While fraud happens in every industry, we’ve found that there are certain industries in which it tends to carry an outsized impact. In our experience, that’s especially true for businesses in the travel and hospitality industries. That’s because when your customers or users experience fraud, it doesn’t just have a financial impact — there’s also an emotional component that has to be considered.
Travel is, for many of us, an aspirational activity, and making a trip work can require months or even years of planning, budgeting, and research. When a customer logs into their account and finds that the loyalty points they’ve been saving for years have been stolen, for example, that could mean the difference between them being able to take their trip or having to cancel it entirely.
This mix of finances and emotions means that when a customer experiences fraud within the travel industry, they often feel it a lot more than they might in other industries. And that means that businesses operating in the industry are particularly susceptible to damaged trust and brand reputation when fraud does occur.
That’s why it’s so important for businesses operating in the industry to have a comprehensive anti-fraud strategy. Here, we take a look at the different types of fraud that occur in the travel industry and the steps you can take to better protect your business and your customers from these threats.
Data breaches
Over the past few years, there have been a number of data breaches linked to travel companies. A handful of recent examples include:
- A November 2023 incident, in which a Melbourne travel agency’s database containing more than 112,000 customer records — including customers’ travel visa certificates, passport images, and partial credit card numbers, amongst other details — was leaked online.
- A vulnerability identified in 2020, which resulted in the records of millions of guests (including users of Expedia, Hotels.com, and Booking.com) being left exposed and unprotected. While it is unclear if the records were ever improperly accessed, they included details such as customers’ names, ID numbers, payment details, and reservations.
- A 2014 incident, discovered in 2018, in which Marriott’s system was hacked and the records of more than 300 million of the company’s guests were leaked. Stolen details included names, dates of birth, contact information, addresses, gender, travel information, credit card details, and passport numbers. The company was ultimately fined just under $24 million (in 2020) for improper security measures under the GDPR, the EU’s privacy law.
Data breaches allow bad actors to access personal information, which they can then use to steal an individual’s identity, create a synthetic ID, or sell to others looking to do so. This can cause immense harm to both your customers and brand. Knowing that your customers and their data are targets, it’s crucial to safeguard against intrusion.
Account takeover attacks and loyalty fraud
In an account takeover (ATO) attack, a bad actor gains access to a legitimate customer’s account — typically by using credentials that have been compromised in some way. Once in, they will quickly “take over” the account by changing the password and security questions in order to lock the legitimate customer out.
They can then use the account to engage in a variety of different types of fraud — for example, using the customer’s stored payment details to make a fraudulent purchase. Or they might engage in loyalty fraud by stealing or transferring the user’s loyalty points or miles, by redeeming them for rewards directly from that account, or by transferring those points to another account they control. They might even blackmail the legitimate account holder, offering to return access to the account in exchange for a ransom.
For online marketplaces that connect travelers with merchants, such as hotels, it’s important to recognize that the threat of ATO attacks is present on both sides of the marketplace.
To illustrate this point, consider a recent incident impacting users of Booking.com in which hotels’ accounts on the platform were taken over by fraudsters. This enabled bad actors to access the contact information of hotel guests and use that information to engage in phishing attempts.
Promo abuse
If your business is like most, promotions play a fundamental role in your marketing efforts — serving as a means to not only attract new customers and users, but also to keep existing users engaged.
Unfortunately, these promotions are often abused by legitimate users as well as bad actors. You need a clear sense of the impact that abuse might have on your bottom line. A few common examples of promo abuse include:
- Abusing sign-up bonuses: A bad actor creates multiple accounts on a platform or website in order to repeatedly claim a sign-up bonus offered by the business, such as a discount or cash reward.
- Referral fraud: A bad actor creates a single account on a website in order to get access to a referral link, which promises some type of reward if they get others to sign up through that link. They then use the link themselves to open multiple fraudulent accounts and claim the referral reward illegitimately.
- Loophole exploitation: Most promotions carry certain limits designed to prevent the business from paying out too much money to a single user. Bad actors can, however, sometimes identify and exploit loopholes that allow them to skirt around these limits or otherwise take advantage of the promotion.
For just one example of promotions abuse in the travel space, consider this 2019 report about a joint promotion between Citi and American Airlines. In that promotion, when users opened an account with AAdvantage and accepted an offer for a Citi credit card, they would receive up to 70,000 miles that could be redeemed for flights. As you might expect, it didn’t take long for some customers to open multiple accounts in order to take advantage of the promotion.
How you can fight identity fraud in the travel industry
With so many opportunities for fraud, it’s important for businesses in the travel and hospitality space to have mitigation strategies in place. Some strategies you may want to consider include:
Conducting a risk assessment
It’s easy to make assumptions about the kinds of fraud risk your business might be exposed to. But making assumptions like this can lead to blind spots and potential loopholes for bad actors to squeeze through. That’s why we recommend starting with a thorough risk assessment designed to uncover the specific ways your platform might potentially be leveraged by fraudsters.
A risk assessment commonly includes:
- Who a legitimate customer is for your business and the risks they might intentionally or inadvertently expose you to
- The different ways customers are able to legitimately interact with your platform and the potential for those interactions to be abused
- The different fraud trends that exist in the geographies you serve
- The regulations you are required to comply with, especially with regard to customer data and privacy (GDPR, CCPA, etc.)
Once you’ve identified the fraud risks your business is exposed to and the degree of that exposure, you can then prioritize these risks and put mitigation measures in place. While a risk assessment will not, in and of itself, solve any of the problems listed above, the insights you gather from the exercise can support you in tackling all of them.
Verifying identity during onboarding
Verifying a customer’s identity during the account creation and onboarding phase of your relationship can help you protect your platform in a number of ways.
First, it makes it more difficult for a bad actor with stolen identity and payment information to open a fraudulent account on your platform. Through data breaches, bad actors can easily gain access to an individual’s name, date of birth, and even their debit or credit card number. But it’s often more difficult to acquire proof of identity, such as a driver’s license or passport. Making identity verification (IDV) a part of your account creation process can be incredibly effective at preventing these bad actors from gaining a foothold on your platform.
Second, verifying a customer’s identity at the moment of account creation also creates a baseline understanding of who that person is, which is crucial for reverification.
Whichever verification measures you implement should be informed by the results of your risk assessment. Government ID verification, document verification, selfie verification, and database verification can all play a role.
Reverifying during high-risk moments
Once you have verified your customer’s identity during the account creation process, it’s possible for you to reverify their identity — for example, by requiring a selfie check — in the future to ensure their account has not been compromised.
Many businesses trigger reverification when a customer takes a high-risk action, such as:
- Updating or changing their contact information, address, or payment details
- Completing a high-value transaction, such as booking an expensive flight or hotel room that appears to be anomalous to their trip history
- Redeeming or transferring loyalty points/miles
- Engaging in other forms of suspicious activity
That being said, risk doesn’t need to be present in order for you to require reverification. Other times it may make sense to reverify a user’s information include:
- When a document (such as an ID) has expired and needs to be updated
- When a previously dormant account is reactivated
- When a customer makes a large number of purchases or bookings in a short period of time
Adding multi-factor authentication
If you are concerned about account takeover attacks, it’s important to devote as much effort to securing account access as to capturing onboarding information. Implementing multi-factor authentication (MFA) during the log-in process is one way to accomplish this.
Worried about introducing too much friction into the sign-in process? While you can require MFA during every single sign-in, you don’t need to. Many businesses only require MFA when certain risk signals are present — for example, when a customer tries logging into their account using an unrecognized device or when they try logging into an account after a long period of dormancy. How and when you require multi-factor authentication should be informed by the results of your risk assessment.
Additional password-related best practices to implement during onboarding include:
- Requiring strong passwords during account creation
- Disallowing users from opening an account with easily guessable passwords
- Regularly screening for leaked credentials
- Requiring periodic password updates
- Limiting the number of log-in attempts allowed in a short period of time
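The password practices listed above can be enforced with a small amount of code at the sign-up and sign-in boundary. The following Python is an added example written for this article, not Persona's product code; the common-password list, the leaked-credential hash set and the lockout thresholds are constructed placeholders, and a real deployment would back them with a large denylist and a breach feed.

```python
import hashlib
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

# Constructed, deliberately tiny denylist of easily guessable passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "travel2024"}

# Constructed stand-in for a leaked-credential feed: SHA-1 digests only, so the
# plaintext of leaked passwords is never stored on our side.
LEAKED_SHA1 = {hashlib.sha1(b"Summer!Holiday2019").hexdigest()}

MIN_LENGTH = 12


def password_problems(password: str, username: str = "") -> List[str]:
    """Return every policy violation for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if hashlib.sha1(password.encode()).hexdigest() in LEAKED_SHA1:
        problems.append("appears in a leaked-credential set")
    return problems


class LoginThrottle:
    """Sliding-window limit on failed sign-in attempts per account.

    After `max_failures` failures inside `window_seconds`, further attempts are
    refused until the oldest failure ages out of the window.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, account: str, now: float) -> None:
        # Drop failures older than the window so old mistakes do not lock users out forever.
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def record_failure(self, account: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._prune(account, now)
        self._failures[account].append(now)

    def record_success(self, account: str) -> None:
        # A successful sign-in clears the failure history for that account.
        self._failures.pop(account, None)


if __name__ == "__main__":
    print(password_problems("password", "alice"))
    throttle = LoginThrottle(max_failures=3, window_seconds=60)
    for i in range(3):
        throttle.record_failure("alice", now=1000 + i)
    print("locked:", throttle.is_locked("alice", now=1010))
```

The throttle is keyed per account; the same structure can be keyed per source IP as a second layer, and the thresholds should come out of your risk assessment rather than being fixed here.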
Collecting passive and behavioral signals during sign in
Passive and behavioral signals provide additional insight into who your customers are, and can help you prevent fraud during both the account creation process as well as subsequent log-ins.
For example, during sign up, passive signals such as a user’s IP address, browser fingerprint or device fingerprint, and location data can all help you build a risk profile of the customer, empowering you to prevent known bad actors (or others with a high degree of risk) from opening an account on your platform in the first place. Likewise, behavioral signals such as the use of developer tools, mouse clicks, and keystrokes can help you tell the difference between a human who is opening an account and an automated bot engaging in account creation fraud.
During sign in after onboarding, these same signals can help you identify instances of potential account takeover. If a customer hesitates while inputting their password, for example, or tries logging into their account using an unrecognized IP address or device, it could be a sign that the account has been compromised and that reverification is needed to rule out this risk.
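The reverification triggers, the risk-based MFA rule and the sign-in signals described in the last few sections all reduce to the same decision: compare what is happening now against a baseline recorded for the customer, and step up authentication when they diverge. The Python below is an added example for this article, not Persona's code; the profile fields, the 180-day dormancy cut-off, the 3x booking-amount anomaly rule and the hesitation threshold are constructed assumptions to make the logic concrete.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Constructed thresholds; tune them from your own risk assessment.
DORMANCY = timedelta(days=180)           # account unused this long counts as dormant
HESITATION_MS = 5000                     # pause before submitting the password (behavioral signal)
BOOKING_ANOMALY_FACTOR = 3.0             # booking this many times the usual amount is anomalous
BOOKING_VELOCITY_LIMIT = 5               # bookings in the last 24h before we recheck identity

# Actions the article lists as high-risk, each of which triggers reverification.
HIGH_RISK_ACTIONS = {
    "change_contact_info", "change_address", "change_payment_details",
    "redeem_loyalty_points", "transfer_loyalty_points",
}


@dataclass
class AccountProfile:
    """Baseline captured at onboarding and refreshed on every clean sign-in."""
    known_devices: Set[str]
    known_ip_prefixes: Set[str]          # /24 prefixes seen before, e.g. "203.0.113"
    last_login: datetime
    typical_booking_amount: float        # e.g. median of past bookings
    id_document_expiry: Optional[datetime] = None


@dataclass
class LoginContext:
    """Passive and behavioral signals collected during this sign-in attempt."""
    device_fingerprint: str
    ip: str
    now: datetime
    typing_hesitation_ms: int = 0


def ip_prefix(ip: str) -> str:
    return ip.rsplit(".", 1)[0]


def login_risk_signals(profile: AccountProfile, ctx: LoginContext) -> List[str]:
    """Signals suggesting the person signing in may not be the account holder."""
    signals = []
    if ctx.device_fingerprint not in profile.known_devices:
        signals.append("unrecognized_device")
    if ip_prefix(ctx.ip) not in profile.known_ip_prefixes:
        signals.append("unrecognized_ip")
    if ctx.now - profile.last_login > DORMANCY:
        signals.append("dormant_account")
    if ctx.typing_hesitation_ms > HESITATION_MS:
        signals.append("password_hesitation")
    return signals


def requires_mfa(profile: AccountProfile, ctx: LoginContext) -> bool:
    """Risk-based MFA: challenge only when at least one sign-in signal fires."""
    return bool(login_risk_signals(profile, ctx))


def reverification_reason(profile: AccountProfile, action: str, now: datetime,
                          amount: float = 0.0, bookings_last_24h: int = 0) -> Optional[str]:
    """Return why a selfie/document recheck is needed before `action`, or None."""
    if action in HIGH_RISK_ACTIONS:
        return f"high-risk action: {action}"
    if profile.id_document_expiry is not None and profile.id_document_expiry < now:
        return "ID document on file has expired"
    if action == "booking":
        if amount > BOOKING_ANOMALY_FACTOR * profile.typical_booking_amount:
            return "booking amount anomalous versus trip history"
        if bookings_last_24h > BOOKING_VELOCITY_LIMIT:
            return "unusual booking velocity"
    return None


if __name__ == "__main__":
    profile = AccountProfile({"dev-a"}, {"203.0.113"}, datetime(2024, 1, 1), 400.0)
    ctx = LoginContext("dev-z", "198.51.100.9", datetime(2024, 9, 1), typing_hesitation_ms=8000)
    print(login_risk_signals(profile, ctx))
    print(reverification_reason(profile, "transfer_loyalty_points", ctx.now))
```

Keeping the signal collection separate from the decision functions lets you log the raw signals for later review while changing the step-up rules without touching the collectors.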
Using link analysis to identify fraud on your platform
Link analysis is a data science technique you can use to understand how different accounts on your platform are connected to one another. It works by analyzing the details — or signals — shared by accounts, and can be a powerful tool in uncovering fraudulent accounts.
Accounts on your platform will sometimes legitimately share a detail or two, but sharing certain details is suspicious. For example, if multiple accounts share the same IP address, device fingerprint, browser fingerprint, physical address, contact information, or payment details, it may indicate that these accounts are fraudulent.
Link analysis empowers you to quickly analyze your database of accounts, looking for suspicious links and surfacing questionable accounts — which you can then flag for manual review or take immediate action against. It can be particularly helpful in identifying instances of promo abuse, loyalty fraud, and account takeover.
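To make the technique concrete, here is an added Python example (written for this article; it is not Persona's Graph tool or any other product code) that performs link analysis over a small set of constructed accounts. Each shared attribute adds a weighted edge between two accounts, a shared IP counting for much less than a shared payment instrument or device fingerprint, and a union-find pass groups accounts whose combined link weight crosses a threshold into rings. It also covers the referral-fraud case from the promo abuse section: a referrer whose referees land in the same ring as them is flagged. The weights and threshold are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample accounts. In practice the identifiers would be hashed or
# tokenised before storage; plain strings keep the example readable.
ACCOUNTS = [
    {"id": "acct-1", "device": "dev-A", "ip": "203.0.113.10", "payment": "card-111", "referred_by": None},
    {"id": "acct-2", "device": "dev-A", "ip": "203.0.113.11", "payment": "card-111", "referred_by": "acct-1"},
    {"id": "acct-3", "device": "dev-A", "ip": "203.0.113.12", "payment": "card-111", "referred_by": "acct-1"},
    {"id": "acct-4", "device": "dev-B", "ip": "198.51.100.5", "payment": "card-222", "referred_by": None},
    # acct-5 only shares an IP with acct-4 (think hotel Wi-Fi): weak evidence on its own.
    {"id": "acct-5", "device": "dev-C", "ip": "198.51.100.5", "payment": "card-333", "referred_by": None},
]

# Constructed weights: a shared IP is weak (NAT, shared Wi-Fi); a shared payment
# instrument or device fingerprint is much stronger evidence of a common operator.
LINK_WEIGHTS = {"payment": 3.0, "device": 2.0, "ip": 0.5}
SUSPICIOUS_LINK_THRESHOLD = 2.0


def pairwise_link_scores(accounts: List[dict]) -> Dict[Tuple[str, str], float]:
    """Sum attribute weights for every pair of accounts that shares a value."""
    index: Dict[Tuple[str, str], List[str]] = defaultdict(list)  # (attribute, value) -> ids
    for a in accounts:
        for attr in LINK_WEIGHTS:
            if a.get(attr):
                index[(attr, a[attr])].append(a["id"])
    scores: Dict[Tuple[str, str], float] = defaultdict(float)
    for (attr, _value), ids in index.items():
        for x, y in combinations(sorted(ids), 2):
            scores[(x, y)] += LINK_WEIGHTS[attr]
    return dict(scores)


class DisjointSet:
    """Union-find over account ids, used to merge strongly linked accounts into rings."""

    def __init__(self, ids: Iterable[str]):
        self.parent = {i: i for i in ids}

    def find(self, x: str) -> str:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, x: str, y: str) -> None:
        rx, ry = self.find(x), self.find(y)
        if rx != ry:
            self.parent[ry] = rx


def find_rings(accounts: List[dict], threshold: float = SUSPICIOUS_LINK_THRESHOLD) -> List[List[str]]:
    """Return groups of two or more accounts connected by links at or above `threshold`."""
    ds = DisjointSet(a["id"] for a in accounts)
    for (x, y), weight in pairwise_link_scores(accounts).items():
        if weight >= threshold:
            ds.union(x, y)
    groups: Dict[str, List[str]] = defaultdict(list)
    for a in accounts:
        groups[ds.find(a["id"])].append(a["id"])
    return [sorted(g) for g in groups.values() if len(g) > 1]


def self_referral_suspects(accounts: List[dict], rings: List[List[str]]) -> List[str]:
    """Referrers whose referees sit in the same ring as them: likely self-referral."""
    ring_of: Dict[str, int] = {acct: i for i, ring in enumerate(rings) for acct in ring}
    suspects = set()
    for a in accounts:
        ref: Optional[str] = a.get("referred_by")
        if ref is not None and ref in ring_of and ring_of[ref] == ring_of.get(a["id"]):
            suspects.add(ref)
    return sorted(suspects)


if __name__ == "__main__":
    rings = find_rings(ACCOUNTS)
    print("rings:", rings)
    print("self-referral suspects:", self_referral_suspects(ACCOUNTS, rings))
```

Pairs are scored before they are merged so that weak edges (the shared hotel Wi-Fi IP between acct-4 and acct-5) never pull an innocent account into a ring, while several weak-to-medium links between the same two accounts can still add up to a flag. Rings found this way are candidates for manual review, not automatic bans.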
Keeping seasonality in mind
Travel can be highly seasonal, with peaks at different times of the year, especially around the holidays, spring break, summer vacation, etc. Because spikes in activity often correlate to spikes in fraud, it’s important to understand what these peaks look like for your business.
The lead-up to these spikes is also often a great time to revisit your anti-fraud strategy in order to make adjustments and continually optimize your processes.
Ask yourself: What’s worked in the past? What didn’t? What can be adjusted? What do you want to try? How can you better support your staff by ensuring they have the tools necessary to keep up during peak season?
Fighting travel fraud with Persona
As the travel and hospitality industries continue to consolidate and push what can be accomplished digitally, fraudsters will continue looking for ways to take advantage of the vulnerabilities that exist.
Here at Persona, we understand just how damaging identity fraud can be to your customers and business. That’s why we’ve developed a flexible suite of identity solutions you can use to mitigate these risks.
Pick and choose from government ID verification, document verification, selfie verification, and more to build the verification and reverification flows that make the most sense for your business. Collect passive and behavioral signals to enrich your understanding of who your customers really are, and leverage address lookups, phone and email risk verification, and other risk reports to paint a more vivid picture of your customers’ risk profile. Plus, our link analysis tool, Graph, will empower you to identify potentially fraudulent accounts and get more proactive about fighting fraud.
Interested in learning more about how Persona can help you address the identity challenges unique to the travel industry? Start for free or get a demo today.