Airline Ticketing Fraud Scam Resurfaces After 7 Years

Airlines Reporting Corporation (ARC) is cautioning travel advisors that, over the past seven months, an airline ticketing fraud scheme has resurfaced after remaining dormant since 2014.

ARC said that its fraud detectors had identified approximately 80 instances of unauthorized ticketing through mid-September, together representing around $1.2 million in illegal sales.

ARC’s manager of fraud investigations, Doug Nass told Travel Weekly that successful unauthorized ticketing attacks typically see the scammers issuing between five and ten airline tickets using an unsuspecting travel advisor’s global distribution system (GDS) credentials. He said the average value of those tickets tends to be between $800 and $1,200. The targeted victims have most frequently been small and midsize travel agencies, he said, as well as large ticket consolidators.

To obtain the victim’s GDS credentials, the crooks send phishing emails to their travel advisor targets, which claim to be official communications from one of the three major GDSs—Travelport, Amadeus and Sabre. In a webinar earlier this month, ARC presented one example where the fraudsters impersonated Sabre using the subject line “Sabre System Upgrade Notification Letter”.

The counterfeit communication read: “Sabre is adding a new level 3 of security at time of signing into the reservations system. All users are required to enter a member login information (sic). Once you are logged in, Sabre will be notified that Sabre Red Workspace has been confirmed.” The recipient was then prompted to follow a link (a common phishing tactic) where they would enter their Sabre credentials.

Nass disclosed that the con artists have been masquerading as two of the three major GDSs, thus far; although he wouldn’t say which was the second being spoofed besides Sabre. Apparently, ARC hasn’t granted him authorization to release that information.

Travel Weekly reported that both Sabre and Travelport declined to offer any comment on the situation, while Amadeus did respond, but didn’t directly address the issue. “Since the outbreak of the Covid-19 pandemic, we are seeing a growing number of malicious attempts in the cybersecurity space,” the company said. “We are working hand in hand with our customers, guiding them with a set of practical security controls and measures they can easily take during these challenging times.”

Nass and ARC’s Director of Revenue Integrity, Cornelius Hattingh, agreed that the fraudulent activity appears to be based in West Africa, with tickets being issued for departures from airports in Casablanca, Morocco; Dakar, Senegal; Abidjan, Ivory Coast; and others.

Due to their location, the scammers often succeed in covertly selling tickets using a travel advisor’s credentials during what are the overnight hours in the U.S. By the time agents get back to work the next day, those buyers have already boarded their flights, and the travel agency is left holding the bag.

Hattingh said that, in some instances, ARC may work with the victimized agency by attempting to void the fraudulent transactions. “If a person is already flying, we ask the agent to engage with the airline directly for a refund. It becomes a tricky environment,” he said.

Nass said travel advisors should exercise increased caution to avoid falling prey to such scams. In particular, he advised that no one should ever click on an emailed link unless it’s part of an email they were already expecting. Also, it’s important to check the sender’s address to be sure it’s originating from a known URL.

Phishing emails will often come from an address containing an unfamiliar domain, or one that is misspelled or differs only slightly from the one belonging to the company they’re spoofing.

Nass also said that travel agencies should shore up their training and ensure that every employee with access to its GDS credentials is aware of this scheme.