ARC is sounding the alarm over a plane ticket fraud scheme that has resurfaced in the past seven months after it has been dormant since 2014.
As of mid-September, fraud detectors at ARC had found about 80 cases of unauthorized ticketing, worth about $1.2 million.
On average, successful unauthorized ticketing attacks result in the issuance of five to 10 tickets using the unwitting victim’s travel advisor’s GDS data, said Doug Nass, ARC’s manager of fraud investigations. The average value per ticket is between $800 and $1,200. Small and medium travel agents and large ticket consolidators are the most common victims.
To get those GDS credentials, fraudsters send phishing emails to travel consultants claiming to be from a GDS. In an example ARC presented in a webinar this month, the fraudster forged Saber using a subject line that reads “Sabre System Upgrade Notification Letter”.
“Sabre adds a new level of security at the time of logging into the reservation system,” the email reads. “All users are required to enter a member’s credentials (sic). Once logged in, Saber will be notified that Saber Red Workspace has been confirmed.”
The recipient was then asked to click on a link to enter their Saber credentials.
Nass says fraudsters have counterfeited two of the three major GDSs so far in 2021. He has not disclosed the second GDS because the ARC has not authorized the disclosure of that information.
Saber and Travelport declined to comment on this story. Amadeus did not specifically address spoof emails or unauthorized ticketing.
“Since the outbreak of the Covid-19 pandemic, we have seen a growing number of malicious cybersecurity attempts,” the company said.
“We work hand-in-hand with our customers, guiding them through a range of practical security checks and measures that they can easily take during these challenging times.”
Nass, along with ARC director of revenue integrity Cornelius Hattingh, report that the unauthorized ticketing appears to be coming from West Africa, with flyers departing from airports in Casablanca, Morocco; Dakar, Senegal; Abidjan, Ivory Coast; and other locations.
A fraudster often gains access to an agent’s credentials during nighttime hours in the US. By the time the agency opens the next day, the scammer has issued the tickets to his or her clients. Often those customers have already taken off, leaving the travel agency with a charge that the airline expects to make up for.
Hattingh says there are instances where it is possible that ARC will work with the agency to try and nullify the fraudulent transactions.
“If a person is already flying, we ask the agent to contact the airline directly for a refund. It’s going to be a tricky environment,” he says.
Phishing scam has been inactive for years
The resurgence of the illicit ticketing scam comes after about seven years of dormancy.
The ARC fraud team worked on the matter from 2009 to 2014, but the scams came to a halt around the time that three West African men were arrested in connection with the scheme, says Nass, including Eric Donys Simeu, a Cameroonian citizen living in 2017 was arrested. sentenced to nearly five years in US federal prison. Simeu was released at the end of 2018.
Nass said that travel advisors can avoid falling victim to these scams by being careful. No one should click on a link unless it’s in an email they were expecting. Also, travel advisors should pay close attention to the sender’s address and watch out for careless mistakes.
The Saber spoof that Nass used as an example contains numerous typos and was sent from the unknown domain @coinersoirex.com.
Nass also says agencies should improve training to ensure that every employee who has access to the GDS is aware of this scam.
* This article originally appeared on Travel Weekly.