Today, consumers rely more than ever on ecommerce for their travel and airline purchases … but fraudsters rely on consumers and businesses not seeing them coming. In 2021, Insikt Group identified the following as the primary types of fraudulent methods and activities targeting airlines and hotels worldwide:
The upsurge in travel has also brought a commensurate uptick in the theft of airline mileage reward points, website credentials for travel websites and travel-related database breaches.
In addition, airlines and online travel agents, like all merchants, are challenged by account takeover (ATO) fraud, which occurs when a fraudster uses a piece of a victim’s identity, like their Social Security number or email address, to access and take over the victim’s account. ATO fraud can be accomplished through a number of means, including phishing, installing malware, stealing credit card data or hacking mobile phones.
Big-ticket and popular travel items — like vacation packages and last-minute airfare — put those in the travel industry at the biggest risk for chargebacks. The big price tags result in a heavy financial hit and merchants also bear the cost of the employee’s time and effort when customers file chargebacks. Fraud in the airline and travel segments is especially painful as margins are very low.
Products in the airline and travel vertical, such as airline tickets and hotel reservations, are at particular risk for fraud because they are sold in digital form.
Fraud related to these products is much more difficult to detect because there are fewer standard data points to review (e.g., there is no physical shipping address, and the same “product“ can have huge variations in price). In addition, many fraud prevention systems are based on detecting mismatches: incongruous data points within an order, such as a billing address in a country other than the origin of the IP address where the order was placed. However, such misalignments are common in the travel industry, even in legitimate orders; buyers book hotels and flights on the fly, resulting in unusual IP data, for example.
Travel service providers (card-accepting merchants) tend to separate the sales of flights or travel products from extra services (add-ons). Therefore, most of the reservations the consumer makes, along with other extras, come from different channels, payment methods, dates, etc.
As a result, what was once a single transaction is now a fragmented transaction encompassing different sets of validating information.
This increases not only fraud prevention complexity, but also the commercial disagreement risks, where customers take advantage of the gaps of this multi-channel system to debit the company with the excuse that the operation was unknown or questioned by the bank or the cardholder.
Loyalty fraud happens when a fraudster uses a customer’s loyalty points to redeem benefits. Similarly, coupon or promotion abuse involves a fraudster creating multiple accounts to take advantage of an offer or coupon multiple times. These types of policy abuse are tough to spot, especially when they stem from ATO fraud or are perpetrated by large-scale crime rings and mass registered fake accounts.
According to the Loyalty Security Association (LSA), 72% of loyalty program managers have experienced issues related to fraud. Fraudulently redeemed frequent flyer miles explain the reach of the problem: Research from the LSA found that 1% of redeemed miles are fraudulent, representing a $3.1 billion problem globally.
The CardNotPresent blog reports, “Loyalty points obtained through fraudulent means are also offered up for sale on the dark web for a fraction of their value. For example, in a Hilton Honors hack, 250,000 points sold for $3.50 on the dark web. Some experts say that ATO fraud is the most common type of loyalty program fraud.”
Fraudsters are persistent in looking for travel agency weak links. They will tirelessly explore differences in fraud screening practices between websites, between channels and between agencies. Common targets include mobile bookings, loyalty programs and ticket exchanges.
Online bookings are the largest vector for fraud, with phone bookings a close second.
The often last-minute nature of booking travel arrangements presents a major headache for agencies trying to detect fraud. The short timeframe and odd hours leave little leeway for a thorough fraud review.
The expression "fraud loss" can be defined as the incurred loss, cost or expense that is not reimbursed and arises out of the fraud committed. North America has been aggressive in fighting fraud, as the chart below shows. More vigorous efforts in other regions will reduce revenue loss in these areas.
Travel and airline ecommerce transactions come with some unavoidable risks by their nature. ClearSale Executive Vice President Rafael Lourenco points to some of the most common:
Most ecommerce fraud prevention systems rely on data mismatches to identify fraud, but those mismatches are as likely to identify legitimate customers as fraudsters. It is common in travel for legitimate consumers to buy tickets for third parties, and incongruous data is the norm rather than the exception. This makes distinguishing authentic transactions from fraudulent ones increasingly difficult.
“Fraudsters love to make their bookings after 6 p.m. or before 8 a.m. — exactly when many fraud analysts are off duty. Fraudsters also frequently make their purchases within three days of the actual travel date. This quick turnaround leaves little leeway for a thorough fraud review.”
When consumers book flights or other travel services, they often purchase “extras” for the same trip (like advance check-in, seat upgrades or checked luggage) as separate transactions, often through different channels, on different dates and even using different payment methods. These fragmented transactions make it harder for merchants to prevent fraudulent transactions.
As an airline or a cruise ship nears its departure date and finds itself with empty seats or cabins, the company may be more willing to accept risk and approve potentially fraudulent transactions. But word of easy targets spreads fast. Once a fraudster successfully commits online fraud against a travel company, they may take to the dark net to share their tips, increasing the volume of attacks.
The popularity of loyalty programs has attracted the attention of scammers who use ATO or identity fraud to steal and resell (or cash in) unused reward points. With travel off the agenda during the pandemic, most people weren’t checking their frequent flyer mileage — and fraudsters took the opportunity to steal points unnoticed.
Fraudsters purchase duty-free products while onboard using counterfeit credit cards, knowing onboard payment terminals are offline and no authorization request can be carried out. The goods are then re-sold at a markup.
One criterion fraud prevention tools use to identify a fraudulent transaction is whether the shopper’s geographic location is near the billing address on file with the bank. Obviously, travelers making purchases while on a trip can experience a lot of false declines if this test is used, creating major issues from a brand loyalty and reputation perspective.