Fraud committed against travel agencies is on the rise, and industry organizations are warning the trade to be vigilant.
The World Travel Agents Associations Alliance earlier this month issued a global warning after perpetrators fraudulently obtained agency IATA numbers to access airlines' NDC systems and buy tickets with stolen credit card info. Cases were identified in North and South America, with attempts made elsewhere.
ASTA alerted members last month after the scheme hit a Canadian agency. It appeared to be coordinated activity, ASTA said, not an isolated incident.
Executive vice president of ASTA Corporate Mark Meader said, "Fraud targeting travel agencies is becoming more and more sophisticated, with criminals combining everything from stolen payment information to impersonation tactics to credential theft."
Meader said he sees five main types of fraud in the agency space today: payment fraud, like when a stolen credit card is used for last-minute, high-value bookings; impersonation fraud, when a fraudster poses as an agency, supplier or even a client; exploitation of business processes, where fraudsters attempt to misuse industry credentials; credential theft, when fraudsters steal login details via phishing or malware; and business email compromise, when fake invoices or payment instructions are used to redirect funds.
Mark Meader
"Travel relies on these trusted relationships and these interconnected systems," Meader said. "As distribution channels evolve, technology evolves; it's really important that verification processes evolve, too. Industry collaboration and information sharing help agencies stay ahead of these emerging risks."
Key to mitigating the risk of fraud is verifying new business contacts, monitoring ticketing reports and chargebacks and training staff to spot phishing and impersonation attempts, he said.
Cornelius Hattingh, ARC's director of revenue integrity, onboarding and compliance, said two kinds of fraud are most common right now in ARC's purview.
In the last six months to a year, he said ARC has seen a lot of imposter fraud. Bad actors will pose as an employee of a company, set up a corporate account with a travel agency and buy airline tickets. That can be prevented through vetting, he said, by a phone call to verify employment.
"It's just doing the necessary due diligence in that space," Hattingh said.
ARC said other fraudsters are using social engineering tactics like phishing scams to obtain credentials of legitimate agencies, then establish a GDS connection. They issue tickets for same-day or next-day travel, and by the time the fraud is discovered, it's too late.
ARC said it sends risk alerts to agencies if suspicious ticketing is suspected. At that point, Hattingh said, it's up to the agency to investigate. He said that ARC also has worked with GDSs to put safeguards in place.
IC perpetrators
Industry attorney and Travel Weekly's Legal Briefs columnist Mark Pestronk said he most commonly sees fraud committed by independent contractors (ICs) against their host agencies.
He outlined a typical scenario: An IC who is largely unknown to the host charges airline tickets to a credit card that's phony, unauthorized, expired or over the limit and does not get a signature or card imprint. The host's GDS gives an approval code, and the host issues the ticket without review by an employee. The ticket is used, then the credit card company issues a chargeback. The IC repeats those steps many times before the host receives a debit memo. Then the IC disappears.
Mark Pestronk
But Pestronk said he has seen varied forms of fraud, including some where an IC is a thief -- stealing a client's deposit, for example -- and some where the IC has been duped, mistakenly taking a phony or unauthorized credit card from a client.
He recommended that host agencies take a number of steps to prevent fraud, including reviewing ARC's list of red flags to assess credit card risk.
He encourages hosts to obtain an IC's employment history and check references; conduct background and credit checks; get a notarized signature on IC contracts and a notarized copy of a picture ID, verifying that the notary exists; review reservations and examine suspicious patterns like weekend spikes; require checks payable only to the host; prohibit ICs from using their own merchant accounts; and ensure checks clear before issuing tickets.
Meader said vigilance and verification are two of the most important factors in mitigating risks.
"Fraud tactics are evolving, but the travel agency is responding with strong safeguards, better verification processes and greater information sharing," he said.