ARC is sounding the alarm about an airline ticketing-fraud scheme that has reemerged over the past seven months after being dormant since 2014.
Through mid-September, fraud detectors at ARC had found approximately 80 instances of unauthorized ticketing, accounting for approximately $1.2 million.
On average, successful unauthorized ticketing attacks result in the issuance of five to 10 tickets using the GDS credentials of the unwitting travel advisor victim, says Doug Nass, ARC's manager of fraud investigations. The average value per ticket is between $800 and $1,200. Small and midsize travel agencies as well as large ticket consolidators have been the most frequent victims.
To get those GDS credentials, fraudsters are sending phishing emails to travel advisors that purport to come from a GDS. In an example presented by ARC in a webinar this month, the fraudster spoofed Sabre using a subject line that read, "Sabre System Upgrade Notification Letter."
"Sabre is adding a new level 3 of security at time of signing into the reservations system," the email says. "All users are required to enter a member login information (sic). Once you are logged in, Sabre will be notified that Sabre Red Workspace has been confirmed."
The recipient was then asked to click on a link to enter their Sabre credentials.
Nass says that thus far in 2021, fraudsters have been spoofing two of the three major GDSs. He didn't reveal the second GDS because it hasn't granted ARC permission to reveal that information.
Sabre and Travelport declined to comment for this story. Amadeus did not specifically address spoof emails or unauthorized ticketing.
"Since the outbreak of the Covid-19 pandemic, we are seeing a growing number of malicious attempts in the cybersecurity space," the company says.
"We are working hand in hand with our customers, guiding them with a set of practical security controls and measures they can easily take during these challenging times."
Nass, along with ARC director of revenue integrity Cornelius Hattingh, report that the unauthorized ticketing appears to be emanating out of West Africa, with flyers departing from airports in Casablanca, Morocco; Dakar, Senegal; Abidjan, Ivory Coast; and other locations.
A fraudster frequently gains access to an agent's credentials during the overnight hours in the U.S. By the time the agency has opened the following day, the scammer has issued the tickets to his or her customers. Often those customers have already taken to the sky, leaving the travel agency with a debit that the airline will expect it to make good on.
Hattingh says there are instances where it is possible ARC will work with the agency to try to void the fraudulent transactions.
"If a person is already flying, we ask the agent to engage with the airline directly for a refund. It becomes a tricky environment," he says.
Phishing scam dormant for years
The unauthorized ticketing scam's reemergence follows approximately seven years of dormancy.
ARC's fraud team was engaged on the issue from 2009 to 2014, but the scams came to a halt around the time three West African men were arrested in relation to the scheme, Nass says, including Eric Donys Simeu, a Cameroon citizen who in 2017 was sentenced to nearly five years in U.S. federal prison. Simeu was released in late 2018.
Nass said travel advisors can avoid falling victim to this scam by exercising caution. No one should click on a link unless it is in an email they were expecting. Also, travel advisors should pay close attention to the sender's address and be on the lookout for sloppy mistakes.
The Sabre spoof that Nass used as an example has numerous typos and was sent from the unfamiliar domain of @coinersoirex.com.
Nass also says that agencies should enhance training to make sure every employee who has access to the GDS is aware of this scam.
* This article originally appeared on Travel Weekly.