Travel managers should introduce a "no profile, no booking" policy after the U.S. Federal Bureau of Investigation warned that fraudsters are booking flights by posing as client employees when contacting travel management companies (TMCs), according to BCD Travel.
The FBI on Oct. 22 issued its warning to travel management companies, advising that "stolen credentials are … used to impersonate and build a traveler's profile to enable booking of international travel for fraudulent passengers. The stolen credentials include an executive's name, email address, cellular telephone number, or some combination thereof. Upon purchase of the fraudulent airline tickets, attempts are made by criminals to resell the airline tickets at a substantially discounted rate."
The memo reported two recent incidents of TMCs being taken in by the scam. In the first, in June 2019, a fraudster booked tickets for three passengers, including for one-way travel between Pakistan and Australia, after using a confirmation code from a previous genuine booking as their "convincer."
In July, a fraudster impersonated a client employee by providing the TMC with the employee's name, e-mail address and mobile number. "The fraudster alleged the travel booking was urgent," the FBI said. "As additional validation … the fraudster provided a group email address for a company business unit. During the 75-minute call, the fraudster made international travel reservations for at least seven fraudulent passengers for destinations primarily in the Middle East and Africa."
Andreas Decker, Netherlands-based SVP for global internal audit at BCD Travel, said fraudsters typically "fish for confidential information by first reaching out to the clients of a TMC in a certain country." The fraudster claims to be "a high-ranking officer of the client's organization from another region or country that needs to make an urgent booking while on a business trip outside their home region or country.
"The impostors use real names and titles of clients' employees they have gathered, for example, from social media sites. In some cases they even manage to have the client reach out to the TMC staff, informing them that shortly a high-ranking officer of the client organization from another region or country will contact them with an urgent booking request."
Decker said booking fraud can "in many cases only be avoided if a strong caller validation process is in place which is strictly adhered to. It is therefore recommended to have validated traveler profiles for all employees and apply a 'no profile, no booking' policy. If exceptions to the policy are required, a strong caller validation process needs to be in place. Clients should also warn their staff about the deceptive practices of these fraudsters."
According to the FBI warning, signs of suspicious activity TMCs should watch out for include individuals:
- Calling through a central reservation number rather than a concierge or dedicated team number.
- Claiming the reservation is time-sensitive or urgent, especially for departures less than 48 hours from when they call.
- Failing to provide specific details such as the final four digits of their credit card and subsequently terminating the booking upon questioning.
- Using group or business-unit e-mail addresses during booking.
- Booking one-way tickets primarily to destinations in the Middle East and Africa.