Alerts

ARC posts the latest information on fraud schemes, scams and criminals within the travel industry and tips on how to protect your business from fraud.

Urgent Updates: Phishing Email Impersonating Sabre

To address this issue, you should take the following steps:

• Verify the Authenticity: Make sure that communication claiming to be from Sabre is legitimate. Double-check the sender's email address, domain and other identifying information.
• Do Not Click on Suspicious Links: If you receive emails or messages with unfamiliar links or attachments, refrain from clicking on them. These could potentially contain malware or lead to phishing sites.
• Contact Sabre: Please reach out to Sabre's official contact channels to inform them of the impersonation issue. They may have resources and recommendations to address the situation.
• Educate Your Team: Ensure your team knows about the impersonation threat and how to recognize suspicious messages. Provide training on email security and best practices for identifying phishing attempts.
• Monitor for Similar Incidents: Keep an eye out for further instances of impersonation and document them. This will help in tracking the scope and pattern of the attacks.
• Report to Authorities: If the impersonation attempts involve fraudulent activities, consider reporting them to relevant authorities or cybersecurity agencies.
• Update Security Protocols: Review and strengthen your organization's email security protocols. This may include implementing email filtering, authentication measures and two-factor authentication (2FA).
• Internal Communication: Communicate the threat within your organization, especially those who handle sensitive information or access critical systems.
• Document and Preserve Evidence: If you suspect criminal activity, document evidence related to the impersonation attempts, such as email headers, message content and related information.
• Stay Informed: Keep yourself updated on the latest security threats and best practices for protecting your organization from email impersonation and phishing attacks.

Please email ARC at  StopFraud@arccorp.com  if you need assistance, and visit our  on-demand webinar page  to view the latest fraud awareness videos.

Tour Requests Scheme

ARC recently received, via an industry partner, raising concerns about an inquiry (via email) requiring your awareness and thorough assessment. The details of the request are as follows:

Request Origin: China

Inquirer: Mr. Carson

Tour Details:

Group Size: A total of 160 persons, divided into two groups of 80 each.

First Group: Scheduled from 15th November 2023 to 21st November 2023.

Second Group: Scheduled from 24th November 2023 to 30th November 2023.

Inclusions: Accommodation (four-star or five-star hotel), transportation, scenic spot costs, insurance, meals, translation services, tour guides, and arrangements for transportation to the airport.
Customization Request: The client wishes to customize the itinerary for their group.

This inquiry has raised several risk factors that require careful consideration:

• Large Group Size: The request involves a substantial number of participants, which can pose financial risks.
• Lack of Detailed Contact Information: The initial communication lacks essential contact information, making verifying the inquiry's legitimacy difficult.

Given these risk factors, we recommend the following actions:

• Verification: Attempt to verify the authenticity of the inquiry and the identity of Mr. Carson. Seek additional contact information and conduct due diligence on the prospective client.
• Security Measures: Strengthen your cybersecurity measures to protect sensitive client data and financial transactions.

We strongly suggest you exercise caution and conduct thorough risk assessments before proceeding with this inquiry. The high-risk nature of this request necessitates careful consideration to protect your company's interests and reputation.

Please keep us updated on your findings and decisions regarding this inquiry. If you have any questions or need more help, please don't hesitate to contact us at StopFraud@arccorp.com. Visit our on-demand webinar page to view the latest fraud awareness videos.

Phishing Email Schemes

Inter-Africa travel bookings and inquiries for future Africa-to-Europe routes

Schemes

Fraudsters are often creative in the schemes they devise to manipulate the customer service skills of travel agents who always want to help their clients. The information they provide makes them appear as legitimate customers with plausible reasons for ordering tickets for themselves and others with close-in departure dates. The fraudsters create a compelling story as to why an agent should help them or create a sense of urgency to get that agent to lower their guard and get the tickets issued. Once those tickets are issued, the fraudster alerts his own customers that they are ready to travel.

Below you’ll find schemes that are commonly employed by fraudsters.

Social Engineering Scheme

A social engineering scheme involves phone and/or email communication between the fraudster and a travel agent that will typically involve at least one of the following characteristics:

• Immediate departure: Often for the same day out to three days from today
• Social standing: Customer claims to be a doctor or minister
• Emergency travel: Someone in the “family” needs to travel immediately
• Fake referral: When asked how the customer found the agency, he/she claims their spouse used the agency a year ago, though no profile exists for that spouse in the system.
• “Straw purchase”: Customer claims to be local and requests a ticket for himself/herself with a departure from the nearest airport three weeks from today so there are few red flags to indicate it’s a risky transaction. This ticket is not meant to be flown, it’s meant to establish a working relationship with a specific travel agent within the travel agency. The next tickets he/she orders are for real passengers who will travel.
• VOIP telephone: The customer’s telephone number may mimic a local area code, though research on the internet can quickly reveal it to be a VOIP (Voice-Over-Internet-Protocol) telephone number.
• NOTE: VOIP telephone numbers are not necessarily bad or fraudulent; it merely means you cannot be sure where the person is really calling from.
• Digitally Altered Images: The customer emails images of their driver license or passport and the front and back of their credit card to make themselves appear legitimate. A review of such documentation can sometimes reveal mistakes.

Corporate Booking Schemes

Corporate booking schemes contain many of the same characteristics of a social engineering scheme but the fraudster targets agents with existing corporate clients or requests that the agency sign them up as a new client.

• Internet research: Fraudster conducts online research to find an executive’s name and title that he will use when communicating with their corporate travel agency.
• Similar email address: Fraudster creates an email address similar to the real corporate email address though with extra letters or numbers. Use the website WhoIs.com and refer to our Free Internet Tools page to find out when an email address was created.
  • True email address: john.doe@uofmcorp.com
  • Fraudster email address: john.doe@uofmcorp-uk.com
• Fake referral: Fraudster may attempt to socially engineer a corporate employee to unwittingly “refer” him by phone or email to someone at their corporate travel agency.
• Immediate departure: Often for the same day out to three days from today
• VOIP telephone: The customer’s telephone number may mimic a local area code, though research on the internet can quickly reveal it to be a VOIP (Voice-Over-Internet-Protocol) telephone number.
• NOTE: VOIP telephone numbers are not necessarily bad or fraudulent; it merely means you cannot be sure where the person is really calling from.
• After-Hours Services: Fraudsters may wait until the evening hours to contact a corporate travel agency so that an After-Hours travel agent will handle them. This travel agent may not have the ability to verify caller information with a corporate client.
• Fake website: Fraudsters may also try to dupe an agency into signing them up as a new corporate client by going so far as to create a fake website to showcase their company. The example below is a basic site and the links do not take you further into the website.

Fake website created by a fraudster:

Corporate Booking Tools

Many large corporations have corporate booking tools sitting on their corporate websites that employees can access to book travel. Unfortunately, fraudsters are quite aware of this and target these bookings tools to issue tickets for their own customers. The fraudsters target employees of the corporation with phishing emails or malware to obtain their corporate login credentials. Once the fraudster has this information he/she can access the corporation website and then go to the link for the booking tool. Refer to the Best Practices page for suggestions of how to limit exposure to fraud via these tools.

EDU Scheme

This scheme is similar to the corporate booking scheme and usually orchestrated by the same fraudsters. The targets in this scheme are the agencies that fulfill ticketing for universities and colleges.

Below is an example of a real EDU scheme email sent to an agency claiming to be from their university client. The fraudster used the free email service Outlook to communicate with the agency, but the agency had a policy to only communicate using the .edu address. In addition, the telephone number is a VOIP number so you do not really know where in the world they are calling from.

NOTE: Certain information removed by ARC

Ownership Change Scheme

Agents in the United States have been the victims of fraudulent ownership change schemes. These unauthorized ownership changes have usually involved situations where the ARC owner of record surrendered control of their agency to the prospective buyer or manager. The buyer promised to send the appropriate ownership change papers to ARC, but most times did not. The buyer or manager then conducted transactions that resulted in major financial losses to ARC participating airlines.

• Remember - Do not turn over the operation or control of your agency location, blank ticket stock, or access to driving electronic tickets to any third party (including the purchaser) until you have received written notification from ARC that your change of ownership is approved. Until that approval, the ARC agent/owner is responsible for all financial losses on ARC traffic documents and electronic tickets supplied to the location.
• Prior to executing any contract, meet with the prospective buyer face-to-face and obtain the following:
  • Original color photographs of purchaser and any representatives
  • Color replicas of passport and/or driver's license
  • Personal data of purchaser and any representatives, including home addresses, phone numbers, current and past employment
• Once you have obtained personal data of the buyer and personnel, confirm the data through internet searches or other types of records that can verify the data provided. If purchaser objects, you should think twice about going forward with the sale.
• Observe and record the make, model and license plate numbers of all automobiles driven by the purchaser and representatives.
• The owner of record should periodically check with ARC's Accreditation Department to ensure a Change of Ownership Application has been submitted and that it is complete to allow timely processing.
• Do not provide the prospective buyer with access to sensitive data or systems (i.e., credit card numbers, personal information of clients, bank accounts, combination to safe, access to safe deposit boxes, GDS ticketing ability, etc.).
• Owners of record who believe they have been solicited by insincere purchasers are requested to notify ARC Fraud Prevention at 855.358.0393 or StopFraud@arccorp.com.