Ticketing Fraud: An Overview & Best Practices for Prevention
Common Ticketing Fraud Methods
Fraudulent activity continues to be reported. Fraudsters use sophisticated means to obtain agents' credentials, and they alter their methods frequently in order to adjust to security measures at targeted sites.
Unauthorized stolen tickets are issued when fraudsters obtain travel agents' global distribution system (GDS) credentials. Most tickets include either ABJ or CMN in the routing, although there are other airports. Outbound legs are typically used within hours of issuance. Once the transaction is identified as fraudulent, the agent attempts to void those tickets and cancel any bookings before notifying the validating carriers to prevent usage of any unvoided tickets.
In an effort to further reduce, and eliminate, this kind of activity, ARC has worked with representatives of GDSs, including Amadeus, Sabre and Travelport, to develop some preventative measures and best practices. Travel agents, including corporate travel departments and ARC-accredited Verified Travel Consultants (VTCs), should consider implementing these best practices for IT security and to better identify and prevent future unauthorized tickets. Please note, however, that this list is not exhaustive and is meant to serve merely as a best practices guideline. ARC is not providing any legal advice and encourages travel agents to consult with their IT security team and legal counsel before taking any measures.
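The pattern described above (ABJ or CMN in the routing, outbound leg used within hours of issuance) can be checked against an export of recently issued tickets. The following is an added example, not ARC or GDS code; the record fields, the sample tickets and the 12-hour threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta

WATCH_AIRPORTS = {"ABJ", "CMN"}      # airports named on this page
MAX_LEAD = timedelta(hours=12)       # assumption: the page says only "within hours"

# Constructed sample records; field names are hypothetical, not a GDS or ARC schema.
SAMPLE_TICKETS = [
    {"ticket": "T-0001", "issued": "2024-03-02T01:10:00+00:00",
     "first_departure": "2024-03-02T06:40:00+00:00", "routing": ["JFK", "CDG", "ABJ"]},
    {"ticket": "T-0002", "issued": "2024-03-02T14:00:00+00:00",
     "first_departure": "2024-04-20T09:00:00+00:00", "routing": ["ORD", "LHR", "ORD"]},
    {"ticket": "T-0003", "issued": "2024-03-02T15:30:00+00:00",
     "first_departure": "2024-03-02T19:00:00+00:00", "routing": ["IAD", "FRA"]},
    {"ticket": "T-0004", "issued": "2024-03-02T16:00:00+00:00",
     "first_departure": "2024-05-01T08:00:00+00:00", "routing": ["BOS", "CMN", "BOS"]},
]


def review_reasons(ticket, max_lead=MAX_LEAD):
    """Return the fraud indicators from this page that the ticket record matches."""
    reasons = []
    hits = sorted(WATCH_AIRPORTS & {a.upper() for a in ticket["routing"]})
    if hits:
        reasons.append("routing includes " + "/".join(hits))
    lead = (datetime.fromisoformat(ticket["first_departure"])
            - datetime.fromisoformat(ticket["issued"]))
    # A negative lead means bad data, not a short-notice departure.
    if timedelta(0) <= lead <= max_lead:
        reasons.append(f"departs {lead.total_seconds() / 3600:.1f} h after issuance")
    return reasons


def triage(tickets, max_lead=MAX_LEAD):
    """Flagged tickets, most indicators first, then earliest departure first."""
    flagged = [(t, review_reasons(t, max_lead)) for t in tickets]
    flagged = [(t, r) for t, r in flagged if r]
    flagged.sort(key=lambda tr: (-len(tr[1]),
                                 datetime.fromisoformat(tr[0]["first_departure"])))
    return [(t["ticket"], r) for t, r in flagged]


if __name__ == "__main__":
    for ticket_id, reasons in triage(SAMPLE_TICKETS):
        print(ticket_id, "->", "; ".join(reasons))
```

A match is a prompt for manual review, not proof of fraud; legitimate bookings can match either indicator.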
WHAT IS AN UNAUTHORIZED/STOLEN TICKET?
Agent states in writing that
1) they did not issue or authorize these e-tickets to be issued, and
2) they did not collect payment for these e-tickets.
Phishing or Spear-Phishing Emails
There are two main types of fraudulent emails. Phishing emails are directed toward a broad spectrum of recipients. Spear-phishing emails are aimed at individual email accounts.
A phishing email appearing to be from your GDS entices you to click on a link for additional information. You are directed to a convincing (albeit counterfeit) GDS login page where you are instructed to log in using your credentials. The fraudster now has your login information to issue tickets, review data and perform other activities in your GDS. Once you have entered your credentials on the bogus login page, you will likely be redirected to the legitimate GDS login page. You will assume that you mistyped your ID or password and simply need to enter it again, which convinces you that the link in the phishing email was legitimate.
Alternatively, the phishing email requests that you provide additional information for security by clicking a link. Once you click, you are presented with a multipart questionnaire, including fields for your agency name, address, telephone number, agency code number, login ID and password. Once you complete the form, the fraudster has your credentials to issue tickets, review data, and perform other activities in your GDS.
If you or your staff have clicked on a link and entered your GDS credentials, it is important that you change your password immediately using your known GDS bookmark or desktop icons, and notify your GDS and ARC. When in doubt, don't click on links in any email! Instead, use your own Internet browser bookmarks or desktop icons to access websites.
Phishing and spear-phishing emails:
HINT: Point your mouse over the link and hover, but don't click. A pop-up box will show the real URL.
Never give your agency code number, GDS login ID or password to a caller!
A fraudster, posing as a representative from a GDS or ARC, calls or emails an agent stating that there is a problem or error. The caller then asks for the agent's GDS credentials or agency code number in order to help get the issue resolved. This type of fraud is known as social engineering.
There may be a legitimate reason for someone to ask for your information, but there is never a valid reason to ask for both a login ID and password. If you ever feel uncomfortable about providing information, advise the caller that you will call the valid phone number to answer any appropriate questions.
How to Identify and Prevent Fraudulent Ticketing
Because fraudulent tickets are issued for immediate use, time is critical.
Provide contact information for 24/7 emergency notifications.
Develop or update your agency's information security policy.
Consider using a layered approach to security:
Develop or update your agency's policy for GDS access.
Take advantage of training and advisories.
We cannot guarantee that the implementation of these proposed preventive measures will serve to eliminate ticketing fraud. However, it has been our experience that agents who have taken the steps provided have realized the benefits of enhanced security and an educated staff able to recognize attempts to obtain unauthorized access to tickets. ARC and the GDSs remain dedicated to helping you enhance security and protect your agency from those who would commit acts of ticketing fraud.