How to stop the travel scammers taking you for a ride

These days, you can find almost anything you need on the cyber-crime underground. From illegal narcotics to guns, false passports and even fake-news-as-a-service packages designed to sway elections — it's all there if you know where to look. Increasingly, so too are illicit travel services paid for via stolen credit cards, hacked loyalty programme accounts, and fraudulent redemption of coupons. With such enticing offers spanning both the dark web and legitimate social media, this has become big business for the scammers. 

The travel industry needs to act swiftly: the airline sector alone faces estimated losses of €1 billion a year from ticket fraud. It's time to improve fraud prevention and get better at dealing with attempts to hack back-end systems.

Bargains galore

Today's consumers increasingly aspire to live the globe-trotting lifestyles of the rich and famous but simply don't have the income to do so. That's a gap in the market which some cyber-crime entrepreneurs are only too happy to fill. All over the world, dark web sites, underground forums, social networks and even Telegram channels are filled with incredible discounted offers. 

Everything from flights and hotel accommodation to theme park tickets, tours, taxi rides and even restaurant loyalty cards is available if you know where to look. Underground travel agencies typically offer flights and hotel rooms at 30 to 50 percent off the regular price. Flights are often booked via stolen frequent flyer miles or travel points, bought at the last minute so the airline doesn't have time to spot the fraudulent transaction before the customer boards.

Stolen membership card details also fuel the illicit trade in cheap car rental services, while hijacked loyalty card accounts are offered to users on dark web sites like Dream Market, giving them the chance to book luxury hotel breaks for up to 70 percent off the regular price. We've also observed hackers selling corporate employee discount codes. One underground seller even offers fake ID cards that bear the names of these corporates, in case they are requested on check-in. 

Hitting the industry hard

It's easy to see why even some well-meaning consumers might fall for some of the deals on offer. If you want to travel from LA to Moscow for the 2018 FIFA World Cup, you need only spend £350 for a return ticket — that's about half the normal price — and just £40 for a hotel; a 40 percent discount. Just £3.50 will cover airport pickup and departure drop-off — a discount of around 30 percent.

Perhaps you'd prefer to visit Walt Disney Resort in Florida? For two adults and two children travelling from Madrid, it would only set you back £800 for return flights, hotel accommodation, and tour passes. 

With prices like these on offer, it's not surprising that this illicit trade could seriously threaten the travel industry. Industry estimates suggest €1bn annual losses to the airline industry through ticket fraud. A crackdown by Europol last year over just three days in June resulted in 153 people being detained and denied boarding. Similarly, 55 million hotel reservations were booked on rogue websites in 2016, at a cost to the industry of £2.9 billion, according to the American Hotel & Lodging Association.

What you can do

So if you're an airline, hotel company, taxi service or any stakeholder in the sector at risk from the black market in illegal travel services, what can you do? The first important step is to raise awareness amongst consumers about these services. It's important that they understand the repercussions of buying from underground travel agencies. Whilst some get away with it, there's also a high risk that a dream holiday could end in tatters, with zero prospect of compensation.

Next, follow best practices for fraud prevention to stop any bookings being made by imposters. Be particularly alert to 'customers' who book outside normal working hours; foreign nationals who book on behalf of others registered in a different country; and customers transacting with different names but the same address.
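The three warning signs above can be expressed as simple review rules over booking records. The following is an added example, not code from the author or any vendor; the field names, the 08:00 to 18:00 working window and the sample bookings are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample bookings; every field name here is an assumption.
BOOKINGS = [
    {"id": "B1", "booked_at": "2018-05-02T14:10", "booker": "A. Jones",
     "booker_country": "GB", "traveller": "A. Jones",
     "traveller_country": "GB", "address": "1 High St, Leeds"},
    {"id": "B2", "booked_at": "2018-05-03T03:25", "booker": "M. Dupont",
     "booker_country": "FR", "traveller": "L. Garcia",
     "traveller_country": "ES", "address": "22 Elm Road, Madrid"},
    {"id": "B3", "booked_at": "2018-05-03T10:00", "booker": "J. Smith",
     "booker_country": "GB", "traveller": "J. Smith",
     "traveller_country": "GB", "address": "7 Oak Ave, Bristol"},
    {"id": "B4", "booked_at": "2018-05-03T11:30", "booker": "K. Brown",
     "booker_country": "GB", "traveller": "K. Brown",
     "traveller_country": "GB", "address": "7 oak ave,  bristol"},
]

WORK_START, WORK_END = 8, 18  # assumed working hours, in the timestamp's zone

def normalise(addr):
    """Fold case, commas and spacing so trivially varied addresses match."""
    return " ".join(addr.lower().replace(",", " ").split())

def flag_bookings(bookings):
    """Return {booking id: [reasons]} for bookings that merit manual review."""
    names_by_addr = defaultdict(set)
    for b in bookings:
        names_by_addr[normalise(b["address"])].add(b["booker"].lower())
    flags = {}
    for b in bookings:
        reasons = []
        hour = datetime.fromisoformat(b["booked_at"]).hour
        if not WORK_START <= hour < WORK_END:
            reasons.append("outside_hours")
        if (b["booker"] != b["traveller"]
                and b["booker_country"] != b["traveller_country"]):
            reasons.append("cross_border_third_party")
        if len(names_by_addr[normalise(b["address"])]) > 1:
            reasons.append("shared_address")
        if reasons:
            flags[b["id"]] = reasons
    return flags

if __name__ == "__main__":
    print(flag_bookings(BOOKINGS))
```

Each signal is weak on its own, so the output is a queue for review rather than a reason to refuse a booking.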

Finally, it's important to ensure your organisation is fully set up to deal with attempts to infiltrate corporate booking systems via malware and phishing attacks against employees. Keep staff training and awareness programmes regularly refreshed, ensure all servers are patched and up to date, and perform regular pen tests to see where any security gaps are. Best practices demand a layered defence model whereby technologies like Web Application Firewalls (WAFs) sit alongside network-layer (web proxy, firewall, IPS) and host-based defences (anti-malware, behavioural monitoring, DLP).

If those hackers also make off with customer or employee PII, you might also find yourself on the wrong end of a GDPR investigation after 25 May. So it makes sense to act now.

Contributed by Bharat Mistry, principal security strategist at Trend Micro.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.