Thought Leadership Sponsored by ARC Preventing Fraud Tools to protect your agency from fraud December 23, 2016 Share 1 -- It's late in the day when the travel agent picks up the ringing phone. The caller ID on her display shows the call is local, but it's not from a number she recognizes. The man on the phone identifies himself as a doctor who needs four tickets for an international flight that night due to a medical emergency. The travel agent has heard of these stories before and is wary of the man's request, but he happily agrees when she requests he email her copies of his driver's license and credit card. With that, she agrees to sell the tickets, wanting to assume the best and not delay him in the event his tale of an emergency is true.It isn’t. The caller isn’t local at all; he isn’t even in the same country. The driver's license had been digitally manipulated and the credit card stolen. The travelers, however, are real, even though the emergency isn’t. The caller had already taken cash from the innocent travelers, with the promise of providing tickets. They didn't know that the tickets he would provide them would be purchased with a fraudulent card—and that he would pocket the cash. And the travel agency is on the hook for the expense. While this is a scenario of which most travel agents are well aware, today's fraudsters aren't simply repeating the scams that have worked in the past. They are developing increasingly sophisticated methods of trickery to present fake identities, including untold amounts of pilfered or fake credit card numbers as well as technological tools like digital document manipulation and call-masking protocols. And they are doing so with the hope that agents, known for the importance they place on good customer service, will be reluctant to accuse them of anything untoward."Unfortunately there are fraudsters all over the world that are targeting agencies on a daily basis," says Doug Nass, manager of fraud investigations at the Airlines Reporting Corporation (ARC). "There are lots of compromised credit cards out there. These fraudsters are using that data to dupe the agencies into issuing tickets.” Nass notes that some fraudsters seem to spend more time targeting the online agencies, but others remain old-school. “They continue to try to use social engineering schemes by phoning and emailing agencies to represent themselves as legitimate customers,” he says. “The goal is to deceive that agent into issuing tickets."The Tools of the Trickster’s TradeFueled by high-profile hacks of credit card data from retailers' and other online platforms, the Internet is rife with stolen and otherwise fraudulent card numbers. It's these numbers that form the foundation of many scammers' efforts to target travel agencies, almost always via email or by phone. "The underground Internet is awash with potentially millions of compromised accounts," Nass says. "Through those underground Internet forums, scammers are selling compromised credentials or compromised accounts to other fraudsters all over the world. We're seeing a lot of that."With those purloined numbers in hand, the scammer's next step is to contact the agent. Face-to-face interaction at a brick-and-mortar agency to set up a fraudulent transaction is rare, Nass says, especially with the advent of chip-enabled payment cards—so a significant majority stick to the telephone and email.Technological advances have helped scammers make their phone calls appear more like legitimate business to agents. Specifically, using Voice over Internet Protocol (VoIP) technology allows scammers to make contact in a manner that assigns the agent's own area code to their incoming call."When the call pops up on the travel agent's caller ID, they're thinking, 'OK, somebody local, no big problem,' " Nass says. "But the reality is they are likely sitting in a cyber café in Ghana or Nigeria; Bogota, Columbia; or Lima, Peru—all places where we see a prevalence of VoIP telephone numbers."Playing Mind GamesCaller ID, though, is but a sliver of the subterfuge scammers bring to their dealings with agents. Many of today's fraudsters know that a stolen credit card number won't be enough to trick an experienced travel agent, so they have additional ploys to gain the agent's trust or at least temper any skepticism about the new customer."Fraudsters are using their manipulation and social engineering skills to take advantage of the customer service skills that each travel agent has, because every agent wants to be customer-focused," Nass says. "They want to grow their businesses. They want to hope that everyone who’s contacting them is who they say they are and is legit.”To that end, Nass notes that fraudsters specifically "prey upon that customer service skills the agents have” by coming up with legitimate-sounding reasons for why they need tickets for immediate departures. "They'll come up with stories that there's been a death in the family or there's a medical emergency in the family, and I need tickets for these one, two or three people to travel tonight or tomorrow” he continues. “And of course, those things do happen in the real world."Further layering on the deception, scammers will add detail to their stories to exploit the agent's emotions and natural inclination to help a customer in a tough spot.Fraudsters "want to bring travel professionals into the story of what they're doing," Nass said. "Some of them will say they're a doctor—this is a classic one that's been going on for decades. 'I'm Dr. So-and-So or Rev. So-and-So'—someone with perceived social standing. They'll use that moniker to make themselves appear as someone important in society, someone who you would want to help.” In fact, some scammers won't rely merely on an in-the-moment sob story to win the agent's compliance. They'll lay the groundwork weeks or even months before with smaller, legitimate purchases to establish their bona fides as real customers before running their ruse."Often, the fraudster will order what we call a straw purchase just to make himself look even more legitimate," Nass says. "He'll order a ticket in his own name or his alias name for, say, a standard Dallas to New York flight in three weeks, something that agents do on a daily basis. But that straw purchase is never meant to be flown. It's merely an attempt to establish a relationship with a specific travel agent who's going to create a customer shell or profile, so that now they're in the system. That fraudster then may call back later that day or the next day, or he might wait a week, and he tries to get to the same agent. This is when he’ll start to order tickets for other passengers."Fighting BackThat scammers have become more sophisticated and have a wider array of tools hardly means agents are powerless to counter their traps. The internet may be a powerful tool for credit card fraud, but it also hosts several resources that can help skeptical agents verify if their customers are genuine."There are a lot of places you can go on the internet in about five minutes of quick searching to get a better feel for whether you're dealing with someone legitimate or not," Nass points out. "These searches on free sites can back up your gut feeling as to whether you're dealing with someone credible or not."Those tools include reverse telephone and address directories, which agents can use to help clarify the customer's location. Using online map sites can help show whether a given address is a legitimate home or place of business. Additionally, a close examination of the customer's documentation can reveal enough inconsistencies to raise red flags. "We encourage travel advisors to get copies of the cardholder's driver's license or passport, and of the front and back of the credit card, because often these fraudsters are overseas," Nass said. "Often English isn't their first language so sometimes in the photoshopped documentation, they'll have misspellings. Other times, their Photoshop skills are terrible. Often the quality of the photoshopped document is really poor, with some areas fuzzy and other parts very clear. Especially if it's coming through as an attachment in an email, enlarge the image. It should all be fuzzy or it should all be very clear—but not a combination."But the most important indicator, Nass emphasizes, is a travel agent's own sense that something isn't right. "I get people all the time, after they've encountered a fraudster, who say, 'Gosh, I didn't feel right about it, but I didn't have enough information to follow my gut feeling,' " he says. "These guys sit in that sweet spot of looking just legitimate enough, saying the right things and offering up what appears at a basic level to look legitimate. But if you start looking at it a little bit closer, then things start to fall apart. It's the old adage: ‘Trust, but verify.’ Trust that you are really dealing with a person who is who they say they are, but especially for new customers you want to verify it as well."ARC's Role in Fraud Prevention The financial consequences of a fraudulent travel booking can be significant, especially for smaller, independent travel agencies. To that end, ARC not only takes an active role in providing resources and training to the agency community to combat fraud but also maintains a record of successful and potential attempts at fraudulent bookings and works with law enforcement to prosecute offenders. "We try to be very aggressive with these fraudsters and make it difficult for them to operate," says Doug Nass, ARC manager of fraud investigations. "We try to do what we can to mitigate the fraud in the agency channel. We talk to many travel agents about fraud in general and what they should be doing." ARC's website currently includes a fraud prevention section ( www.arccorp.com/support/fraud-prevention.jsp) with information and tips on spotting credit card red flags and details of common travel agency fraud ploys. Nass says ARC is expanding its website to include more information on fraud-prevention best practices. Nass also encourages any agent who has been the victim of fraud or a foiled fraud attempt to contact ARC at 1-855-816-8003 or email@example.com with the details of the transaction, even if no tickets actually were issued. "We look at every single email that travel agents send in, and we look for connections between all of these attempts," Nass says. "Fraudsters change their aliases, their VoIP telephone numbers and their Yahoo, Gmail and Outlook accounts, but often we can still make connections to previous incidents. My team takes all of the information and tries to build it into an actual case that can be worked by law enforcement." In fact, in several cases in recent years, ARC has worked with law enforcement to identify and successfully prosecute individual scammers in the United States. Even absent a formal investigation or prosecution, ARC can identify trends among scammers' attempts and notify the agency community of any common threads. "It's the frontline agency staff who are the neighborhood watch,” Nass says. “They're the ones who are going to be the eyes and ears of what's going on and what they're facing." To help with that, ARC issues fraud alerts to travel agencies with details of new or increasingly popular scams. “Agents need to know what to look for and so do what we can to get the word out into the community," Nass says.