point site, the advertiser — a card company, an e-commerce site, etc. — pays the site operator a success fee, and a share of that fee is returned to you as points. It is the same healthy model as affiliate programs on Rakuten or Amazon: no scam, no pyramid scheme. The ones to be wary of are a small number of obscure sites that abuse this model — shutting down before you can cash out, or running registrations purely to harvest personal data. That is exactly why the five criteria — listed company, P mark, JIPC, SSL, and cash-out reviews — matter so much when choosing a site.
Is it okay to register with multiple sites? Won't the risk increase?
With major sites, registering with multiple is fine in principle. However, signing up with many sites at once makes managing emails, passwords, and offer conditions complicated, and raises the risk of spam and password reuse. Start with one or two major sites, get comfortable with the flow — earning via offers, meeting conditions, cashing out — and then expand. As you do, stick to three habits: ① use a dedicated email address for point activities; ② set a different password for each site (to prevent credential-stuffing attacks); ③ opt out of advertising emails right after registering. Following these steps keeps risk low even as you add more sites.
Is it okay to use it as a family, or create an account for a child (a minor)?
Each family member registering and using under their own name is fine at many major sites. But there are two cautions. One: a single person holding multiple accounts, or creating more accounts than the terms allow within the same household or on the same device, can be a terms violation; having one person effectively run multiple accounts by borrowing family members' names is also a no-go. Two: registration by a minor may be subject to an age limit or a guardian's consent set out in the terms. Before letting a child use it, be sure to confirm the age conditions and whether guardian consent is required in each site's terms of use. For account-count and name rules, see the multiple-accounts & terms article.
If the operating company shuts down the service, what happens to the points I've saved?
Even with major sites, the possibility of a business transfer or service shutdown isn't zero. Generally, how points are handled at service shutdown (advance notice period, an exchange grace period, etc.) is set out in each site's terms of use, so confirming it at registration or whenever you're concerned gives peace of mind. As a practical way to lower risk, don't hoard points beyond what's needed—cash out or exchange promptly once you hit a certain amount and consolidate into your main ecosystem. "Moving them to cash or common points little by little" is more resilient against any of shutdown, revision, or expiry risk than "hoarding a lot and exchanging all at once." If a shutdown notice appears, check your balance and be sure to exchange within the deadline.

This article was written from publicly available information on each point site as of 2026-06-21. Cashback rates, campaign terms, and redemption rules can change without notice — always check each site's official page for the latest. This site uses each point site's referral program, but going through a referral link never changes the rate you receive.