Fraud Alert

Ticketing Fraud: An Overview & Best Practices for Prevention

Common Ticketing Fraud Methods

Fraudulent activity continues to be reported. There are sophisticated means to obtain agents' credentials. Fraudsters alter their methods frequently in order to adjust to security measures at targeted sites.

Unauthorized stolen tickets are issued when fraudsters obtain travel agents' global distribution system (GDS) credentials. Most tickets include either ABJ or CMN in the routing, although there are other airports. Outbound legs are typically used within hours of issuance. Once the transaction is identified as fraudulent, the agent attempts to void those tickets and cancel any bookings before notifying the validating carriers to prevent usage of any unvoided tickets.

In an effort to further reduce - and eliminate - this kind of activity, ARC has worked with representatives of GDSs, including Amadeus, Sabre and Travelport, to develop some preventative measures and best practices. Travel agents, including corporate travel departments and ARC accredited Verified Travel Consultants (VTCs), should consider implementing these best practices for IT security and to better identify and prevent future unauthorized tickets. Please note, however, that this list is not exhaustive and is meant to serve merely as a best practices guideline. ARC is not providing any legal advice and encourages travel agents to consult with their IT security team and legal counsel before taking any measures.

WHAT IS AN UNAUTHORIZED/STOLEN TICKET?

Agent states in writing that
1) they did not issue or authorize these e-tickets to be issued, and
2) they did not collect payment for these e-tickets.

Phishing or Spear-Phishing Emails

There are two main types of fraudulent emails. Phishing emails are directed toward a broad spectrum of recipients. Spear-phishing emails are aimed at individual email accounts.

Scenario #1
A phishing email appearing to be from your GDS entices you to click on a link for additional information. You are directed to a convincing (albeit counterfeit) GDS login page where you are instructed to log in using credentials. The fraudster now has your login information to issue tickets, review data and perform other activities in your GDS. Once you have entered your credentials on the bogus login page, you will likely be redirected to the legitimate GDS login page. You will believe that you mis-typed your ID or password and must simply enter it again, convincing you that the link in the phishing email was legitimate.

Scenario #2
The phishing email requests that you provide additional information for security by clicking a link. Once you click, there will be a multipart questionnaire, including fields for your agency name, address, telephone number, agency code number, login ID and password. Once you complete the form, the fraudster has your credentials to issue tickets, review data, and perform other activities in your GDS.
If you or your staff have clicked on a link and entered your GDS credentials, it is important that you change your password immediately using your known GDS bookmark or desktop icons, and notify your GDS and ARC. When in doubt, don't click on links in any email! Instead, use your own Internet browser bookmarks or desktop icons to access websites.

  • Use your judgment and experience as a guide. For example, if you have just received help from any help desk, or completed a webinar or training, it would not be unusual to receive a survey or other request for feedback. You can always contact your GDS for verification of an authentic email.
  • Identify exactly where the link will take you. Is the URL for the official GDS website? Point and hover your mouse over a link in the suspect email to determine the true URL. Hover, but don't click. A pop-up box will show the link's real URL. Pay close attention to the results to see if the destination is the real GDS website or only looks like it. A GDS may provide verification of all legitimate emails on its website, so also be sure to check suspicious emails there.

Phishing and spear-phishing emails:

  • Include the names and logos of trusted sources (e.g., Sabre, Travelport, Amadeus)
  • May be rudimentary, with spelling and grammar errors
  • OR may appear very professional with graphics from your GDS's website and signatures of recognized GDS executives
  • Almost always include "From" fields with masqueraded addresses
  • Are addressed directly to an individual employee and may include the employee's first name and other personal information (spear-phishing emails)
  • Entice the reader to click links for additional information (e.g., monthly activity or data reports, account activation, notifications, security information, new rates)

Screenshot of a phishing email

HINT: Point your mouse over the link and hover, but don't click. A pop-up box will show the real URL.

Social Engineering

Never give your agency code number, GDS login ID or password to a caller!

A fraudster, posing as a representative from a GDS or ARC, calls or emails an agent stating that there is a problem or error. The caller then asks for the agent's GDS credentials or agency code number in order to help get the issue resolved. This type of fraud is known as social engineering.

There may be a legitimate reason for someone to ask for your information, but never a valid reason to ask for both a login ID and password. If you ever feel uncomfortable about providing information, advise the caller that you will call the valid phone number to answer any appropriate questions.

How to Identify and Prevent Fraudulent Ticketing

  • Review ticketing through your GDS throughout the day... including weekends and holidays. Check with your GDS to determine how to easily list daily ticketing.
  • Review bookings daily... including weekends and holidays.
  • Look for red flags like high-dollar tickets, international cash (sometimes credit) sales, and itineraries including destinations in Africa (commonly ABJ or CMN).
  • If your bookings regularly include high-dollar tickets to and from ABJ or CMN, review for known passenger names.
  • If your GDS has the ability to do so, you may want to consider turning off ticketing after hours or on weekends, and restricting specific carriers, airports, and forms of payment, in order to meet your business and security needs.

Because fraudulent tickets are issued for immediate use, time is critical.

  • If you identify unauthorized ticketing or access, or attempted access, immediately attempt to void such tickets and cancel bookings through the GDS. If a ticket cannot be voided, contact the carrier and advise them of the fraud.
  • Deactivate the compromised GDS login ID and change the password.
  • File a report with local law enforcement.
  • Document your actions.
  • Refer to ARC's instructions at https://www.arccorp.com/support/fraud-prevention.jsp
  • Report any suspicious emails and activity to ARC at fifp@arccorp.com and to your GDS help desk.

Provide contact information for 24/7 emergency notifications.

  • If ARC identifies a possible unauthorized ticket(s), they will attempt to confirm it with the travel agency. Since many of these incidents occur on weekends, overnight or on holidays, it can be difficult and time-consuming to find valid after-hours telephone numbers.
  • Consider putting emergency contact information on your website or voicemail, or forward your work number to a home or mobile number during off-hours.
  • Confirm or update your information with your GDS.

Develop or update your agency's information security policy.

Consider using a layered approach to security:

  • Use and monitor a firewall.
  • Regularly use active and updated malware, spyware and virus protection.
  • Update your operating systems with current security updates.
  • Update applications with all current security patches.
  • Enable anti-phishing ability through your browser.
  • Mandate complex passwords (e.g., upper/lower case letters, symbols and numbers, no proper names, initials, words, etc.).
  • Secure your network to prevent unauthorized access to proprietary and sensitive information including names, addresses, dates of birth, and credit card information. As a starting place, research the following websites:

CIS http://cisecurity.org/
SANS http://www.sans.org/
NIST http://csrc.nist.gov/

Develop or update your agency's policy for GDS access.

  • Disable employee accounts upon termination of employment.
  • Perform an annual audit of active user accounts and make adjustments as necessary.
  • Restrict a GDS user's level of access to only necessary privilege. For example, cruise-only agents may only need access to view or book only.
  • Require complex passwords.
  • Require password changes more frequently than every 90 days.

Take advantage of training and advisories.

  • Fraud alerts are sent by email, posted on websites and on social media sites, and are provided by ARC, the GDSs and other industry experts. https://www.arccorp.com/support/fraud-prevention.jsp
  • Share information with anyone who has access to a GDS.
  • Follow ARC on Facebook and Twitter to receive fraud related messages from ARC.
  • Fraud prevention training is often provided by ARC, the GDSs, and industry groups through webinars and seminars; check individual websites for more information, and urge your employees to take advantage of these offerings. https://www.arccorp.com/support/fraud-prevention.jsp

In Summary

We cannot guarantee that the implementation of these proposed preventive measures will serve to eliminate ticketing fraud. However, it has been our experience that agents who have taken the steps provided have realized the benefits of enhanced security and an educated staff able to recognize attempts to obtain unauthorized access to tickets. ARC and the GDSs remain dedicated to helping you enhance security and protect your agency from those who would commit acts of ticketing fraud.