Fraud is an unfortunately common thing, affecting corporations and consumers alike, and travel agents are no exception.
But there are some best practices that agents can employ to help reduce the likelihood that they or their agency will become victims of fraud.
This article is the first in a two-part series that looks at real-life travel agency fraud, and how agents can minimize future risk.
"Fraud Prevention & Solutions: Learning from Each Other's Pain" was the topic of a panel at last month's ASTA Global Convention in San Diego.
Robin Sanchez, chief operating officer of Montecito Village Travel, a host agency and Virtuoso member based in Santa Barbara, Calif., the panel's moderator, presented several scenarios that have faced Montecito Village Travel, the first having to do with its GDS access.
One of Montecito's agents received an email that appeared to be from Sabre asking her to verify her credentials, which the agent did on a Friday afternoon. She followed a direct link from the email to what looked like an official Sabre website and verified her credentials. Everything seemed to be fine.
It wasn't. The next day, a fraudster used that agent's credentials to log in and run $25,000 worth of Royal Jordanian airline tickets.
"In this scenario, Sabre and ARC shut us down, thank goodness, in the middle of the night," Sanchez said.
In the end, the perpetrator was arrested and is currently serving a prison term, she said.
Since the incident, Montecito has informed all agents and ICs that requests to verify credentials will only come from within the company, an executive or an IT person.
It's important not to do as the agent in this case did, and click on the link in the email, although the fraudster's attempt was convincing.
"It looked just like the Sabre page, and as you log in, they're just collecting your credentials," Watkins said.
Being alert to phishing emails like the one Montecito's agent received is a key best practice.
"A financial institution, or that kind of an organization, will never ask you for complete details on your account, never," said Nigel Hobson, sales director for AFEX, a global payment and risk management solutions company.
The second scenario Sanchez addressed had to do with wire transfers.
The person in Montecito's accounting department responsible for wire transfers received an email that looked like it came from one of the agency's ICs. The email asked for $18,000 to be transferred to a legitimate bank account number. The financial person went back and forth with who they believed to be an IC, asking for an invoice number, and transferred the money. Then, Montecito found out it was not a legitimate transfer.
Montecito filed a report with the FBI, and within two weeks was able to get the money back.
"We've now put safeguards in place," Sanchez said. "No wire transfer can be done via email. When you email the accounting department, they then have to either call you or text you... and have a verbal OK that it's correct."
Often, Hobson said, fraudsters are smart, like the one in this case: They do research and target the correct person in a company. In this case, someone in accounting.
"It's really down to vigilance," he said. "You've got to train your people, and you've got to highlight that these sort of things could happen."
Next week, a discussion on credit card chargebacks, and vetting potential employees and/or ICs.