Fraud in the Travel Industry: Is Digital Footprinting the Solution?
Editor’s Note: “Fraud in the Travel Industry: Is Digital Footprinting the Solution?” was originally published in the latest edition of PERFORMANCE Magazine – Printed Edition. This article was written by Gergo Varga, Senior Content Manager / Evangelist at SEON.
Businesses in the travel and ticketing industry are seeing more and more customers buying travel tickets online rather than in person. With this convenience come some risks, creating the need to mitigate against established and emerging types of digital fraud alike.
Of course, fraud is not just an issue for ticketing companies but any industry that focuses on card-not-present transactions and services to streamline customer payments. However, there are different touchpoints and pain points in each sector, and you can only mitigate it if you know what kinds of fraud can hit your business and how you can deploy the right strategies to stop cybercriminals in their tracks.
According to Condor Ferries, online travel bookings now exceed $817 billion around the world in total worth, with an estimated 148.3 million individual bookings completed annually. Following this rise closely, travel and ticketing fraud has become an increasing problem for companies, with fraudsters usually targeting the online ticketing process itself.
Different Kinds of Fraud in Travel and Ticketing
Carding is one of the main types of fraud faced by companies. Carding involves the illegal acquisition of debit and credit card credentials and their use by fraudsters pretending to be the legitimate cardholder.
Tactics employed by fraudsters to gain this information from their victims include card cloning, RFID skimming, phishing, spyware, data breaches and BIN attacks. In the case of RFID skimming, for example, the public has been so concerned in recent years that companies like Duo have had to create guides explaining RFID blockers and similar devices to inform their customers. Fraudsters using a cloned card or stolen card information can then create an account on a website and attempt to buy tickets using it.
But why does this matter to companies selling travel and other types of tickets online? One concern is chargebacks. When the legitimate cardholder realizes a criminal has used their funds, they will ask the card-issuing bank for their money back. In these cases, the merchant ends up losing both the money and the ticket issued, as well as incurring certain admin fees to the bank.
Sometimes, fraudsters use ticketing websites for testing – to check whether the cards they’ve acquired illegally are still “live,” meaning that they haven’t already been frozen or canceled. This entails attempting a payment with each card number, usually small in value, then marking the ones that are still live and moving on to larger, more ambitious schemes with them.
Even when the money the ticketing service loses is small, this can have a knock-on effect because card-issuers keep track of what’s called a chargeback ratio, or how often a merchant incurs chargebacks. If it’s too often, they increase the standard processing fees the merchant pays for each payment – legitimate or not – and, in some cases, even ban merchants from using their networks outright. This means you can no longer serve customers paying with specific types of cards, such as Mastercard or Visa.
Criminals can also try to make a profit by reselling certain types of tickets (usually last-minute flight offers) on dark web marketplaces or via encrypted social media, such as Telegram, as explained in an article on the dark web on Peraton.
Other tactics that cybercriminals use on airline sites include booking a flight using card details that they’ve stolen and then canceling it. This is so that their account can still be credited with any adjacent bonuses and miles, even though they have canceled the flight, which they will use for other fraud moving forward. Although not as common as they once were, bonus miles and other extras are advertised by airlines and other companies, such as United, as an incentive for travelers to choose them over competitors.
Ticket scalping is another pain point for travel as well as other types of ticketing websites. This occurs when fraudsters use bots to bulk buy tickets from ticketing or travel companies online, causing the flight or event to sell out.
First, they might use an auto refresher to spot when tickets have gone on sale. Then, they’ll employ scripts to automatically fill out forms and details during the transaction process. Fraudsters might also use pre-bots to create multiple fake accounts across many different websites. If a site requires customer identification, then fraudsters might attempt to provide this in the form of stolen or synthetic IDs.
Ticket scalping is a form of arbitrage, as they then resell tickets to customers for a marked-up price, generating a profit. This is also known as ticket touting or ticket reselling and doesn’t just affect travel companies but also music, entertainment, and sporting events.
One prominent case of ticket scalping in the travel industry was during the height of the COVID-19 pandemic, at the start of which airports canceled flights in the face of impending lockdowns. In a report, CNN describes how scalpers seized an opportunity to sell air tickets on the black market to Chinese students looking to travel from the US to China to join their families. With rumors of airlines slashing seats and inbound flights, agents turned into scalpers by putting up a premium on these now highly desirable tickets.
The CNN reporter found a $300-450 booking was hiked up to the equivalent of $1,650 by agents acting as scalpers. According to the report, the Civil Aviation Administration of China claims that it has lost $70,000 to ticket scalpers and has since rolled out price control and outright bans on some ticket exchanges and proxies.
How Digital Footprinting Can Address Fraud
With the right fraud prevention and detection software in place, organizations can spot and prevent fraudulent accounts before they have a chance to target your transaction process.
Digital footprinting can be part of that process, helping assess the true intentions of any customer looking to transact. Imagine a fraudster who has acquired card details stolen during a data breach and is looking to register an account to buy tickets fraudulently and then resell them for a profit.
It’s at this sign-up touchpoint that digital footprinting techniques, such as reverse email and phone lookup, can help. The digital footprint module will check this new user’s email address or phone number to see if they have social media or other web histories.
Why does this matter? Because reverse lookup tools, as a form of data enrichment, tell you a lot about a user. Starting with information the customer submits, such as an email or phone number, digital footprint analysis sources hundreds of data points to create an accurate, real-time profile of the person who uses the address or phone number, from which we can evaluate their intentions – or even automatically ban or approve them.
For instance, when a customer provides a phone number as part of their check-out process, you can use the resulting data points to find out if this phone number is a disposable or VoIP number, as well as any associated names and addresses. As SEON’s guide to phone lookup explains, using reverse phone lookup, you can find out whether the phone number is valid, the country the carrier is based in (which you can combine with IP analysis), and any connected social media or instant messenger accounts, among other information.
Real people, even those who aren’t techies, almost always have some sort of online presence. But if a new user’s phone or email address is not linked up to any social media or online platforms – for instance, accounts on Airbnb, Skype or Facebook – you have good reason to be suspicious and thus request additional verification and proof of their identity. Furthermore, each country has its own mix of popular digital services, so a customer that deviates from the norm could also signal an anomaly that warrants closer inspection.
It’s incredibly difficult and complex for fraudsters to fake a legitimate digital footprint. The email address they create to defraud you will not have a digital presence, instead having been created recently just for this purpose. Scalpers use bots to bulk buy tickets, and these are typically in control of multiple accounts at a time (multi-accounting). All these accounts, of course, will have registered using new, not-before-seen-online email addresses. This is a huge red flag.
Digital footprinting can be a good low-friction fraud prevention and detection option, as it can help keep the transaction experience for your genuine customers efficient and enjoyable. With risk ratings, each individual looked at can be assigned a risk score on the basis of their profile, and a customer with no digital footprint will have a much higher risk score than a user with one. Such risk scoring can help introduce friction only where it is needed, in what’s called dynamic friction that changes based on the customer’s score.
Although digital footprinting is an excellent, cutting-edge tool for spotting fraudsters, it works most effectively when combined with other fraud prevention and detection tools. Device fingerprinting involves collecting information about a user’s device, while IP analysis looks at where in the world they connect from and how. These help in a multitude of ways. For example, it is suspicious if several different users use the exact same device and IP, so an extra check can be introduced.
Another consideration of fraud prevention is velocity checks, which examine customer actions through the lens of time. For example, if a customer has attempted to purchase multiple tickets from your website for events at various locations over the course of just a few hours, then this will be flagged by the velocity-checking process. While some customers may do this for legitimate, non-fraudulent reasons, it can also be a sign of fraud. Other kinds of behavioral analytics include looking at abnormal interactions and a user’s typing cadence.
By combining data points from digital footprinting, device fingerprinting, velocity checks and more, through sophisticated fraud prevention software, travel companies can be better protected.
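As an added illustration (not code from the article or from SEON), the sketch below combines the signals described above: an empty digital footprint, a disposable or VoIP phone number, several accounts sharing one device and IP, and a velocity check, then maps the score to dynamic friction. The field names, weights, thresholds and sample records are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative weights and thresholds (assumptions, tune to your risk appetite).
WEIGHTS = {"no_footprint": 40, "throwaway_phone": 25, "shared_device": 20, "velocity": 15}
WINDOW, MIN_CITIES = timedelta(hours=3), 3

def velocity_flag(purchases):
    """True if tickets for MIN_CITIES+ distinct locations were bought within WINDOW."""
    for _, start in purchases:
        cities = {c for c, t in purchases if timedelta(0) <= t - start <= WINDOW}
        if len(cities) >= MIN_CITIES:
            return True
    return False

def score_accounts(signups, purchases):
    """Return {account: (score, action)}; friction rises with the score."""
    sharing = defaultdict(set)              # (device, ip) -> accounts seen on it
    for acct, s in signups.items():
        sharing[(s["device"], s["ip"])].add(acct)
    bought = defaultdict(list)              # account -> [(city, time)]
    for acct, city, ts in purchases:
        bought[acct].append((city, ts))
    results = {}
    for acct, s in signups.items():
        hits = {
            "no_footprint": not s["profiles"],   # enrichment found no linked accounts
            "throwaway_phone": s["phone"] in ("disposable", "voip"),
            "shared_device": len(sharing[(s["device"], s["ip"])]) > 1,
            "velocity": velocity_flag(bought[acct]),
        }
        score = sum(WEIGHTS[name] for name, hit in hits.items() if hit)
        action = "approve" if score < 30 else "step_up" if score < 70 else "review"
        results[acct] = (score, action)
    return results

# Constructed sample data (not real customers; IPs are documentation ranges).
T0 = datetime(2024, 1, 1, 12, 0)
SIGNUPS = {
    "alice": {"device": "d1", "ip": "198.51.100.7", "phone": "mobile", "profiles": ["skype", "airbnb"]},
    "dave": {"device": "d2", "ip": "198.51.100.9", "phone": "mobile", "profiles": []},
    "bot-01": {"device": "d9", "ip": "203.0.113.5", "phone": "voip", "profiles": []},
    "bot-02": {"device": "d9", "ip": "203.0.113.5", "phone": "disposable", "profiles": []},
}
PURCHASES = [("alice", "Lisbon", T0), ("dave", "Oslo", T0)] + [
    ("bot-01", city, T0 + timedelta(hours=h)) for h, city in enumerate(["Paris", "Rome", "Berlin"])]
if __name__ == "__main__":
    for acct, (score, action) in score_accounts(SIGNUPS, PURCHASES).items():
        print(f"{acct:7} score={score:3} -> {action}")
```

Here "step_up" stands for requesting additional verification and "review" for holding the account for manual inspection; a customer with an established footprint passes without added friction.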
Some vendors allow the merchant to fully customize each of these elements to match their risk appetite and past fraud events, while others promote a set-and-forget approach, often making use of blackbox (non-transparent) machine learning.
Digital footprinting is a great tool to stop fraudsters from hijacking your ticketing and other transaction systems. Thanks to data enrichment, it also scales, which means that you can introduce as many or as few checks as you need, from 100 checks an hour to one check an hour.
With strategies such as dynamic friction, suspicious accounts will need to provide more information, while customers proven to be trustworthy will enjoy frictionless check-out – all keeping you safe from instances of carding, account takeovers, and ticket scalping, as well as every other type of fraud.
About the author
Gergo Varga has been fighting online fraud since 2009 at various companies – even co-founding his own anti-fraud startup. He’s the author of the Fraud Prevention Guide for Dummies – SEON Special edition. He currently works as the Senior Content Manager / Evangelist at SEON, using his industry knowledge to keep marketing sharp, communicating between the different departments to understand what’s happening on the frontlines of fraud detection. He lives in Budapest, Hungary, and is an avid reader of philosophy and history.