What is travel data fraud?
Travel data fraud is when fraudsters take advantage of the online nature of the travel business to create fake bookings, bookings with stolen credit cards, and other scams for the purpose of personal gains. This means that they make bookings with stolen or fake credit cards, create websites to offer fake holidays or flights that don’t actually exist. This presents a big problem for OTAs and airlines because fraud can cause great reputational damage.
What are the most common frauds in the travel and tourism industry?
1. Fake travel websites
Fraudsters create a fake travel website to sell airline tickets, hotel rooms, vehicle rentals or package holiday deals. They can even clone apps and place them in third party websites, and use malware to take over the device once the app is downloaded.
Pro tip: Don’t book from a website you don’t recognize. Instead rely on a reliable TMC like GetGoing for all your business travel needs.
2. Cyber breaches
With the travel industry processing tons of sensitive data by the minute, cyber attackers use bots to target this information.
Pro tip: Cyber breaches are incredibly damaging to your reputation so be sure to have a strong series of protections in place. Hire an IT security professional, the investment is worth it.
3. Charges with stolen credit cards
Making travel puchases with stolen credit cards may be one of the easiest (and most damaging scams). Normally the scam starts by phishing for credit card information and identifying personal details. This can result in chargebacks and a tremendous loss of revenue for travel providers.
Pro tip: Monitor your credit card payments, and have a series of controls in place like captcha or one-time codes to avoid possible threats.
4. Account takeovers
An account takeover happens when an attacker manages to get a hold of a travel agent’s account and makes transaction posing as the travel agent.
Pro tip: Use a VPN and two-factor authentication for logging in to GDS and other travel platforms.
What travel managers and travelers should know about data fraud
Most travelers are not even aware of what happens to their travel data, when they book business or leisure trips. Don’t assume booking your trip through an online travel agency, ends your data journey there. In fact, your data may be forwarded to several suppliers, including airlines, hotels, rental cars, rail, loyalty program providers, and others.
Then whenever you book a ticket with a credit card, the relevant information is shared with the credit card company and billing office. Same if you make a duty-free purchase at the airport – the store captures details of your purchase, including your name, airline ticket information, destination and credit card number. And if you’re traveling to a destination where your travel data must be sent in advance, so that you may enter, your data is shared with authorities and organizations of the respective country.
You got the point, data fraud is a real threat – your data is being collected, processed, used, and stored multiple times. And it’s vulnerable to attack or to be compromised in each situation.
What can companies do to protect their employees
A best practice for companies is to always find out how the travel agency or travel management company protects data against three basic threats: loss of availability, integrity, and confidentiality. Companies should expect travel agencies to provide a fully integrated and audited Information Security Management System (ISMS) for threat protection.
Beware of data fraud from fraudsters posing as CEOs
Companies should be aware of so-called “CEO Fraud” messages. The sender poses as a member of management and tries to get an employee to perform a certain action, such as transferring a certain amount of money to a certain account. Sometimes they can pretend to be a CEO and use a phishing email to convince a travel agent to book multiple round-trip flights. Often, fraudsters are successful with their tricks by exploiting the willingness of an employee to help their boss.
Work with a TMC that has strong anti-fraud policies
It’s important for companies when looking with a travel management company (TMC) to work with that they consider the protections the TMC provides. In the case of GetGoing, we check bookings with IATA Perseuss, the world’s leading fraud intelligence platform, allowing airlines and other suppliers to work together to identify and combat fraudulent activity. If GetGoing detects a fraudulent booking, we initiate a cancellation and communication process.
Educate employees on how to detect emails from fraudsters
We all need to be on the lookout for phishing, fake emails or messages that try to trick us into falling for a scam. However, detecting the emails has become much harder. The scammers are intelligent and DarkNet programs are designed to bypass antivirus detection products. It remains a “cat-and-mouse game” between the scammers and the information security industry.
What should business travelers look for?
If you’re taking a business trip, keep these four tips in mind:
- Go secure: Don’t log in to corporate accounts over free public Wi-Fi hotspots. The information is vulnerable to interceptions.
- Go paperless: Keep itineraries and travel documents on your password-protected mobile device.
- Go humble: Don’t share travel dates and locations on social media. This information can be used by fraudsters for social engineering attacks.
- Go quietly: Don’t talk loudly about business in public places like the hotel bar or on the train on the phone. You would be amazed at the information one gets just by listening. And be on the lookout for “shoulder surfers” – anyone glancing over your shoulder to steal information.
Want to find a travel management platform that does the heavy lifting for you, while keeping your data safe?
Note to consumers or potential employees: Please do not respond to anyone asking for funds for remote work jobs since these are illegal phishing attempts not representing BCD Travel or its website getgoing.com. BCD would never ask for money in advance of employment. If you have been a victim of this phishing attack, please contact local law enforcement.