Holiday Fraud and Popular Schemes

Posted by Roderick Chambers, CISSP, CISM

“Don’t take any wooden nickels!”—a lighthearted reminder to be cautious and not get scammed. Fraud is a prevalent issue, especially in the retail, travel, and hospitality industries. LexisNexis® conducted a retail and e-commerce survey of risk and fraud executives in the United States and Canada. The results revealed that for US merchants, in store and online, the cost of fraud increased by 7.3% in 2020 over 2019. In financial terms, every dollar of fraud now costs US retailers $3.36, compared with $3.13 in 2019. We can all do our part to fight fraud by filing a report with the Federal Trade Commission (FTC): every report filed helps investigations and alerts others to current trends. Let’s review a few industries hit by fraud and how we can be safer with e-commerce.

Airline Fraud

Airline fraud touches every point in the booking process and is often run by cybercriminals coordinating across the globe. Fraudsters posing as travel agencies offer legitimate online users flight tickets at discounts of up to 60% off the actual price, bundled with supplemental travel and hospitality services such as hotel bookings, car rentals and excursions.

Data breaches supply the usernames and passwords that cybercriminals buy on the dark web and replay against legitimate accounts. Fraudsters filter these dumps for accounts that hold airline miles. After logging in to a targeted account, they change the email address to one that closely resembles the original, so the change is less likely to be noticed. The next step is to change the secret questions and answers, which cuts the victim off from account recovery. Once these steps are completed, the cybercriminal navigates to the “My Rewards” and “Book a Trip” options to book trips. As many users have noticed, the rewards section of an airline site often redirects to an integrated vendor site that manages reservations paid with points. The fraudster reviews the trip details, then pays with the victim's miles, supplying the victim's first and last name and date of birth together with a fake email address and fake phone number.

Loyalty Programs

Loyalty programs are among the accounts most exposed to leaked credential collections. In the first half of 2020 alone, 540 data breaches were reported in the United States, and the credentials they expose feed attacks on loyalty programs. Loyalty programs and profiles hold a wealth of personal information and, in some cases, financial information. Consider a customer in the checkout line who forgets the password to his loyalty account. It is a familiar scenario during peak shopping hours at a long and frustrating checkout line: an unamused cashier waits while the customer struggles to log in. To avoid an embarrassing moment, the customer resets the account on a mobile device, recycles a familiar weak password, logs in, uses the points and forgets to change the password later. The recycled password is often already present in a leaked credential list, and these lapses in judgment are exactly what let fraudsters leverage data dumps to gain unauthorized access to customer accounts.

Fraud that involves the theft of personally identifiable information (PII) such as customer identification numbers, usernames and addresses, and of payment card data such as debit/credit card numbers and card verification values (CVV), leads to the exploitation of other sites. Abusing popular booking sites and customer-service channels, or fabricating hotels outright, lets fraudsters launder money and use stolen payment card data to obtain substantial discounts or refunds.

Honor among Fraudsters

On the dark web, fraudsters build credibility and legitimacy much as legitimate vendors do. False claims or unsuccessful transactions can get a seller banned, while satisfied buyers leave positive reviews on forums confirming successful transactions, boosting the fraud vendor’s reputation. To counter this, businesses must protect themselves by designing a fraud detection and prevention platform. Fraud prevention platforms use big data, machine learning and rule-based algorithms to assign fraud scores to users and their spending habits. With those scores and fraud intelligence, businesses can quickly separate legitimate transactions from fraudulent ones and weed out scams before they complete.
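The account-takeover sequence described under Airline Fraud (lookalike email change, then a security-question reset, then a miles redemption) and the fraud scoring described in this section can be put together in a small rule-based scorer. The following is an added example, not code from the original post or from any vendor platform; the event names, field names, weights, 24-hour window, step-up threshold and the sample event log are all constructed assumptions for illustration.

```python
"""Rule-based fraud scoring of loyalty-account events for account-takeover signals.

Added example, not from the original post. Event kinds, weights, the window and
the threshold are assumptions; the sample events below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from difflib import SequenceMatcher


@dataclass
class Event:
    ts: datetime
    kind: str          # "login", "email_change", "security_qa_change", "reward_booking"
    ip: str
    data: dict = field(default_factory=dict)


def email_similarity(old: str, new: str) -> float:
    """Similarity ratio in [0, 1]; 1.0 means identical (case-insensitive)."""
    return SequenceMatcher(None, old.lower(), new.lower()).ratio()


def is_lookalike(old: str, new: str, threshold: float = 0.85) -> bool:
    """A new address that is not identical but very close to the old one (e.g. 'm' -> 'rn')."""
    return old.lower() != new.lower() and email_similarity(old, new) >= threshold


# Assumed weights; a production system would tune or learn these from labelled cases.
WEIGHTS = {
    "unknown_ip": 15,
    "email_change": 15,
    "lookalike_email": 25,
    "qa_change_after_email_change": 20,
    "booking_after_profile_change": 30,
}
STEP_UP_THRESHOLD = 60  # assumed: at or above this, require step-up verification


def score_account(events, known_ips, window=timedelta(hours=24)):
    """Return (score, reasons) for one account's recent events. Higher is more suspicious."""
    score, reasons = 0, []
    events = sorted(events, key=lambda e: e.ts)
    if any(e.ip not in known_ips for e in events):
        score += WEIGHTS["unknown_ip"]
        reasons.append("unknown_ip")
    last_email_change = None     # timestamp of the most recent email change
    last_profile_change = None   # timestamp of the most recent email or Q&A change
    for e in events:
        if e.kind == "email_change":
            score += WEIGHTS["email_change"]
            reasons.append("email_change")
            if is_lookalike(e.data["old"], e.data["new"]):
                score += WEIGHTS["lookalike_email"]
                reasons.append("lookalike_email")
            last_email_change = last_profile_change = e.ts
        elif e.kind == "security_qa_change":
            if last_email_change and e.ts - last_email_change <= window:
                score += WEIGHTS["qa_change_after_email_change"]
                reasons.append("qa_change_after_email_change")
            last_profile_change = e.ts
        elif e.kind == "reward_booking":
            # Redeeming miles shortly after recovery details were changed is the ATO tell.
            if last_profile_change and e.ts - last_profile_change <= window:
                score += WEIGHTS["booking_after_profile_change"]
                reasons.append("booking_after_profile_change")
    return score, reasons


def decision(score: int) -> str:
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"


# Constructed sample data (documentation IP ranges, fictitious addresses).
KNOWN_IPS = {"203.0.113.7"}
T0 = datetime(2021, 11, 20, 9, 0)
TAKEOVER = [
    Event(T0, "login", "198.51.100.23"),
    Event(T0 + timedelta(minutes=2), "email_change", "198.51.100.23",
          {"old": "jane.doe@example.com", "new": "jane.doe@exarnple.com"}),
    Event(T0 + timedelta(minutes=4), "security_qa_change", "198.51.100.23"),
    Event(T0 + timedelta(minutes=10), "reward_booking", "198.51.100.23", {"miles": 60000}),
]
LEGIT = [
    Event(T0, "login", "203.0.113.7"),
    Event(T0 + timedelta(minutes=5), "reward_booking", "203.0.113.7", {"miles": 25000}),
]
LEGIT_EMAIL_CHANGE = [  # genuine email change, booking a month later: outside the window
    Event(T0, "login", "203.0.113.7"),
    Event(T0 + timedelta(minutes=1), "email_change", "203.0.113.7",
          {"old": "jane.doe@example.com", "new": "jane.d@newmail.example"}),
    Event(T0 + timedelta(days=30), "reward_booking", "203.0.113.7", {"miles": 25000}),
]

if __name__ == "__main__":
    for name, evs in (("takeover", TAKEOVER), ("legit", LEGIT), ("legit_email_change", LEGIT_EMAIL_CHANGE)):
        s, why = score_account(evs, KNOWN_IPS)
        print(f"{name}: score={s} decision={decision(s)} reasons={why}")
```

The design point is that no single event is damning: a customer may legitimately log in from a new network, change an email address, or redeem miles. The score rises only when the recovery details are changed and the points are spent inside one short window, which is the pattern the airline section describes; the lookalike check catches the visually similar address that a victim would overlook in a notification.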

The average person does not have a clue how easy it is to obtain sensitive information about them on the dark web. To perform identity theft, a cybercriminal needs only a person’s name, address and birth date, and social media is a treasure trove of information for fraudsters.

When shopping online, proactive customers can enter a decoy birth date in retail profiles that do not need the real one for identity verification, keeping the valid date private. Correct privacy settings on social media profiles deter fraudsters from harvesting likely answers to challenge questions. Always keep in mind that low-hanging fruit keeps the barrier low and lets scammers in with little or no detection.

Roderick Chambers, CISSP, CISM

Information Security and Intelligence Advisor, New York State Department of Financial Services


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
