The travel industry is under siege. The enemy has a thousand faces: down-on-their-luck princes who just want to share their wealth, shady ticket sellers in WeChat rooms, coders making pixel-perfect copies of real websites, and even real customers, all conspiring to be part of a multi-billion dollar nightmare for travel providers and their guests.
According to the 2016/2017 Kroll Global Fraud report, 85 percent of companies in the transportation, leisure and tourism sector were victims of fraud at some point in the 12 months surveyed. That’s higher than the global average for all industries, and 10 percent higher than it was in 2015.
While a portion of that fraud is internal, tour and activity providers also face a great deal of fraud perpetrated by outside actors. According to Phocuswright’s research, some 40 percent of industry members cite fraud as one of their biggest challenges.
It’s nearly impossible to keep your company completely safe from fraud. It’s endemic in the industry. A cost of doing business, a line item on an annual budget. That said, there are steps you can take to protect your tour and activities company from the worst of it.
1. Use a Payment Gateway
Credit card fraud is both incredibly common and challenging to avoid, but there are steps you can take to minimize your risk. The first line of defense against online booking fraud should be your payment gateway.
Fraudsters don’t often have stolen credit cards physically in hand — they have data stolen from card skimmers, online databases and other digital sources. Because of that, they may not have all the information needed to make an online booking through a payment gateway. A payment gateway can verify the cardholder’s billing address with an address verification system (AVS) and the card’s Card Verification Value (CVV), among other security measures.
For people trying to make fraudulent bookings without a card present, email and phone bookings are a great target, as are web bookings that are manually processed after the booking is complete. While it’s convenient to be able to take bookings in any circumstances, verifying cards through a gateway can save a lot of potentially expensive headaches.
Using a payment gateway also helps prevent another unfortunately common type of fraud: employee theft. Because payment gateways don’t expose full credit card details to merchants, you won’t need to worry about junior employees making off with customers’ money.
2. Watch for red flags.
Fraudulent bookings are distressingly common. Airlines and hotels have been plagued by them in recent years, and tour and activity providers are starting to see their impact in a big way, too.
Sometimes these scams are sophisticated, but fraudsters often leave fingerprints you can spot if you’re thorough. Taken alone, any of these red flags might be safe, but when you see combinations of them at work in individual bookings, be wary.
Last-minute bookings: The more lead time a scammer leaves between the time of booking and the time of the activity, the more chances there are for something to go wrong. A credit card may be reported stolen. A victim may realize they’re being scammed. If you don’t have time to verify, you probably won’t catch the fraud before it’s too late.
New customers: Of course, every business wants new customers — but if a suspicious booking comes in from someone who’s never booked with you before, it’s worth giving an extra moment’s scrutiny.
Card details don’t match anything else: There are many innocent reasons a customer may book under a name that doesn’t show up in a booking’s guest details. There are also a lot of shady reasons. If the name on a credit card doesn’t match the email address being used or any of the guest’s names, you may have a scammer on your hands.
Unusual payment methods: If a customer goes out of their way to make special payment arrangements, give the transaction extra scrutiny. If they want to send you a check or wire transfer for more than the booking’s value and ask you to send back the extra, run — overpayment scams are common and costly.
Multiple payment attempts: Sometimes, customers have financial issues and need to try more than one card to complete a booking. Sometimes, scammers need to run through a few cards to see which ones work. If you’re already uncomfortable with the legitimacy of a booking, this can be a big warning sign.
Unknown travel agents: While you might be alert to red flags from customer bookings, providers are a lot more willing to ignore irregularities when a booking comes from a travel agent. Unfortunately, some scammers have figured that out. Last year, Voyages G Travel lost $20,000 after scammers used one the name and contact information of one of their agents to put through a number of fraudulent bookings. Take a moment to confirm that a booking agent is who they say they are — it might save you a lot of headaches.
3. Verify, verify, verify.
Recognizing a red flag is step one. Step two is doing the legwork to figure out if a booking is legitimate.
PAXnews recommends a comprehensive approach to verifying a booking:
- Check the issuing bank: Enter the first six digits of a credit card at Binlist.net to see where it was issued. Is it from the same country as the booking?
- Look up the address: Google Maps can show you if there’s anything irregular about the customer’s billing address.
- Look up the phone number: Is the area code in the right country? Does a reverse lookup of the phone number match the address provided?
- Scout social media: Does the customer exist on social media? Does their profile raise any further red flags?
- Verify the card: Credit card companies can verify information about their cardholders, if everything else looks aboveboard.
4. Audit procedures.
External fraud may be memorable, but internal fraud is more common. According to Kroll, junior employees are responsible for fraud 39 percent of the time. For cybersecurity issues, it’s more often ex-employees. Either way, the issue is the same: the fraud is coming from inside the house.
Opportunistic fraud is a huge issue, but you can do a lot to minimize it fairly easily. Step one? Make sure no employee has access to more sensitive data than they need.
Booking platforms like Rezgo allow you to eliminate a lot of security weaknesses. With strong password policies and granular security groups, you can ensure that no one can get into anything they shouldn’t. Paper records are easy for employees to skim. Data restricted to secure accounts is much safer. Rezgo’s activity logs can also help you track down any suspicious activity.
Customer credit card data is particularly vulnerable to employee theft, so keep it safe. Use a payment gateway if you can, or ensure that only trusted employees have access to stored data. Finally, be sure to revoke ex-employees’ access to your servers and software the moment they’re out the door, if not sooner.
We all want to be able to trust our employees, but the numbers don’t lie: employees are a major source of fraud. Eliminate their opportunities, and you eliminate a lot of future strife.
And even if you trust your employees and vendors implicitly, keep your passwords to yourself. Hacked or fraudulent email accounts are everywhere, and the credit card number or sensitive password you send to a partner or support agent may wind up in the hands of bad actors.
Despite our best efforts, fraud happens. It can be frustrating, it can be damaging, but it’s no cause for shame or recrimination. All we can do is move forward, better educated and armed against future attacks.