Whether it’s hitting the beach, heading to a big city to take in a show, or riding the new thrilling roller coaster- summer vacations are important to consumers and big business for the travel and leisure industries. Vacations aren’t exclusive to legitimate travelers, there’s a chance that some of the seats on that plane are taken by fraudsters, because guess what? They’re taking their summer vacations too. Except when a fraudster travels, they’re not taking a break- they’re on a mission.
When fraudsters travel, they touch nearly everything under the travel and leisure umbrella. In fact, it’s expected that by 2020 travel fraud will cost over $25 billion worldwide. As fraud becomes increasingly organized and sophisticated, these bad actors will be able to go on increasingly complex trips to theme parks or resort destinations undetected. In the past, they may have booked a fraudulent hotel room but rented the car under their name or used a rideshare app with legitimate credit card info. Not anymore.
Let’s take a trip with one of these bad actors to see the range of chaos they can bring while taking a short vacation.
Packing for the trip
Suitcase? Check. Camera? Check. Sunscreen? Check. Burner phone…check? Before we can set off on our adventure with a globetrotting fraudster, we’ll need the right tools for the trade. The key is to always be prepared while staying under the radar. Here’s our packing list, don’t worry everything will fit in your carry-on bag:
- A disposable email address– While pretty much any email address can be considered disposable, major providers like Yahoo and Google require more identity verification than we’ll want to give up for this trip. It’s better to use a service that provides a temporary email address we can use for this trip only. One way to prepare for booking travel fraudulently is to age the email address you plan on using by creating it in advance. Studies show that 91% of users have had their email addresses for 3 or more years. Some of the most sophisticated fraud prevention services use an email address as the most important data for predicting risk, so we should take precautions to slip under those radars.
- A burner phone– Much like a disposable email address, we’ll need a disposable phone. Pay as you go smartphones now are available from most big-box retailers at a reasonable price and require little to no personal information to use. Purchasing your new phone and setting up service with your matching disposable email address is a great way to age the address to appear more legitimate. While some fraud prevention services do utilize device data, it’s generally understood that users will upgrade or change devices more frequently than their email addresses.
- A VPN service– A VPN is one of those tools that seems very sophisticated but in reality, is easy to use and an essential part of the fraudster’s toolkit. A VPN service will encrypt and anonymize your internet activity across devices preventing fraud management software from discerning your true IP address or connecting it to fraud activity. Many VPN providers allow you to choose where your IP address appears to be coming from. For example, if you’re based out of Russia but want to buy tickets for a Broadway play in New York City, you can choose to appear from somewhere in the United States to make your purchase. VPNs help you fly under the radar and allow you to control how your IP address is seen by merchants.
- Fake documents- Arguably the most important part of any fraudster’s day out, you’ll need to have documents. Namely some sort of identification, either a passport or a driver’s license. You’ll also need stolen credit card numbers. These documents and the data to support them can all be purchased on dark web marketplaces thanks to large scale data breaches. For this trip, we’ll be using CNP fraud to get around though, so luckily we won’t need physical credit cards.
Now that your toolkit is packed, you’re ready to start booking the trip.
Planning the itinerary
The itinerary is simple, without spending a dime of our own money we’re going to fly to New York City and take in the newest sensation on Broadway before catching a rideshare ride to a theme park to ride the newest roller coaster. Oh and we’re going to do it all by leaving today. I know what you’re thinking, we haven’t booked yet and last-minute flights are hard to come by. Hear me out, though.
- Defrauding the airlines- Booking airline tickets at the last minute is a key piece of getting away with this scam. In order to travel by air without getting caught, you’ll need to find an airline or OTA that we’ve determined does not have a sophisticated risk assessment that can take key data points (like the time of your flight or destination) into account when identifying suspicious transactions. The closer to the flight time that we book, the less time the rightful owner of the credit card will have to see and stop the transaction from processing. Once you’ve boarded your flight, the airline has lost its opportunity to stop or recover that lost revenue. Be careful though some airlines work with fraud prevention solutions that will flag last minute bookings as suspicious and send them for manual review.
- Taking in a show– Buying event tickets is a hotbed for friendly fraud, so we could actually use our own credit card here. Just like the airline tickets, buying same day tickets is an easy way to stop credit card company controls from flagging and stopping your transaction. Spoil yourself, buy front row tickets. How often will we be in New York City on someone else’s dime? After the show, we’ll simply contact our banks for a chargeback on those tickets. There’s no other proof that we were ever in the city, making the transaction looking anomalous and fraudulent.
- Grabbing a rental car and getting to the pickup location-Here’s where our disposable phones will come in handy. By installing a rideshare app on your phone and signing up with the disposable email address and paying with one of the stolen credit card numbers, we’ll catch a ride to the park with no problem! Many rideshare apps only run fraud prevention checks on sign up. If you’ve matched your email address and information on your new phone you’ll be able to update the credit card info to a new stolen card without any further checks.
- Thrills and chills at the park– We’ll use the disposable mobile devices to purchase single day short notice theme park tickets upon arrival. They’re more expensive, but we’re not paying with our own money so who cares? Purchasing the tickets just before getting in line for the park means that by the time anybody notices the transactions on their credit card, we’ll already be in the park and away from the ticketing gate. Some parks even allow you to check-out as a “guest” with fewer verifications and fraud prevention measures that would be normally associated with creating an account. Take advantage of this to increase the likelihood of not getting caught.
What a whirlwind, right? This is a common portrait of how fraudsters impact the travel industry. Chances are if a fraudster wants to get around, they’re not simply touching one piece-but the entire industry one vendor at a time. It all starts with an email address that’s been artificially aged, some research and using vendors siloed from each other to avoid detection.
Protecting themselves and each other
The journey of the summer fraudster may sound like a thrilling spy adventure with intrigue and fast-paced scams, but it also highlights the importance of network intelligenceand holistic fraud management strategies. By sharing fraud markers with a risk assessment engine like the Emailage Email Risk Score, as soon as an email is detected and confirmed to have been associated with fraud, peers in the travel industry and beyond will see that address flagged as suspicious.
Are you ready to put an end to vacations for fraudsters? Learn more about how Emailage can take your fraud management to the next level, request a demo today.09