New security requirements ARC has placed on U.S. travel agencies appear to be dampening the incidence of successful cyberattacks on agency systems.
However, overall fraud in the travel industry continues to rise, according to Mastercard and fraud-prevention tech company Riskified, while ARC cautions that the travel industry has more to do to counter ever-more sophisticated threats.
According to ARC, unauthorized ticketing, which involves the use by a cybercriminal of travel advisor credentials, is down 50% from 2024, year to date.
Criminals typically obtain those credentials through phishing schemes, in which they utilize email or other online communication channels to pose as a vendor, colleague or service provider, then entice or trick the target into giving up sensitive information such as passwords.
Cornelius Hattingh, ARC's director of revenue integrity, attributed the precipitous drop to a policy ARC put in place last year requiring ARC-accredited agencies to use multifactor authentication. ARC also instituted a requirement that agencies attend two ARC-run cybersecurity trainings per year.
Hattingh, however, is among the chorus of voices who say that fraud, more broadly, remains a major threat within the travel industry.
"Travel, including the airline industry, remains one of the top five industries for fraud," he said. "That has not changed. The space is still exposed. There is a lot to be done by agencies to make sure that they safeguard their environment."
As ever, a leading type of fraud perpetrated against travel companies involves the use of stolen credit card information to make purchases. Stolen loyalty points similarly can be used.
According to Riskified, the dollar-value proportion of fraudulent sales in the airline industry last year was nearly 2.5 times higher than the baseline proportion across a mix of retail, digital and travel-related industries. Flight bookings last year also saw a 14% year-over-year rise in fraudulent activity rate, Riskified said.
Hotels, too, were in the crosshairs in 2024, targeted at a rate 112% higher than the average across industries.
Mastercard's global 2024 figures tell a similar, though less drastic, story. Fraud rates for flights and train bookings were 98% above the global baseline across industries, while hotel transaction fraud was 49% above that baseline.
Riskified senior data analyst Lev Gal said that through the first half of this year the number of airline fraud incidents was up 9% and hotel fraud incidents were up 8%.
Travel is a naturally ripe target for fraudsters, she said. Order amounts are often large; products, manifesting as booking confirmations, can be delivered digitally; and there is constant demand.
"Routes and hotels are completely global," she said. "And it's very easy in this industry to draw customers with great prices. It's relevant to everyone."
Trends identified by Gal include an increase in account and email takeover by fraudsters, with access gained via phishing schemes.
Fake travel agencies, in which fraudsters mimic the logo and branding of well-known OTAs in order to steal credit card credentials, are also growing in scale.
And fraudsters using stolen credit card credentials are also moving more heavily into the actual customer service business, offering steeply discounted bookings on the dark web and relying on online reviews to bolster business, just like legitimate e-merchants.
Many of those criminals, said Gal, are getting more careful in their booking approaches in order to avoid easy detection. For example, they are more commonly matching IP addresses used for booking with the departure location.
To avoid a credit card chargeback prior to their customer's flights, last-minute bookings are preferred.
Hattingh said that new schemes are a constant. One that ARC has begun seeing over the past year involves a bad actor approaching a travel agency for a partnership. The only thing the agency has to do, the fraudster says, is ensure the partner has the authority to issue tickets through its system.
In return, the agency will receive fees for each booking plus the value of the ticket. But then, the fraudster doesn't turn over the funds.
One agency that fell victim to this scheme lost around $1 million, Hattingh said.
"Do all the proper due diligence. Know who you are doing business with. Normally, if it sounds too good to be true, it is," he said.