Thinking Like a Travel Agency Fraud-Buster, 2017
This is part 2 of a 2-part series!
(In case you missed it, check out part 1: Role Reversal: Thinking Like a Travel Agency Fraudster)
It’s fine and dandy now that you’re an expert on identifying potential fraud, but what’s next? For part II of this series, we’re going to look at strategies for how travel agents can prevent and—we hope it doesn’t come to this—report instances of fraud.
The Fraud Run Down
In our previous article we shared the not-so-good news that there’s 1 to 1.4 BILLION dollars of credit card fraud committed against the travel industry. And travel agencies are popular targets for fraudsters.
We also broke the bummer news that when fraud does occur, it’s the travel agency that’s responsible—not the airlines, not the vendor, not the card holder. It’s you who will be responsible to cover the cost of the entire trip.
In a card not present (CNP) era of travel transactions, and with the end of carbon copy credit card imprints (they’re no longer enough to appeal chargebacks), travel agents need to be hyper-aware of fraud risks. When we spoke with fraud-buster superstar, Doug Nass at ARC, he mentioned that each travel agency needs to decide how much risk they’re willing to assume when when selling to a new client who may (or may not) be a potential fraudster.
This article will help you assess that risk, take preventative measures and (worst case scenario) let you know what to do if a fraudster does target you.
Understanding the Risk of Fraud to Travel Agencies
As it stands, GDS systems don’t have a safeguards against protecting fraud (although there are scripts and third party services that can help agents flag suspicious tickets). However, there’s rumors of a movement for GDS to implement some fraud-detection measures. According to Doug, “GDS is looking into implementing 3-D secure, which is the ability to input a code that only you and your bank knows in the area where you’re filling out your payment/cc information is to pass along that code, which is verified by the bank instantly.”
If you’ve ever run across Verified by Visa, MasterCard SecureCode, or American Express SafeKey when making an online purchase, you’ve seen 3-D secure technology in action.
Proportionately, travel agencies stand to lose more to travel fraud. According to an about-fraud.com interview with Josep Bernat, CEO of Nuk Consultants, “If you are a travel site that distributes product, you are fully liable for the total amount of the fraudulently purchased ticket. If you have a margin of 4%, this would mean that you will need 25 good transactions to recover from one fraudulent transaction. By way of contrast, if you are an airline you’re accounting only marks the fraud for the amount of the cost of the taxes, that is a tiny fraction of the cost of the fraud.”
This means that travel agencies are hit harder when fraud occurs. And to make matters worse, even when a travel agency does issue a fraudulent ticket, the airline isn’t mandated to cancel that issued ticket when and if the travel agency asks. (Throw us a bone, airlines!)
Moral of the story? Fraud prevention is key. But don’t feel discouraged. We have oodles of resources for you to help toward this very cause.
5 Measures to Prevent Fraud
1. Sign Up for Fraud Alerts
You know how convenience stores used to hang up fake or bounced checks to shame fake-check writers and to publicly warn their customers? Well, your travel agency can be notified with ARC fraud alerts to warn you about fraud current fraud practices!
This is easy as pie. The first step to deter fraud is to know when it’s happening so you don’t fall prey to it too. Just follow this link here and get your dang self on their list so you can be notified . . . then tack up their name and fraud scheme info all over your agency office so others know about it too.
2. Free Internet Tools to Verify Customers
First thing to know, an approval code and address verification is NOT enough to identify fraud. I mean, you can still go ahead and do it, and we've written about how to do that here. But unfortunately, address verification by itself is not enough. In the words of Doug the fraud sage:
"[address verification] is a very basic level of checking on the validity of a card, but one of the problems that we have is that through all of these data breaches that have been going on over the years, so many fraudsters have the true card-holder’s name and their address and they sell that to other fraudsters. So it’s going to pass in an address verification because it’s real." -Doug Nass, Manager of Fraud Investigations at ARC
- BIN (Bank Identification Number): This helps protect against fraudsters who make fake credit card images. Verifying the BIN# ensures the bank that’s pictured on the credit card correlates with the credit card number of bank that issued said card.
- VoIP Reverse Phone Number Lookup: Is the phone number located in the same zip code as the billing address? If not, it's right for alarms to be sounding. A VoIP (Voice over Internet Protocol might also raise red flags. Basically it means you can have an internet-based phone number that pretends it's local. When you do a reverse phone lookup, you can see potential fraud/spam risk of a phone number. I entered my own phone number, and I’m happy to report I’m a low risk phone number! Admittedly, it’s a little creepy the info that they have, but the information provides the first letter of my first and last name, plus the city where the number was issued. You can pay for more info, but with a few other safeguards, the free info provided is pretty good. It will verify if a number is VoIP (from online). A VoIP number doesn’t necessarily mean it’s fraud (many businesses use them). It’s just something to pay attention to if there are other red flags.
- Reverse Address Lookup: Whitepages also has reverse address lookup. Again, I looked up my address and it (predictably) listed me as a resident. This may not be super helpful if the fraudster possesses the address affiliated with credit card, but it doesn’t hurt. You also want to ensure that their billing address is the same as their shipping address.
- Google Maps: If you did reverse address lookup, but your BS alarms are still ringing, you can always check Google Maps to make sure the address listed isn’t really an abandoned warehouse or vacant lot. This is a great tool for corporate fraud schemes, where fraudsters will invent websites for fake corporations.
- Whois.com: Fraudsters will create fake company websites and web addresses to try and dupe agents. Whois.com is a good tool to check if a web address is legit and is particularly helpful for corporate agencies. If the founder of Host Agency Reviews emails to book a ticket to Turkey, and you look up the web address included in the email on Whois, you can see that the company was not established within a few days of them calling (good sign).
- Check IP Address: Does the customer's IP address on their email match their billing address? If it doesn't, or if the IP is located in a different place that residence or company claims they're located, that could be an issue. Looking up an IP from an email is alarmingly easy (if I can do it, you can do it). The process will be a little different depending on what server is used, but here I use Gmail as an example:
Want to know if you can make the sale with a clear conscience? Take our quiz to find out the risk-level of your purchase(hint: you'll want to walk through the steps from the free internet tools before you take the quiz to get a more accurate result).
3. Tools to Protect your Agency: For Pay
Doug recommended about-fraud.com as a resource for agencies that want to purchase technology to safeguard their travel agency against fraud. The site has loads of options, and is broken down by programs that best fit your agency needs, whether it be a focus on chargeback handling or call center fraud (etc.). Most of the software can address the various types of fraud including internal errors (aka, not really fraud), friendly fraud (when a client uses the services but declines the charge), and criminal fraud.
I’ll just put it out there right now that most of the software listed comes with (what I would consider) a pretty high price tag for small businesses. Quite frankly, most of the sites don’t publish their pricing programs (I’ll take a wild guess that’s it’s to avoid sticker shock). But one that did listed their services as ranging from $1,000-$10,000/ month. These kinds of program are geared toward larger OTAs with high volumes of automated sales.
Unfortunately, there aren’t a ton of pay-based software options for agencies with smaller budgets. That said, the about-fraud crew is a friendly responsive bunch. So don't hesitate to reach out to them via their contact form with fraud questions even if you are a smaller/mid-sized agency.
4. Educate Your Front Line
You can possess all the fraud-busting knowledge on earth, but if you’re not the one booking the ticket then it really won’t matter at the end of the day. So if you’re not a one-person show, make sure you educate your front line—anyone who can accept new clients in a CNP environment—about being able to sniff out potential fraud activity.
If this is you, be sure that discussing fraud is a part of your onboarding or training process. If you have occasional staff meetings, make it a topic once or twice a year. It’s good to keep it fresh in their head.
Fraud is one of those things like driving . . . If you get into a little fender bender, chances are you’ll be a more careful driver for the next few weeks or months. But then, at some point, you’ll get comfortable and go back to your pedal-to-metal driving ways (I speak for myself). Same goes for fraud. After a training, agents will be really diligent and more attentive to indications of fraud. But after awhile they may get comfortable if indications of fraud are few and far between.
And if you are your own front line, make sure you’re educating yourself. (All biases aside, this article series and Doug’s webinar (embedded below), would make a pretty dang good curriculum :) ). Plus, this ARC link to best practices is also a great resource for both leisure and corporate agencies that use GDS.
5. Implement Policies
Okay, so rules are no fun a lot of the times. But implementing (and enforcing) staff-wide policies can be a good way to safeguard your travel agency against fraud and to keep your staff accountable to retaining all the great information that you’ll undoubtedly be training them on.
Here’s a few examples of policies you could implement:
- Don’t Sell to Non-Profiled Travelers (For Corporate Agencies): This advice comes directly from Doug. When it comes to issuing flights especially, the stakes can be higher for corporate agencies. So the strategy he recommends is to issue each client a password ID. “In their client profile, they have a password that only a true corporate client would have the password. The agent will bring up the corporate profile and see what the password is and request that the caller tell them the password.”
- Document, Document, Document: Leaving a paper trail will go a long way in fighting against chargebacks from friendly fraud. You can use waivers to protect yourself. If a client signs off on the fees, itinerary, the fact they want/don’t want travel insurance, and a basic understanding that a travel agency can’t stop it from raining on their Hawaii honeymoon, then it will be a lot easier for a travel agent to contest a chargeback if said clients decides to try and dispute the charges because they’re unhappy with their trip. We also have a Trip Details Confirmation form that can be a helpful tool to document a client’s intent to travel in addition to waivers. These signed documents can help agencies contest chargebacks from instance of friendly fraud.
- Always Verify Identity of a New Customer in a CNP Environment: An approval code is not enough. It’s counterintuitive to think that you’d ever say no to a sale, and in most cases you won’t have to. But verifying the identity of a new customer is crucial—even if they came as a glowing referral from another client. If a customer is particularly anxious to get their tickets purchased (hint: a sign of fraud), you can take steps to verify their identity while the ticket is on hold if that’s an option. You can check how to verify identify by using the tools in #2 listed above.
- Change Your Passwords: According to this WSJ article, the books on passwords has been rewritten, literally. Gone are the days of impossible-to-remember alphanumeric doozies. Abbreviated version, “Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.” This means creating sentences like “My dog Ridley tried to eat an opossum!” might be harder to crack that F%]#![gh*&5NbV.
- Listen to Your Gut: It sounds pretty funny right? Mandate to your employees that they listen to their instincts when something just doesn’t “feel right?” But honestly, listening to gut instincts is about 80% of the challenge (I measured this very closely ;)). When something doesn’t feel right, let your employees know that you’d rather be safe than sorry—even if it comes at the cost of losing a sale. The tools are available to confirm your
- Then Repeat: When you train your clients it’s not a one-and-done deal. Check in at staff meetings to see how their fraud-prevention efforts are going to keep it fresh in their head.
Okay, so maybe you don’t want to be the person who’s like the chaperone at the middle school dance, making sure the kiddos dance at least three (or thirty) feet apart. My advice to make talking about fraud with your staff more fun? Donuts. Bring donuts. With sprinkles.
Sh*t. Fraud Happened Despite My Precautions. Now What?
Bummer is an understatement. But take a few deep breaths. Fraud can happen to the best of us. But there are steps you can take to help reduce the impact of fraud as much as possible, to get a few bucks back, and to help pay it forward and reduce potential fraud that might be committed against other agencies.
Deep breath. You’ve you got this. Here’s what you need to do:
1. Contact ARC at [email protected] or call 855-358-0393:
If fraud is happening to your agency, there’s a good chance that it is going to happen to others. So as you discover an instance of fraud, it’s important to report it to build up your great karma (even if it’s too late for you).
According to Doug, the more info you have the better when you call, “When you report a suspicious request, the more info you can give, the better. Including the email, the name of who made the request, the passenger name, who they were requesting it for, any documents purporting to be the cardholder’s . . . ARC will see if any other tickets for that passenger or card has been used anywhere and warn the next agent down the line.”
2. Call the Airlines to Cancel the Ticket:
Calling the carriers to cancel or exchange tickets will not work every time, but it’s still worth a shot. Doug recommend that, “If [the agent is] outside the void window they need to contact carriers directly to get them suspended so it can be flown, exchanged, or refunded. Do whatever you can to void as many tickets and get them refunded if you can. Not every carrier is going to do it, but some of them will.”
Unfortunately, most airlines don’t seem to have a line dedicated for reporting fraud. So you’ll need to reach out to them through your conventional channels. Doug’s other advice? “Don’t forget about the service fees.” As in, don’t forget to cancel the service fee to avoid chargebacks.
3. Press Charges
If you’re experiencing internal fraud from an IC or employee, oftentimes the impulse is to fire them and wash your hands of the situation. But just like criminal fraudsters, the offending agent will likely just drift over to a new agency and do the same.
So not only it is beneficial to contact ARC, but it’s also within your right to press charges against the agent. (Here’s a Travel Market Report article on an agency that did just that.)
4. Reexamine your policies
Okay, so maybe it’s not exactly like making lemonade out of lemons, or turning a barrier into an opportunity, but this would be a good time to look at what policies and procedures you have in place to make sure something like this doesn’t happen again.
Class is Dismissed . . .
That is, until Steph hosts her great fraud webinar with Doug Nass of ARC (so you can hear what he sounds like outside of these article quotations).
It will be held on Dec. 7th, 2-3pm, CST! You can register here and have your staff attend too (admit it, you need a topic for your weekly meeting!). We won’t be able to electronically send the sprinkle donuts I mentioned earlier, but you can BYO, settle in and become a stellar fraud expert.
Do you have any fraud horror or success stories you’d like to share? Precautions to take? Policies to implement? Comment below and share your experiences with us!