The employees of Tui Travel in Swansea, Wales, didn’t take Adam Griffith very seriously. He was just a “time-waster,” they thought — someone who would hang around the agency and tell stories of his travels and adventures, his private jets and celebrity friends. He’d never actually book any vacation rentals, but he seemed mostly harmless. 

However, Griffith wasn’t who he seemed to be. While hanging around and fading into the wallpaper, he got hold of computer passcodes, and he used them to book almost £39,500 in travel expenses ($48,500).

There is no such creature as a ‘typical’ con artist. However, Adam Griffith certainly was not atypical. He hit targets of opportunity, taking advantage of an agency where he had become familiar to the employees, who then let their guard down. 


He repeated his trick (as fraudsters often do), hitting Burgess Travel, also in Swansea, Wales, later that year, again by obtaining their passcodes. “Insider” fraud, such as Griffith’s fraudulent access to computer systems, is just one of the top four travel agency fraud threats facing the industry today. The other three most frequent threats are payment fraud, phishing scams, and chargeback fraud. Typically, theft by any of these means becomes more likely when employees let their guard down.

Credit card theft

The vulnerability of last-minute bookings

A related challenge, though not one that Mr. Griffith employed, is that agencies are especially vulnerable to last-minute buyers. Fraudsters purchase tickets with departure times in less than 48 hours. The short timeframe narrows the window in which an airline or an agency can detect the fraud. Once the traveler has checked in for the flight, the deal is closed. This is often less than 24 hours after the booking, and once the deal is closed, the agency cannot cancel the ticket and the scam succeeds.

A much-publicized case of payment fraud arose in 2017, involving a legitimate travel agency in Gatineau, Quebec. It illustrates the volatile combination of stolen credit cards and last-minute booking in travel agent fraud cases. That agency, Voyages G Travel, lost $20,000 on ten fraudulent bookings. Scammers booked air travel using stolen credit card numbers, posing as the travel agency. They sold the airline tickets for cash at a steep discount, leaving the travel agency footing the bill.

The culprit(s) are still on the loose, and it isn’t clear how the fraudsters stole the credit cards. They likely purchased them through the thriving black market in cards bought and sold on the ‘dark web.’ Cards initially get into that market in many different ways. For example, criminals conceal malicious programs (such as the ‘Angler Exploit Kit’) in legitimate websites; these install malicious software on visitors’ computers, which then harvests card numbers.

In the Gatineau case, airline and hotel vendors dealing with last-minute bookings didn’t pay much attention to the agency name, or other information aside from the credit card numbers themselves. The vendors scanned the numbers and, since the cardholders had not reported their cards as stolen, the numbers cleared.
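The pattern described above (bookings departing in under 48 hours, paid with several different cards under one agency's name) can be turned into a simple triage rule. The following is an added example, not code from the original article; the record layout, the agency IDs, the card tokens, the 24-hour check-in assumption and the burst threshold are all illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SHORT_LEAD = timedelta(hours=48)     # threshold named in the article
CHECKIN_OPENS = timedelta(hours=24)  # assumption: check-in opens 24 h before departure
CARD_BURST = 3                       # assumption: distinct cards per agency per day

# Constructed sample bookings: (id, agency, card token, booked at, departs at)
BOOKINGS = [
    ("B1", "AG-100", "tok_a", "2017-03-01T09:00", "2017-03-20T08:00"),
    ("B2", "AG-200", "tok_b", "2017-03-01T10:00", "2017-03-02T18:00"),
    ("B3", "AG-200", "tok_c", "2017-03-01T11:30", "2017-03-02T07:00"),
    ("B4", "AG-200", "tok_d", "2017-03-01T12:00", "2017-03-02T09:00"),
    ("B5", "AG-100", "tok_a", "2017-03-01T13:00", "2017-03-03T06:00"),
]

def triage(bookings):
    """Return {booking_id: (reasons, hours_left_to_cancel)} for flagged bookings."""
    rows = [(bid, agency, card, datetime.fromisoformat(b), datetime.fromisoformat(d))
            for bid, agency, card, b, d in bookings]
    # Distinct cards used on short-lead bookings, per agency and booking day.
    cards = defaultdict(set)
    for _, agency, card, booked, departs in rows:
        if departs - booked < SHORT_LEAD:
            cards[(agency, booked.date())].add(card)
    flagged = {}
    for bid, agency, card, booked, departs in rows:
        if departs - booked >= SHORT_LEAD:
            continue  # enough lead time for normal review
        reasons = ["short_lead"]
        if len(cards[(agency, booked.date())]) >= CARD_BURST:
            reasons.append("card_burst")
        # Worst-case review window: booking time until check-in can open.
        window = max(departs - CHECKIN_OPENS - booked, timedelta(0))
        flagged[bid] = (reasons, window.total_seconds() / 3600)
    return flagged

if __name__ == "__main__":
    # Most urgent first: the smaller the window, the sooner a human must look.
    for bid, (reasons, hours) in sorted(triage(BOOKINGS).items(), key=lambda kv: kv[1][1]):
        print(f"{bid}: {'+'.join(reasons)}, {hours:.1f} h left to cancel")
```

A window of zero hours means the traveler may already be able to check in, so those bookings need review before ticketing rather than after.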


Phishing scams involve the receipt of an email, apparently from a trusted source: perhaps an online payment processor. The phisher, under the mask of that trusted source, asks for essential information; for example, email address log-in data. Bad actors can then monitor the agents’ email, looking for an opportunity to get in the middle of a travel transaction.

Friendly Fraud 

In friendly fraud, the fraudster will, for example, take a plane flight to Maui. When the trip shows up on a credit card bill, the fraudster will say, “I never went to Maui.” He or she may persuade the card issuer to cancel the transaction so that the fraudster pays nothing for that trip. The issuers do not carefully vet every chargeback claim. Travel agencies grant some mistaken or blatantly fraudulent claims and then foot the bill for that trip to Maui.  


Returning to where we began, computer password security is a significant fraud vulnerability. Under present circumstances, travel agencies are heavily dependent on their global distribution system (GDS). A GDS (typically Travelport, Amadeus, or SABRE) is a “motherboard” for dozens, if not hundreds, of computerized reservation systems, e.g., for airlines and hotels. Travel agents gain access to a myriad of different airline fares, while airlines gain access to bookings from the pool of agents booking travel. Unfortunately, this convenience creates opportunities for fraud for anyone who can access that system with malign intent, as did Adam Griffith.

As a final point, travel fraud can be geography-specific, exploiting specific airline-airport pairings, “hot routes,” that fraudsters identify as having the most significant vulnerabilities. For a travel agency or OTA to secure itself against fraud, it is not sufficient or sensible to close down the “hot routes.” The profitable course is to make use of travel fraud detection software to reduce vulnerabilities. We will be covering these more granular vulnerabilities in detail in a later post.
