Fraud Schemes

Fraud Prevention

Fraud Schemes

Alerts

ARC posts the latest information on fraud schemes, scams and criminals within the travel industry and tips on how to protect your business from fraud.


Urgent Updates: Phishing Email Impersonating Sabre

There is an increase in phishing emails impersonating or pretending to be from Sabre. These emails are not from Sabre.

Sabre will never:

  • Send an email with an embedded link to a login page.

  • Send an email ‘threatening’ loss of access to your account.

  • Send an ‘unsolicited’ email notifying you to click on a link to validate or update your account.

If you receive a suspicious email from Sabre, report it immediately by emailing Sabre (customer.care@sabre.com) first and then ARC (stopfraud@arccorp.com).

October 25, 2023 Alert: Below is a screenshot of a fraudulent email with the subject line “Sabre Technology Upgrade Notification.”

A screenshot of a computer

Description automatically generated

If you receive a suspicious email from Sabre, report it immediately by emailing Sabre (customer.care@sabre.com) first and then ARC (stopfraud@arccorp.com).

October 19, 2023 Alert: The new fraudulent email format may have a different call to action than previous messages, along with the naming convention of the notice from Sabre to RED CENTRAL. The subject line contains a nonstandard letter "a.”

Below is a screenshot of a phishing email with the subject line "Account Update Request," urgently requesting agents to click a link for profile updates. Notably, the upgrade timeframe is 10/19/23, with a finish date of 9/5/23, raising an urgent red flag.

If you receive a suspicious email from Sabre, report it immediately by emailing Sabre (customer.care@sabre.com) first and then ARC (stopfraud@arccorp.com).

A screenshot of a computer

Description automatically generated

To address this issue, you should take the following steps:

  • Verify the Authenticity: Make sure that communication claiming to be from Sabre is legitimate. Double-check the sender's email address, domain and other identifying information.
  • Do Not Click on Suspicious Links: If you receive emails or messages with unfamiliar links or attachments, refrain from clicking on them. These could potentially contain malware or lead to phishing sites.
  • Contact Sabre: Please reach out to Sabre's official contact channels to inform them of the impersonation issue. They may have resources and recommendations to address the situation.
  • Educate Your Team: Ensure your team knows about the impersonation threat and how to recognize suspicious messages. Provide training on email security and best practices for identifying phishing attempts.
  • Monitor for Similar Incidents: Keep an eye out for further instances of impersonation and document them. This will help in tracking the scope and pattern of the attacks.
  • Report to Authorities: If the impersonation attempts involve fraudulent activities, consider reporting them to relevant authorities or cybersecurity agencies.
  • Update Security Protocols: Review and strengthen your organization's email security protocols. This may include implementing email filtering, authentication measures and two-factor authentication (2FA).
  • Internal Communication: Communicate the threat within your organization, especially those who handle sensitive information or access critical systems.
  • Document and Preserve Evidence: If you suspect criminal activity, document evidence related to the impersonation attempts, such as email headers, message content and related information.
  • Stay Informed: Keep yourself updated on the latest security threats and best practices for protecting your organization from email impersonation and phishing attacks.

Please email ARC at  StopFraud@arccorp.com  if you need assistance, and visit our  on-demand webinar page  to view the latest fraud awareness videos.


Tour Requests Scheme

ARC recently received, via an industry partner, raising concerns about an inquiry (via email) requiring your awareness and thorough assessment. The details of the request are as follows:

Request Origin: China

Inquirer: Mr. Carson

Tour Details:

Group Size: A total of 160 persons, divided into two groups of 80 each.

First Group: Scheduled from 15th November 2023 to 21st November 2023.

Second Group: Scheduled from 24th November 2023 to 30th November 2023.

Inclusions: Accommodation (four-star or five-star hotel), transportation, scenic spot costs, insurance, meals, translation services, tour guides, and arrangements for transportation to the airport.
Customization Request: The client wishes to customize the itinerary for their group.

This inquiry has raised several risk factors that require careful consideration:

  • Large Group Size: The request involves a substantial number of participants, which can pose financial risks.
  • Lack of Detailed Contact Information: The initial communication lacks essential contact information, making verifying the inquiry's legitimacy difficult.

Given these risk factors, we recommend the following actions:

  • Verification: Attempt to verify the authenticity of the inquiry and the identity of Mr. Carson. Seek additional contact information and conduct due diligence on the prospective client.
  • Security Measures: Strengthen your cybersecurity measures to protect sensitive client data and financial transactions.

We strongly suggest you exercise caution and conduct thorough risk assessments before proceeding with this inquiry. The high-risk nature of this request necessitates careful consideration to protect your company's interests and reputation.

Please keep us updated on your findings and decisions regarding this inquiry. If you have any questions or need more help, please don't hesitate to contact us at StopFraud@arccorp.com. Visit our on-demand webinar page to view the latest fraud awareness videos.


Phishing Email Schemes

Cybercriminals continue to target the agency community through phishing emails, which appear to be from various organizations across all business sectors, including GDSs. These emails entice agents to click on an embedded link and enter their login credentials.

No service provider should request login credentials through email. If you receive such a request, it is essential to validate it with your service provider.

Fraudsters can manipulate your reservation systems and cause financial harm to your agency if they compromise your credentials. It is critical to train your staff to avoid entering their login credentials into any links provided in emails and to be vigilant and suspicious of any webpage requesting authorization.

Safeguard your IT environment by implementing policies and procedures such as updating passwords and login credentials every 30-90 days and validating email senders and hyperlinks before clicking and engaging (i.e., opening, forwarding and replying to emails).

Please contact your service providers or email ARC at StopFraud@arccorp.com if you need assistance.

Visit our on-demand webinar page to view the latest fraud awareness videos.


Corporate Booking Tool Accounts Targeted by Fraudster

ARC is tracking a fraudster who gains access to Corporate Booking Tool accounts through unknown means.Once remote access is obtained, the fraudster issues tickets for his customers using compromised credit cards.

Characteristics of this fraud activity include:

  • One-way travel

  • Immediate departures: 0-3 days from ticket issuance

  • Departures or return tripsusually include airports inMoscow

  • Travel destinations include Southeast Asia, especially Bali, Phuket and Bangkok

  • Additional travel destinations include Europe and the Persian Gulf

  • Reservation may include the true accountholder in the booking to make it appear legitimate

Using the information available, ARC aims to notify Agent customers about potential exposure to fraudulent transactions and suspicious requests. We offer this information as an option to help mitigate any potential losses. Agents are responsible for making business decisions aligning with their risk management strategies.

Agents and agencies have a support network to help reduce risk and financial losses associated with unauthorized ticketing. Visit the support section of the ARC website to view our  fraud prevention resourcesandon-demand webinars. Contact our revenue integrity team by calling 855-358-0393 or emailing  stopfraud@arccorp.com.


Inter-Africa travel bookings and inquiries for future Africa-to-Europe routes

ARC has received reports of a fraudulent email solicitation scheme. We’re alerting you about requests for assistance with corporate travel from an alleged oil and gas company whose name does not show up in a Google search but has a similar spelling to an actual company. Please be cautious when handling such requests since they typically involve inter-Africa travel bookings and inquiries for future Africa-to-Europe routes. Prioritize verifying unfamiliar inquiries to prevent potential fraud.

Please review the example of a fraudulent email below to familiarize yourself with typical signs of suspicious requests:

  • Grammar and spelling errors

  • Urgency in the request

  • Unusual or questionable routings

  • Statements demanding immediate payment

  • Promises for future business


Dear Agent
How are you today, hope you are fine, i got your contact from directory when we are shopping for a travel agency that can be handling our travel needs like Air Ticket, Hotel and Transfer

Kindly let me have the flight options and the fare quote of the below itinerary  for our guest that want to depart  from Various destination  to various destination.

Below is the itinerary, kindly go ahead and check the availability and send the fare quote plus options.

Below is the itinerary request.

[1] PASSENGER NAME:
[2] PASSENGER NAME:
ROUTES:            LAGOS/NAIROBI/LAGOS
DEPT:              10/06/ 2023
RETURN:            AFTER TWO WEEKS
CLASS:             ECONOMY
AIRLINE:           ANY AVAILABLE.
---------------------------------------------------------------------
Also check Lagos/London/Lagos for five passengers that want to depart from Lagos to London on 10/06/2023 and to returns to Lagos After two weeks, i will send passengers names as soon as you send fare quote and flight options for bookings
................................

Treat as soon a possible and send the flight options for immediate payment.

Let me know the bank charges if i pay with visa card or master card.
Looking forward to hear from you asap

Regards
Purchasing Manager
Oil And Gas

Using the information available, ARC aims to notify Agent customers about potential exposure to fraudulent transactions and suspicious requests. We offer this information as an option to help mitigate any potential losses. Agents are responsible for making business decisions aligning with their risk management strategies.

Agents and agencies have a support network to help reduce risk and financial losses associated with unauthorized ticketing. Visit the support section of the ARC website to view our  fraud prevention resources  and  on-demand webinars. Contact our revenue integrity team by calling 855-358-0393 or emailing  stopfraud@arccorp.com.


Schemes

Fraudsters are often creative in the schemes they devise to manipulate the customer service skills of travel agents who always want to help their clients. The information they provide makes them appear as legitimate customers with plausible reasons for ordering tickets for themselves and others with close-in departure dates. The fraudsters create a compelling story as to why an agent should help them or create a sense of urgency to get that agent to lower their guard and get the tickets issued. Once those tickets are issued, the fraudster alerts his own customers that they are ready to travel.

Below you’ll find schemes that are commonly employed by fraudsters.

Social Engineering Scheme

A social engineering scheme involves phone and/or email communication between the fraudster and a travel agent that will typically involve at least one of the following characteristics:

  • Immediate departure: Often for the same day out to three days from today
  • Social standing: Customer claims to be a doctor or minister
  • Emergency travel: Someone in the “family” needs to travel immediately
  • Fake referral: When asked how the customer found the agency, he/she claims their spouse used the agency a year ago, though no profile exists for that spouse in the system.
  • “Straw purchase”: Customer claims to be local and requests a ticket for himself/herself with a departure from the nearest airport three weeks from today so there are few red flags to indicate it’s a risky transaction. This ticket is not meant to be flown, it’s meant to establish a working relationship with a specific travel agent within the travel agency. The next tickets he/she orders are for real passengers who will travel.
  • VOIP telephone: The customer’s telephone number may mimic a local area code, though research on the internet can quickly reveal it to be a VOIP (Voice-Over-Internet-Protocol) telephone number.
    • NOTE: VOIP telephone numbers are not necessarily bad or fraudulent; it merely means you cannot be sure where the person is really calling from.
  • Digitally Altered Images: The customer emails images of their driver license or passport and the front and back of their credit card to make themselves appear legitimate. A review of such documentation can sometimes reveal mistakes.

Corporate Booking Schemes

Corporate booking schemes contain many of the same characteristics of a social engineering scheme but the fraudster targets agents with existing corporate clients or requests that the agency sign them up as a new client.

  • Internet research: Fraudster conducts online research to find an executive’s name and title that he will use when communicating with their corporate travel agency.
  • Similar email address: Fraudster creates an email address similar to the real corporate email address though with extra letters or numbers. Use the website WhoIs.com and refer to our Free Internet Tools page to find out when an email address was created.
    • True email address: john.doe@uofmcorp.com
    • Fraudster email address: john.doe@uofmcorp-uk.com
  • Fake referral: Fraudster may attempt to socially engineer a corporate employee to unwittingly “refer” him by phone or email to someone at their corporate travel agency.
  • Immediate departure: Often for the same day out to three days from today
  • VOIP telephone: The customer’s telephone number may mimic a local area code, though research on the internet can quickly reveal it to be a VOIP (Voice-Over-Internet-Protocol) telephone number.
    • NOTE: VOIP telephone numbers are not necessarily bad or fraudulent; it merely means you cannot be sure where the person is really calling from.
  • After-Hours Services: Fraudsters may wait until the evening hours to contact a corporate travel agency so that an After-Hours travel agent will handle them. This travel agent may not have the ability to verify caller information with a corporate client.
  • Fake website: Fraudsters may also try to dupe an agency into signing them up as a new corporate client by going so far as to create a fake website to showcase their company. The example below is a basic site and the links do not take you further into the website.

Fake website created by a fraudster:

Fake Website

Corporate Booking Tools

Many large corporations have corporate booking tools sitting on their corporate websites that employees can access to book travel. Unfortunately, fraudsters are quite aware of this and target these bookings tools to issue tickets for their own customers. The fraudsters target employees of the corporation with phishing emails or malware to obtain their corporate login credentials. Once the fraudster has this information he/she can access the corporation website and then go to the link for the booking tool. Refer to the Best Practices page for suggestions of how to limit exposure to fraud via these tools.

EDU Scheme

This scheme is similar to the corporate booking scheme and usually orchestrated by the same fraudsters. The targets in this scheme are the agencies that fulfill ticketing for universities and colleges.

Below is an example of a real EDU scheme email sent to an agency claiming to be from their university client. The fraudster used the free email service Outlook to communicate with the agency, but the agency had a policy to only communicate using the .edu address. In addition, the telephone number is a VOIP number so you do not really know where in the world they are calling from.

Scheme Email

NOTE: Certain information removed by ARC

Ownership Change Scheme

Agents in the United States have been the victims of fraudulent ownership change schemes. These unauthorized ownership changes have usually involved situations where the ARC owner of record surrendered control of their agency to the prospective buyer or manager. The buyer promised to send the appropriate ownership change papers to ARC, but most times did not. The buyer or manager then conducted transactions that resulted in major financial losses to ARC participating airlines.

  • Remember - Do not turn over the operation or control of your agency location, blank ticket stock, or access to driving electronic tickets to any third party (including the purchaser) until you have received written notification from ARC that your change of ownership is approved. Until that approval, the ARC agent/owner is responsible for all financial losses on ARC traffic documents and electronic tickets supplied to the location.
  • Prior to executing any contract, meet with the prospective buyer face-to-face and obtain the following:
    • Original color photographs of purchaser and any representatives
    • Color replicas of passport and/or driver's license
    • Personal data of purchaser and any representatives, including home addresses, phone numbers, current and past employment
  • Once you have obtained personal data of the buyer and personnel, confirm the data through internet searches or other types of records that can verify the data provided. If purchaser objects, you should think twice about going forward with the sale.
  • Observe and record the make, model and license plate numbers of all automobiles driven by the purchaser and representatives.
  • The owner of record should periodically check with ARC's Accreditation Department to ensure a Change of Ownership Application has been submitted and that it is complete to allow timely processing.
  • Do not provide the prospective buyer with access to sensitive data or systems (i.e., credit card numbers, personal information of clients, bank accounts, combination to safe, access to safe deposit boxes, GDS ticketing ability, etc.).
  • Owners of record who believe they have been solicited by insincere purchasers are requested to notify ARC Fraud Prevention at 855.358.0393 or StopFraud@arccorp.com.