The travel industry continues to be targeted by cybercriminals.
It’s more important than ever to ensure that your data is secure, and that includes data held by travel companies and loyalty programs.
Cybercriminals are targeting the travel industry more than ever. In 2021, Insikt Group observed approximately 4,000 references related to fraudulent activities targeting airlines and hotels worldwide.
Criminals are creative, and the fraudulent methods being used are often hard to detect.
These bad actors use several methods, including advertisements for fraudulent travel agency services, listings of compromised accounts that contain rewards points, phishing and scam websites used to harvest PII and travelers’ data, advertisements for counterfeit COVID-19 vaccination statuses and certificates, and the use of compromised payment methods to purchase flight tickets and book hotels and other services.
Travel advisors as well as consumers need to be careful. According to a report in Travel Weekly in 2021, ARC had found approximately 80 instances of unauthorized ticketing, accounting for approximately $1.2 million. In the report, it was also noted that criminals often use compromised account credentials from the travel advisor’s global distribution system (GDS).
Threat actors also pose as fake travel agencies to obtain information on travelers as well as money, in addition to using fake credit cards to purchase airline tickets. They also advertise tickets for discounted prices on social networks, according to a new report from Insikt Group, “The Business of Fraud: Travel, Hospitality, and Loyalty Fraud.”
Loyalty fraud is another way travelers are targeted by fraudsters. According to Insikt’s report, cybercriminals aren’t just stealing your personal data for identity theft purposes but are also stealing hard-earned rewards points. They use the points for airline tickets or merchandise or cash them out.
Fraud within loyalty programs is especially hard to police for security professionals. According to Insikt, poor security associated with these programs makes them easy targets. Fraudsters usually obtain enough information, through social engineering or other means, to get access to these accounts and appear to be the genuine user. Often the victims won’t even know that anything has happened.
There are many shops on the dark web that advertise compromised airline accounts containing miles, hotel accounts with bonus points, gift cards and credit cards with linked bonus miles or points. Bonus miles can fetch a hefty price tag, too. Depending on the number of miles and the airline, prices for stolen miles can range from $6 to $200.
No aspect of the travel industry is immune to these attacks. In 2021, threat actors used phishing techniques to defraud users of the Transportation Security Administration’s (TSA) PreCheck, Global Entry and NEXUS application service websites. The first evidence of these attacks was identified in March 2021, Insikt noted in the report.
TSA screens passengers for criminal history and more, and charges a fee for passing quickly through airport security. Threat actors sent victims renewal reminders via email and urged them to submit an alleged application hosted on various domains and, as a result, stole their account login credentials.
Some of the domains that they used that were fraudulent include the following:
One of the newer scams, born of the pandemic, is the sale of fake vaccine cards.
Fraudsters use both dark web forums and marketplaces to sell COVID-19 vaccination certificates, passports, pre-departure PCR tests or other relevant documents that permit a person to bypass security/border measures in order to travel internationally, according to data from Insikt.
In order to mitigate the chances of being a victim of fraud, there are several steps travelers and travel agencies can take.
—Purchase airline tickets and book hotel reservations only on legitimate airline or well-known service provider websites.
—Do not use social media for purchasing airline tickets.
—Be aware of the common characteristics of and ways to identify a fictitious travel agency website. Many fake sites have URLs that use country-specific top-level domains (such as “.eu,” “.ru,” “.ua”) and sometimes display inactive icons (for example, “AppStore” or “Google Play”).
—Do not reply to unsolicited emails, texts, social media or calls with holiday or other gift offers.
—Communicate directly with the property owner or their agent and ask them questions about the booking, room, location and area of the property.
—Check the terms and conditions before making a purchase, in particular the refund policy and processes.