The growing challenge of travel industry email fraud

Published on the 27/11/2015 | Written by Theo Noel


The popularity of internet travel bookings is attracting attention from cybercriminals keen to nab a share of the proceeds…

Australians and New Zealanders love to travel, and increasingly we love to book our travel online. However, that opens up the potential for cyber criminals to compromise the booking process, and one of the biggest areas of threat is fraudulent email. Using a variety of techniques, cyber criminals are attempting to trick customers into revealing personal information that can allow them to undertake false transactions.

The situation is exacerbated by a low level of action by travel companies. Recent research conducted by Return Path found that fewer than one in four of the world’s top travel companies is protecting customers from outbound email attacks such as phishing and spoofing.

The lure for fraudsters
The online travel sector is attractive to email fraudsters for a variety of reasons. One is the large volume of personal information involved. Regulations prohibit firms from selling products anonymously, so the sector is required to collect a variety of personal details which include full names, birth dates, mailing addresses, phone numbers and credit card details.

The value of travel booking transactions also makes the sector attractive to cybercriminals. Where other types of online purchases might be in the tens or hundreds of dollars, it is not uncommon for travel bookings to be in the thousands.

Growing security challenges
The online travel industry faces a range of security challenges including the risk of stolen data, the manipulation of loyalty schemes and phishing scams. Factors exacerbating these challenges include:

  • Reward scheme anonymity: Reward points are far less risky for fraudsters than credit cards because, once you exchange them for gift cards or products, they are harder to trace. Gift cards can also be exchanged for cash.
  • Lax security: Many reward schemes have limited security, requiring little more than an email address and PIN (which can be easy for a fraudster to acquire). With access, points can be used as virtual currency in a range of ways.
  • Fake booking sites: Fake booking websites are being established by fraudsters. Phishing emails are used to drive consumers to these sites where credit card details can be harvested.

The role of outbound email
Many threats arrive in the form of emails that appear to have come from a legitimate source, so minimising the potential for this to occur is vital. Travel operators can protect their customers by securing outbound email.

Two of the key email methods used by cybercriminals are brand spoofing and domain spoofing. Brand spoofing uses a range of tactics to trick customers into thinking an email is legitimate and has come from a reputable brand. Messages are likely to include convincing logos and have the same look and feel as an authentic message.

Domain spoofing involves creating emails that appear to have come from a legitimate company’s email address. Customers replying to the message, however, will be unwittingly sent to a fake site where personal details can be stolen.

Overcoming the email challenge
With email a primary way for travel companies to interact with customers, implementing proper security to reduce the likelihood of fraud is essential. Best practices for secure email include:

  • Authentication using a trusted and effective standard. Standards include SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance). DMARC is the most effective as it ensures fraudsters cannot send emails from any illegitimate domains.
  • Email threat intelligence reports to be aware of new attacks and incidents of brand spoofing.
  • Customer education. Regardless of the tools put in place, some fraudulent email will make it through. Alerting customers about what to look out for is important in any security campaign.

By following these steps, travel companies can minimise the risk of their customers falling victim to cyber criminals. Customers will be able to continue making internet bookings while remaining confident that they are interacting with a legitimate business.

ABOUT THEO NOEL

Theo Noel is ANZ regional director at Return Path.
