Ecommerce presents tremendous opportunities for businesses and customers, but they go hand-in-hand with new threats. As technology advances, so do the methods of digital fraud. Payments that are made online in advance are particularly prone to attack.
Recent research from IBM showed that travel and transportation is the second-most targeted industry for online hackers. Fraudulent online activities cost the industry billions of dollars every year in direct losses, higher operating expenses, reputational damage, and other indirect costs.
Around 60% of travel intermediaries surveyed in a global study commissioned by eNett International in late 2017 recognized fraud as a major concern when making payments to suppliers. The three most-cited cases were stolen payment method details, cyber breach of online booking platforms, and stolen security credentials.
According to the Fraud Attack Index released by the ecommerce fraud prevention leader Forter in October 2019, fraud attack rates against airlines increased by 61% over the last year. This may be attributed to the rise in loyalty program issues and data hacks which made information of thousands of customers available for committing airline ticket frauds. Attacks against ground transportation have risen by 38%. The reason may be that car rentals and ride services have been removing some traditional barriers, such as proof of identity, from the customer journey.
Luckily, travel businesses can protect themselves with modern online fraud prevention tools without compromising the customer experience. Let’s examine some of the most common threats along with fraud management methods.
The methods which fraudsters use for extorting money and valuable information from travelers and companies include, but are not limited to:
A fraud attack typically begins with obtaining consumers’ credit card numbers and identifying information. Identity theft was the third-most-common type of fraud in the United States in 2018, accounting for 15% of the nearly 3M fraud cases reported to the Federal Trade Commission. Criminals are stealing cardholders’ information through data breaches, card skimming, or malicious programs installed on legitimate websites. The numbers of credit cards and other data end up in the black market, where others buy them to perpetrate online purchase frauds.
Scammers buy tickets to resell on darknet marketplaces or even for cash in the open. Vendors scan the numbers and since the cardholders have not reported their cards as stolen, the numbers clear. Stolen credit cards form a volatile combination with last-minute booking because it leaves airlines, hotels, or online travel agencies (OTAs) less than 48 hours for possible fraud detection. Scammers often buy a ticket the day before departure and promptly check in for the flight online. They know that even if the OTA detects the fraud, the airline would hardly deny boarding to a confirmed passenger.
Using stolen credit card data, scammers buy refundable tickets. Then, they call to cancel and cash in on the refunds. In particular, they have been actively abusing ground transportation return policies, cashing in on stolen online train and bus tickets upon return at the stations. When fraudsters cancel airline tickets, they still earn the bonuses which they can resell or use to buy legitimate tickets.
Fraudsters create fake travel agencies, and then either purchase tickets or place holds on them with fake credentials. Travelers pay full prices for these fraudulent tickets only to find out that their airfare is fake or has been reported as fraudulent. When they try to seek reparation, the fake agency would not be there any longer.
Account fraud is one of the fastest-growing and costliest threats for ecommerce. Knowing that people often use the same email and password combination for multiple accounts, hackers use databases of stolen credentials in attempts to log into a travel website. Otherwise, they may apply large volumes of data to ‘guess’ the right credentials via trial and error. Both methods are used to take over accounts and steal customer information or resources, e.g., loyalty points and miles.
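The two login patterns described above look different in authentication logs, and a defender can separate them. The following is an added example, not code from the original article: the event format, the function name `classify_sources` and all thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (timestamp_s, source_ip, username, success)
SAMPLE_EVENTS = (
    [(i * 2, "203.0.113.7", f"user{i}@example.com", i == 17) for i in range(30)]
    + [(100 + i, "198.51.100.4", "alice@example.com", False) for i in range(12)]
    + [(50, "192.0.2.10", "bob@example.com", False),
       (65, "192.0.2.10", "bob@example.com", True)]
)

def classify_sources(events, window_s=300, min_failures=10, stuffing_accounts=10):
    """Label each source IP by the first burst of failed logins it produces.

    Many failures spread over many accounts suggests reuse of a stolen
    credential list; many failures on few accounts suggests trial-and-error
    guessing. Thresholds are illustrative assumptions, not recommendations.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, rows in by_ip.items():
        failures = [(ts, user) for ts, user, ok in rows if not ok]
        label, start = None, 0
        for end in range(len(failures)):
            # Slide the window so it never spans more than window_s seconds.
            while failures[end][0] - failures[start][0] > window_s:
                start += 1
            window = failures[start:end + 1]
            if len(window) >= min_failures:
                users = {u for _, u in window}
                label = ("credential_stuffing" if len(users) >= stuffing_accounts
                         else "password_guessing")
                break
        if label:
            # A success from a flagged source is a likely takeover: review it.
            to_review = sorted({u for _, u, ok in rows if ok})
            findings[ip] = {"pattern": label, "accounts_to_review": to_review}
    return findings

if __name__ == "__main__":
    for ip, finding in classify_sources(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Accounts listed under `accounts_to_review` are the ones where a password reset and a check of loyalty point or miles balances is most urgent.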
When fraudsters are able to obtain complete user information, they typically try to impersonate that individual for online purchase frauds. If only partial information is available, they create synthetic accounts by combining data from multiple cardholders.
Modern travel agencies are dependent on global distribution systems. Amadeus, SABRE, and Travelport are ‘motherboards’ for hundreds of computerized reservation systems for airlines, hotels, and other vendors. Unfortunately, criminals can acquire a travel agent’s booking system login on the dark web as well. Such logins are usually obtained through phishing: the agent receives an email, apparently from an online payment processor or another trusted source. The phisher asks for email login data or other essential information. If they succeed, they can monitor the agent’s email, looking for a chance to interfere in a transaction.
Besides having their username and password stolen, a travel agent may willingly hand them over to a swindler. The latter can then make fraudulent bookings using the agent’s credentials and stolen credit cards.
The hotel, villa or chalet exists only online. The swindler creates a simple website and uses a burner phone number that allows individuals to book rooms and pay over the phone. The swindler may also use stolen credit cards to book the rooms on an OTA’s website. The OTA will receive chargebacks for bookings after making a payment to the fake hotel. By this time, the swindler will have withdrawn the funds and will ignore all contact attempts.
Collusion between a hotel and a fraudster using stolen credit cards may take place. The hotel raises prices for its rooms, and the fraudster books them through an OTA. The OTA becomes responsible for paying the chargebacks at the higher prices. If the OTA tries to find out how the hotel booked non-existent people, the hotel will have all the false documentation.
Online shoppers can deliberately abuse the chargeback process to get something for free. Hotel booking chargebacks are rampant, and they can affect travel intermediaries as well. For example, a customer purchases an expensive vacation package through a travel agency, but even one aspect of the experience can make them demand a chargeback on the entire vacation.
In some cases, purchases are made with the intent to file a chargeback later. The fraudster would take a flight and deny it when the airfare appears on a credit card bill. They may persuade the card issuer to cancel the transaction, and since not every OTA will fight back, it would have to pay the bill for the flight.
Any tourism-related company that processes large quantities of customer data can be the target of an attempted breach. It can damage the company’s reputation and leave it open to possible legal action.
The increasingly sophisticated and frequent bot attacks on travel sites are intended to access sensitive customer data or to give an advantage to dishonest competitors.
For example, unscrupulous entrepreneurs may send bots to scrape pricing on competitor sites. Then they would automatically update their own website to show a lower price. Scalping bots buy up the entire supply of an offer on site to resell it at a higher price. Seat spinning bots hold or block multiple airline reservations without paying for them to prevent legitimate customers from doing so. Scraping bots can also copy a website’s entire contents to resell or reuse them for fraudulent purposes.
New tricks and techniques emerge regularly, and travel businesses are responding by developing new fraud protection methods and adopting new instruments.
Every transaction is examined for multiple fraud indicators, generating a composite score as a level of risk that the transaction represents. At checkout, companies focus on:
Combined with user verification, fraud scoring tools enable companies to reject transactions that raise too many red flags automatically.
Order rescreening is important too: all order modifications should be monitored and evaluated for fraud.
Getting a complete customer profile helps businesses avoid much trouble. OTAs and other companies garner tons of data from their customers and transactions, including:
User verification is done through:
Double-checking the suppliers before making payments helps mitigate the fake hotels problem. OTAs need to check their business license, online Google Business reviews, or just see the Google Street View of the supposed hotel location. It’s also important to check for a possible correlation between increases in hotel prices and booking activity, which may indicate a hotel price spike scam.
Modern online fraud detection is primarily about pattern recognition, so machine learning (ML) becomes the backbone of fraud protection strategies. ML models learn to recognize patterns and predict outcomes. The method may help highlight behavior anomalies in real time, flag an ATO risk, help evaluate the transaction’s riskiness, and block it before it becomes a chargeback.
In the milliseconds between an online transaction and an automated decision, a fraud prevention system adds countless data elements to each transaction record: all transactions and results associated with the transaction’s IP, email address, physical address, device, products purchased, number of tickets in the transaction, distance from purchase location to departure airport, the time between purchase and check-in and departure, and other travel-related data elements. This way, ML algorithms can identify thousands of signals for hundreds of fraud schemes and attack vectors, including inside fraud. For example, multiple departure/destination airport pairings are suspicious. ML algorithms also score the transactions based on what they have learned from other frauds. Transactions that raise certain combinations of red flags can be rejected outright or set aside for manual review.
The more data the company has, the better the algorithms will be at detecting signs of fraud. Over time, their speed and accuracy will grow, and they will learn to detect new signals to keep pace with new travel scams. Since companies find out about scammers after the fact through bank account reconciliations, chargebacks, or empty seats, continuous feedback is essential. It’s beneficial to share databases with multiple travel agencies, airlines, and other travel firms. Once a network member identifies fraud, the perpetrator’s digital identity and history become available to all. More online and call center transactions, with more logged results from more companies, will generate more accurate fraud decisions.
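To make the scoring step concrete, here is an added example (not code from the original article or from any vendor) that combines the signals named above into a composite score with approve, review and reject outcomes. It uses fixed hand-set weights in place of a trained ML model; the field names, weights and cut-offs are assumptions, and the bookings are constructed.

```python
import math
from datetime import datetime, timedelta

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def score_booking(booking, history):
    """Return (score, decision, reasons); weights and cut-offs are assumed."""
    hits = []
    if booking["departure"] - booking["purchased"] < timedelta(hours=48):
        hits.append((30, "last_minute_purchase"))
    if booking["tickets"] >= 4:
        hits.append((15, "many_tickets"))
    if haversine_km(booking["purchase_geo"], booking["airport_geo"]) > 1000:
        hits.append((20, "purchase_far_from_departure_airport"))
    # Distinct airport pairings seen for this card/device, including this booking.
    routes = {(h["origin"], h["dest"]) for h in history}
    routes.add((booking["origin"], booking["dest"]))
    if len(routes) >= 3:
        hits.append((20, "multiple_airport_pairings"))
    if any(h["chargeback"] for h in history):
        hits.append((40, "prior_chargeback_on_identity"))
    score = sum(points for points, _ in hits)
    decision = "reject" if score >= 70 else "review" if score >= 40 else "approve"
    return score, decision, [reason for _, reason in hits]

# Constructed sample data (not real bookings).
NOW = datetime(2024, 5, 1, 12, 0)
RISKY = {"purchased": NOW, "departure": NOW + timedelta(hours=20), "tickets": 5,
         "purchase_geo": (52.52, 13.40), "airport_geo": (40.64, -73.78),
         "origin": "JFK", "dest": "MIA"}
RISKY_HISTORY = [
    {"origin": "LAX", "dest": "ORD", "chargeback": False},
    {"origin": "SFO", "dest": "SEA", "chargeback": False},
]
ROUTINE = {"purchased": NOW, "departure": NOW + timedelta(days=30), "tickets": 2,
           "purchase_geo": (52.52, 13.40), "airport_geo": (52.36, 13.50),
           "origin": "BER", "dest": "LIS"}

if __name__ == "__main__":
    for name, b, h in (("risky", RISKY, RISKY_HISTORY), ("routine", ROUTINE, [])):
        print(name, score_booking(b, h))
```

Returning the list of reasons alongside the score lets a manual reviewer see why a booking landed in the review queue.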
Machine learning is beneficial for sales growth as well. Some airlines reportedly reject up to 25% of legitimate orders suspecting fraud. A good fraud prevention tool will pass a higher percentage of safe transactions.
Usually, companies notice bad bot activity due to abnormal spikes in traffic on their websites and apps, or when the amount of traffic during peak times is higher than expected. To curb illegitimate traffic, some implement infrastructure-level protections or, if the traffic levels are low, manual bot filtering. However, it is very resource-consuming. Real-time protection against bots requires an integration of various methods, such as:
Unfortunately, it’s impossible to prevent chargeback abuse. The only response is to fight back through chargeback representment. OTAs need to submit compelling evidence to prove the transaction was legitimate and should be upheld, including:
Online fraud is rampant in the tourism and travel industry. Manual review queues are not efficient enough to keep up with the growing online business. The cost of falsely declined transactions may exceed the total cost of fraud. As online fraudsters are shifting their efforts earlier in the customer journey, travel businesses need to respond by implementing a continuous fraud prevention approach that automatically assesses events and provides protection throughout the entire customer journey.
Travel businesses have been innovators and investors in pre- and post-transaction anomaly detection and risk-scoring. There are instruments that increase the efficiency of manual review teams and entire SaaS fraud detection platforms that can stop suspicious transactions at the booking request stage, flag them, and even cancel them. With best practices in place, companies can also learn how to avoid disputes caused by merchant error and criminal fraud. However, innovative enterprises turn to fraud prevention solutions that combine technological advances to detect payment fraud, account takeover, phishing, and other threats across thousands of transactions in real time. Careful data analysis enables smarter fraud prevention, and machine learning algorithms applied to transactions not only recognize legitimate and fraudulent transactions but also reveal trends and developing threats. Systems that incorporate ML models and AI are equipped to deal with massive amounts of data and to improve overall decision results over time.
Fraud management mechanisms and a secure digital infrastructure are vital components of modern business management, and only coordinated, carefully planned adoption of different tools allows addressing online travel fraud effectively. A data-informed, multilayer approach helps to prevent fraud attacks without increasing false declines. Besides fraud reduction, an effective platform minimizes the number of transactions reviewed and the time required for each review. Automated fraud prevention does not add any friction to the customer experience regardless of the season. As AI and ML tools are evolving, companies are increasingly capable of reducing manual reviews and increasing margins. The integration of such solutions also facilitates simplified reconciliation, reduced risk of supplier default, and accelerated payment processes. It frees travel companies from infrastructure resource waste and lets them concentrate on business growth.