Role Reversal: Thinking Like a Travel Agency Fraudster 2017
This is part 1 of a 2 part series! (Part 2 has since been published - check out Travel Agency Fraud Buster)
Recently, my credit card was compromised and the Visa fraud dept. froze my card, called me within the day, and cancelled it once I verified that, no, I didn’t spend $.93 at a specialty store called “Tropican Express” or a few hundred bucks at a department store that I haven’t set foot in since I worked there in my hometown when I was 16.
It was pretty simple. But it’s not that simple for travel agencies. Oy. Not even close. We’ve written on the site about fraud prevention here, and much of that information holds true today. But fraudsters evolve with the times, and their tactics refine and change. I chatted with Doug Nass, Manager of Fraud Investigations at ARC to get info on how travel agencies continue to be impacted by fraud.
First, The Bad News
1. Credit Card fraud costs the travel industry between 1B and 1.4B per year.
Fraud is a 9-5 job . . . for the fraud-busters, and for fraudsters. The ARC fraud department receives approximately 10 emails and 2-4 calls on their hotline per day, with reports of suspected fraud. When fraudsters are caught, they don’t just pack up their bags and begin their retirement. Travel agency fraud is an ongoing and ever-evolving issue, so even when fraud detection is successful, fraudsters refine their methods and find new fraud targets.
For this reason, it’s really challenging (if not impossible) to get ahead of fraud. According to Doug, ARC was “concerned about all the credit card fraud that’s going on in the industry. There’s one stat out there from IATA that there’s anywhere between 1B and 1.4B dollars a year of cc fraud worldwide in the travel industry.”
The good news is that ARC’s fraud department has saved travel agencies $265,125,90 of fraudulent charges in 2017. ARC’s approach is to, “spend our time going after the serial fraudsters posing as black market travel agents . . . they [serial fraudsters] just need to find that one agent a day who’s willing to accept their card in a card-not-present environment.” (But don’t worry. After reading this, you won’t be that agent.)
The good news is that ARC can identify fraud and warn agencies against serial fraudsters (yes, that is a bittersweet phone call to receive). In 2017, ARC saved affected agencies $265K+ of the amount of fraud they detected.
But in order for ARC to help travel agencies, they need agents to help them stop fraudsters by identifying and reporting instances of fraud—and this article will help you do just that.
2. The travel agent is responsible for fraud
At the end of the day, the travel agent is responsible to pay for fraudulent charges—not the GDS, not the airline, not the cardholder. It falls on you, the agent. Ouch. So if a chargeback appeal doesn't go through or an airline won't cancel a fraudulent ticket, it's the travel agency who foots the bill. The onus of responsibility to detect fraud also falls on you, the travel agent—since the entities not financially responsible for fraud are less motivated to nip it in the bud. (At this point, there are few systems in place for fraud detection among GDS programs.)
To complicate matters, many E&O insurance policies won’t protect a travel agency against fraud, and it can be difficult to challenge an insurer's denial of coverage for debit memos. If this coverage is important to you, be sure to check with your E&O provider.
Once fraud occurs, there’s a slim chance that a travel agency will be able to recover a substantial amount of those losses. Bummer. But you’re not alone. The good news is that, while you can’t eliminate the risk of fraud, there are tons of ways to safeguard against it. And one of them is to understand how fraudsters operate.
Fraud Prevention is Key
There’s a silver lining to losses due to fraud. When a travel agency reports fraudulent activity to ARC, they not only become less vulnerable to future fraud (lesson learned) but they can also prevent the domino effect of fraud, saving other travel agencies hundreds of thousands in fraudulent purchases.
In 2017 alone, ARC estimated that their fraud detection efforts generated a projected $210,378 Loss Prevention Amount (LPA)—the amount saved to agencies who would otherwise be impacted by continued fraud.
One way to help mitigate the impact of fraud is to think like a fraudster, understanding the kind of vulnerabilities they prey on. So here goes the role reversal . . . you’re about to enter the mind of a fraudster.
Credit card fraud is the numero uno culprit for fraud, and an enduring strategy for fraudsters. Credit card fraud is more common in a card-not-present (CNP) transaction. But really, when is a card present these days? This includes any transaction online, over the phone, fax, or mail—so unless you’re a storefront with customers walking in and presenting their card, there’s a good chance this applies to your agency.
Unfortunately, credit card fraud has evolved over the past few years. If a fraudster gets ahold of a client’s credit card info, there’s a good chance they will also have access to the cardholder’s name and address, so a simple address verification (which we recommended a few years ago) may not do the trick to detect fraud.
Taking a moment to think like a fraudster will help you understand ways to detect and prevent fraud. So for a minute, please indulge me while I think like the villain. Fraudsters have a few tricks up their sleeve—some old, some newer.
Here’s a few of them:
1. Bank Loyalty Fraud
Fraudsters know that a cardholder might be suspicious if a random ticket purchase to Accra appears on their billing statement. And it’s a likely bet that that card will be shut down (ahem, after the travel agency foots the bill).
But fraudsters have found a newer workaround, targeting cardholders who have accrued a lot of points on their account, then siphoning off those points and converting them into tickets rather than making a direct purchase. This can make it more difficult to detect the fraud until it’s too late (says someone totally guilty of not keeping track of her credit card points whatsoever).
This helps fraudsters bypass the security measures credit card companies build around their sites, or the alerts that cardholders may receive when their card is being used. Bank loyalty fraud is relatively new, but get this, it accounted for 10.8M of fraudulent activity from Sept. 2015 to Oct. 2017.
2. Corporate Booking & EDU Fraud
Phishing never gets old. That’s when fraudsters will set up bogus, yet realistic-looking email accounts with one added (or omitted) letter or number to the domain so the recipient of the email will reply, thinking the fraudster is someone they know, and compromise potential login information to a backend corporate booking site (which is gold to a fraudster). So be wary of anyone claiming they represent a university, but are using a free domain for their email such as outlook, gmail, yahoo etc.
ARC has received reports from corporate agencies experiencing approximately $250,000 of fraudulent tickets in 9 days before they realized they were not dealing with the person they thought they were over a false email account. Though they were able to void some of those tickets, the agency was still left to pay a hefty bill. Ouch.
These phishing tactics are also used for fake emails of educational institutions (hence the term “EDU fraud”), in an attempt to appear more legitimate or respectable. Combined, Corporate Booking and EDU Fraud accounted for 3M of fraudulent purchases.
Moral of the story? Even if you think you recognize the sender, be sure that the email is legitimate, especially if you’re sending sensitive information.
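The two email checks described above (a domain that is one character off from a client's real domain, and a free-mail domain where an institutional one is expected) can be automated. The Python below is an added example, not from ARC or the original article; the client domains are constructed placeholders, and matching a replaced character goes one step beyond the added or omitted character the article describes.

```python
# Added example: triage a sender's email domain against the domains of
# clients the agency already knows. All domains below are constructed.

FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # providers named in the article

# Constructed placeholder list of domains belonging to existing clients.
KNOWN_CLIENT_DOMAINS = {"corp.example", "university.example"}


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one added, omitted or replaced character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1  # skip the common prefix
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]  # one replaced character
    return a[i:] == b[i + 1:]  # one extra character in b


def triage_sender(address: str, known_domains: set[str]) -> str:
    """Return 'known', 'lookalike:<domain>', 'free-mail' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in known_domains:
        return "known"
    # A near miss of a real client domain is the strongest warning sign,
    # so it is checked before the free-mail list.
    for known in sorted(known_domains):
        if within_one_edit(domain, known):
            return f"lookalike:{known}"
    if domain in FREE_MAIL:
        return "free-mail"
    return "unknown"


if __name__ == "__main__":
    # Constructed sender addresses for illustration.
    for sender in ("cfo@corp.example", "cfo@c0rp.example",
                   "dean@universty.example", "dean.university@gmail.com"):
        print(f"{sender:32} {triage_sender(sender, KNOWN_CLIENT_DOMAINS)}")
```

A `lookalike` or `free-mail` result is a prompt to verify the requester through a contact you already have on file, not proof of fraud.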
3. Corporate Referral & Booking Fraud
Corporate referral and booking fraud is like the land of milk and honey for fraudsters. The kind of corporations most susceptible to this form of fraud are larger international corporations. According to Doug, “They’ll do their [online] research on a corporation, and pose as an executive, someone higher up in the corporation and then sometimes they’ll even make a phone call to the corporation trying to get a lower-level person to tell them which travel agency is their corporate agent. Then [they] dupe the employee, the corporation employee, into referring them to someone at the corporate travel agency. So [at the agency] it’s viewed as a referral, an inside referral . . . Some of these guys, they’ll know to wait to get ahold of the after hours service. They’ll wait later in the day in order to specifically get to the after hours service because there’s fewer people to ask around if it’s a legit request.”
Since the referral would be coming from a trusted corporate customer, it’s unlikely a travel agent would ever decline to do business with the fraudulent account. Moral of this story? Check into the validity of a new client, even if it's a referral.
4. The Straw Purchase/ Grooming Agents
Just like you’re really good at your job, some fraudsters are great at their job too, and they will try to groom travel agents to allow them to purchase tickets over the phone. The first ticket they will try to buy is called the “straw purchase.” Equipped with their compromised card (and the cardholder’s valid name and address), they will call an agent and purchase a ticket that wouldn't raise any red flags. According to Doug, they will purchase “a boring domestic ticket, say from Washington D.C. to Miami three weeks from now.” Harmless, right?
Once that agent issues the ticket and it goes through, they continue to call the agency and try to get to the same agent they spoke to before. Doug mentioned that when they call again, “oftentimes they get very upset on the phone if the agent isn’t in the office that day. They’re grooming the agent. They’re socially engineering them . . . oftentimes the agent isn’t on guard because they’re viewed as someone they already dealt with. They love to cultivate a relationship with a specific agent.”
5. Insider Fraud
Insider fraud is when an agent, subagent, or independent contractor within the agency commits fraud against the agency they work for. This could entail stealing credit card info to book tickets, or starting loyalty programs on cards that don’t already have them and leaching those points for their personal use.
The tricky thing with insider fraud is that agencies probably trust most of their agents and independent contractors, and when they catch an insider fraudster, they likely just fire the agent, revoke the IC's access, and move on. But Doug recommends pressing charges against the offending agent, and reporting the person to ARC. Otherwise, they will likely just jump to another agency and commit the same fraudulent acts again.
Once a fraudster gains control of a travel agency’s GDS system, they will go one step farther by trying to find a link or bridge into another agency. So if Mary Stein travel agency has a bridge to an inactive subagent or IC account, Supernova travel agency, the fraudster will try to book under Supernova travel to avoid detection.
ARC’s tips to prevent GDS bridging issues are to:
- Validate bridge agreements on a regular basis
- Close off any inactive bridges
- Ensure you have a liability agreement in place between your Agency and any other Agency not directly linked with your network.
- Review with your GDS for additional guidelines
7. Friendly Fraud/ Chargebacks
It's kind of funny to call fraud friendly, if you ask me, but this term refers to recreational fraudsters. Friendly fraud is committed when the travel agent fulfills a booking, but the traveling client then reports to the credit card company that they never took the vacation in the first place. Back in the "olden days" of 2014 (circa blockbuster Birdman and Beyoncé's hit album, Beyoncé), it was enough for travel agents to prove friendly fraud with a credit card imprint. Unfortunately this is no longer the case (but let's be honest, almost no one does that anymore anyway).
But there are other ways for agents to leave a "paper" trail (more likely an electronic document trail) so agents can build a case for the customer’s intent to travel. Here are a few ways to create that paper trail:
- Copies of Tickets
- Forms such as waivers, terms and conditions, etc. signed by the client
Red Flag Destinations & Departures
ARC has found trends in terms of risky destinations to sell—cities of departure/arrival that you want to look out for. Here’s an infographic of some of these fraud hot spots in 2017:
Of course this doesn’t mean you shouldn’t sell to these places. It’s just something to pay attention to—especially if you don’t have an existing client profile on the purchaser.
Congratulations! You’re a Criminal Mastermind.
Now that we’ve got you thinking like a fraudster, I don’t want you to feel like we’re leaving you stranded. Pretty soon, we’ll be publishing an article about thinking like a fraud-buster, going into depth about how you can stay one step ahead of their slippery ways. But we won’t leave you hanging. Here are some tools to get you going, ASAP!
- Steph’s earlier nifty article about fraud: Steph wrote a great article about fraud with a ton of great visuals about how to identify bogus email addresses and nifty tips like ensuring that the caller's area code matches the address on the credit card they intend to use.
- ARC's treasure trove of fraud-prevention resources: ARC has tons of resources to help agencies detect and prevent fraud, including fraud alerts, an email to report fraudulent activity to, free internet tools, and visuals on how to identify fake documentation. It’s really a goldmine. Fraudsters will hate it.
- About-fraud.com: Recommended by Doug, this is a resource that provides a comprehensive list of 3rd party fraud-prevention software that typically caters to higher-volume OTA agencies. These programs are a little costly, running about $1,000-$10,000/month depending on the software and package.