a case study by the fraud intelligence network, and the

A CASE STUDY BY

THE FRAUD INTELLIGENCE NETWORK, AND

THE NATIONAL FRAUD INTELLIGENCE BUREAU

AVOIDING PAYMENT FRAUD WITHIN THE UK TRAVEL INDUSTRY

RISK FACTORS A case study to help eliminate credit card charge-backs

2

Fraud Intelligence Network – Travel Fraud Case Study

CONTENTS

About This Case Study 3 Foreword 4 NFIB & PROFiT 5 Key Findings 6 Payment Fraud 7 Travel Fraud Case Study 8 The Case Study Results 9 How to Use the Case Study Results 18 Third Party Facts 19 About the FIN Intelligence Tool 20 About the NFIB 21 Contact us 22

© Copyright 2013

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, nor translated into any human or computer language, in any form or by any means, electronic, mechanical, optical, chemical, manual or otherwise without the prior written consent of FI Network, 23 Wansbeck Court, Waverley Road, Middlesex. EN2 7BS .

Copyright © FI Network www.finetwork.co.uk

3

ABOUT THIS CASE STUDY This case study is based on over 50,000 booking records from 52 leading travel companies within the UK. The participants included accommodation providers, airlines, financial institutions, hotels, holiday lettings, online travel agencies, retail travel agencies, and tour operators. The study was carried out during November and December 2012 by F I Networks Ltd using the FIN counter fraud Intelligence Tool to analyse the data.

The data has been analysed in th is report , wi th detai led commentary. The key f indings are that t ravel f raud has moved onl ine and is most ef fect ively perpetrated remotely. Fraudsters are general ly wel l organised working col laborat ively and rarely at tacking a s ingle t ravel company at any one t ime so that businesses which share f raud data are in a bet ter posi t ion to resist at tack than those working a lone. Common indicators exist in f raud bookings that ident ify h igh r isk factors these can be used to bui ld a ‘matr ix’ of threats which can be used to re ject attempted f raudulent bookings. Our expert ise a l lows us to provide t ravel companies with a pract ical and commercia l approach to protect ing revenue in the context of today’s chal lenging marketplace. This report expla ins the issues in a stra ightforward way to help you to f ind pragmat ic solut ions so that you can form an ef fect ive counter f raud strategy.

Financial Fraud Action UK

Payments made by credi t and debi t cards accounted for the vast major i ty of f raud transact ions. During 2012 across the whole t ravel industry Financia l Fraud Act ion UK reported that domest ic f raud was more prevalent than cross border t ransact ions.

4


FOREWORD

Very few frauds are chance actions; the vast majority are organised and carried out deliberately and systematically by people who make a career from cheating others. Many fraud case studies and reports have been published over the years; this is the first case study that looks within the travel industry in conjunction with the Police. This report looks at payment fraud within the travel industry. The cost to business because of fraud is growing both in terms of actual losses and the systems companies deploy to prevent fraud. Every company should identify the elements of high risk transactions so that they can recognise them and apply additional checks to avoid being caught. This snapshot of the UK travel industry has been made using the FIN Intelligence Tool and it shows how fraudsters will deploy the same elements against a number of different businesses. This allows companies to work together to pick up these repeated factors and defend against the attack. Sharing fraud data is essential if companies are to minimise successful fraud attacks, and it is clear that the parameters identified in this report will be a valuable resource to travel companies in their fight against payment fraud.

David Rose Operations Director and Owner FI Network Ltd

Find out more about the FIN Intelligence Tool and how you can take part in a case study on p20


5

Barry Gooch Chairman PROFiT Ltd www.profit.uk.com

Detective Superintendent David Clark Director of the NFIB

NFIB & PROFiT

National Fraud Intelligence Bureau

I am delighted that the travel industry and NFIB relationship is growing from strength to strength. Working alongside PROFiT and making best use of harvesting and sharing of intelligence between the FIN intelligence tool and the NFIB ‘Know Fraud’ database, marks significant progress in public private intelligence sharing for the greater good of protecting UK citizens and businesses from fraud. These ground breaking efforts make a giant step towards making the UK a more hostile place to commit fraud, and a safer place to live and conduct business, which has to be our ultimate aim.

Prevention of Fraud in Travel

The travel industry is one of the largest sectors within the UK by turnover. Long ago fraudsters recognised the vulnerability of this vast industry to fraud. The move from shop transactions to remote ones has made companies more vulnerable and increased the value of successful fraud attempts.

Travel companies have invested in counter fraud software of the 3rd party verification type, and adopted 3D secure in order to tackle fraud. However many find that the only way of effectively reducing fraud is to set the rules for high risk transactions very high so that the company rejects a large number of good bookings causing loss of revenue. In many cases payment fraud experienced by the industry derives from Organised Crime Groups that are continually testing and probing company’s defences in order to find a way through. Once successful these groups share the knowledge with other groups.

Systematic sharing of fraud data is essential if the industry is to effectively tackle fraud as this case study demonstrates.

www.cityoflondon.police.uk/CityPolice/Departments/ECD/NFIB/

6


KEY FINDINGS

76% of telephone

numbers linked to two or more

records

53% of payment

cards linked to two or more fraudulent

transactions

85% of Post Codes

used for fraud were in

London

99% of fraud

bookings were online

33% of IP addresses linked to two or more records

10% of fraudulent

email addresses

linked to two or more records

183 email

addresses were in three or more

fraudulent transactions

75% of domains

used for fraud were .com or

.co.uk


7

PAYMENT FRAUD Payment fraud occurs when a company processes a pay ment from an individual in return for a product or service but t he ‘customer’ has no intention of honouring the payment. The company provides the product or service but the payment is rejected.

IDENTITY THEFT Commonly payment fraud in travel occurs when a persons’ identity is taken over. The true owner may have paid for something elsewhere and unknowingly had their identity cloned. Alternatively they may have had their payment card stolen or misused by someone who knows their identity. The fraudster who has taken on the person’s identity uses it to make payments for travel using the true person’s identity. 3rd party verification tools help prevent this type of fraud, but are not fool proof.

DISHONEST INTENT Another form of fraud that occurs within travel is where a group of individuals make travel arrangements paying through one person’s credit card. When the group returns from the holiday the payment is cancelled and received as a ‘charge back’ by the travel company. The group will do exactly the same thing against other travel companies with a different person within the group making the payment and ‘charge back’ each time.

In this case the person making the payment is the legitimate owner of the identity and payment method, but they never intend to pay for the product. No 3rd party verification tool will pick this type of fraud up as they concentrate on the person making the payment who in this case has no genuine intent to pay.

INTERNAL FRAUD Where companies do not set up systems adequately, homeworkers and employees are able to note down the payment card details of a consumer when taking or processing payment and subsequently use the harvested details to commit fraud, or, to sell them onto Organised Crime Groups for fraud use.

Perhaps the most difficult payment frauds to detect are those that occur within the company and against the employer. This fraud arises because processes allow payments and refunds to be made by the same employee. It is relatively common in these circumstances to find that the employee will ‘refund’ passengers to their own or a friend’s bank account. Similarly an employee may take a booking which is not recorded on company systems requiring cash payment at ‘the door’.

8


TRAVEL FRAUD CASE STUDY Participants provided records of payment fraud that arose during the previous 18 months. The data was loaded into the FIN Intellige nce Tool which carried out the detailed analysis that is the subject of this repor t. The data was ingested via the FIN Intelligence Tool into the NFIB. All of the da ta was collected and processed in accordance with the Data Protection Act and its principles.

Fraud data is not commercial data. The results from this case study confirm that the best way to tackle payment fraud in travel is to work collaboratively with other organisations and share data amongst each other and the police. The travel industry can do much to help itself by working with the police through bodies such as PROFiT, enforcement action becomes a possibility. The case study proves that fraudsters make use of the same payment cards; IP addresses; email addresses; and telephone numbers to make multiple transactions against different companies. Once this is understood, the sharing of fraud data amongst companies in order to thwart the fraudsters makes sense. The FIN Intelligence Tool used for this case study has been designed and built to process and analyse data for any industry and to facilitate data sharing from sector to sector. FIN distinguishes between suspicious activities and confirmed frauds and is set up to automatically report confirmed frauds into the NFIB taking data sharing beyond the industry using it.

In addition to providing the findings for this report; all of the fraud data gathered for this case study has been ingested into the NFIB and is being processed to identify Organised Crime Groups that meet the criteria for enforcement action.

Fraudsters share data, are organised and persistent, their organisation and big money mean that individual companies will find it almost impossible to resist them indefinitely. Typically Organised Crime Groups will continually test a company’s systems, unknown to the company, until they find a way through. Once they find a way in they will either go on to commit further fraud, or more typically share the gateway path with others. This is why a travel company can trade without fraud for a period of time, but when a fraud does occur it is often accompanied by several others. The average booking value of a fraud transaction identified in this study is £407. But when accompanied by several others the value will be several thousands.


9

TOP TIP: Call centre bookings are usually reviewed by a sale s consultant during the booking process, so why not apply the same checks to online bookings? Review online and manually processed bookings

THE RESULTS

Set out on the following pages are the results of the case study classified by the following subjects: Order Type; Payments; BIN Number; Destination & Dep arture Points; Emails and Domains; Location; and Other Data .

Each section begins with a brief commentary setting out the salient facts whilst the majority of sections list the top 10 entries within that category. Generally there will be a large number of records in each category, but the report concentrates on the top 10 most prevalent records in their class. The top 10 are ordered with the most prominent record at the top colour coded and identified by a letter of the alphabet that together identify their corresponding representation on the accompanying ring graph. The ring graph gives the reader an idea of the relative prevalence of each class within the top 10 to each other. Every section also has a ‘TOP TIPS’ Card which has practical advice on measures to reduce the risk from the respective element it is referring to.

ORDER TYPE Although there are signs that the traditional package holiday is recovering in the marketplace, it is no surprise that flight only and hotel only bookings make up 92% of overseas fraudulent bookings in the case study. The FIN Intelligence Tool identified that 99% of fraud bookings took place online.

• Hotel (Overseas) only booking: 64%

• Flight only booking: 29%

• Hotel (UK) only booking: 7%

• Car Hire booking: 0.2%

• Package Holiday booking: 0.05%

99% of fraud

bookings were online

10


Flights

HotelsOverseas

Car Hire

Hotels (UK)

A

B

CDE

F

GH

I J

TOP TIP: When reviewing potential bookings as well as consid ering the potential profit; remember that any chargeback will be for the total value of the booking and not just the profit. £100 profit on a £1000 booking sounds good, but a £ 1000 chargeback equals a bad decision

PAYMENTS The total value of fraudulent bookings identified by the FIN Intelligence Tool in this study was £19,665,152.

The case study identified that:

• Average flight booking : £472.32

• Average hotel booking (overseas): £461.76

• Average car hire booking: £302.98

• Average hotel booking (UK): £124.52 The average fraudulent booking was £407.11

Over 1400 different BIN codes were associated with fraudulent transactions by the FIN Intelligence Tool within the case study. The top ten BIN codes were all from within the UK.

The top 10 BIN’ were: A. 529930 – MasterCard (HSBC) B. 465943 – VISA (HSBC) C. 492181 – VISA (Lloyds/TSB) D. 454313 – VISA (Nationwide) E. 465942 – VISA (HSBC) F. 542011 – MasterCard (HSBC) G. 446278 – VISA (Bank of Scotland) H. 543460 – MasterCard (HSBC) I. 518652 – MasterCard (RBS) J. 412985 – VISA (MBNA)

BANK IDENTIFICATION NUMBER (BIN)


11

A

B

CD

E

F

G

HI

J The top 10 Overseas BIN’ s were:

A. 424631 – VISA (JP Morgan) (USA) B. 426588 – VISA (United Overseas Bank) (Singapore) C. 446272 – VISA (Barclays Bank) (Gibraltar) D. 515599 – MasterCard (HSBC) (USA) E. 439225 – VISA (China Merchant Bank) (China) F. 451297 – VISA (HSBC) (Singapore) G. 456605 – VISA (UFJ) (Japan) H. 517805 – MasterCard (Capital One) (USA) I. 458097 – VISA (Israel Credit Cards) (Israel) J. 513141 – MasterCard (Europay France) (France)

The FIN Intelligence Tool identified that the highest risk came from UK payment cards with the top overseas payment card originating from JP Morgan (number 15 overall). There was a MasterCard/Visa split of 63%/37%.

Top 5 Overseas BIN Origin Countries

• USA • Singapore

• Japan

• Israel

• China

53% of payment

cards linked to two or more fraudulent

transactions

12


A

B

CDE

F

G

HI J

A

B

CD

E

F

G

HI J

Over 185 different flight destinations were associated with fraudulent transactions by the FIN Intelligence Tool.

The top 10 Overseas Flight Destinations were: A. Tenerife B. Dalaman C. Antalya D. Lanzarote E. Banjul F. Fuerteventura G. Sharm El Sheikh H. Gran Canaria I. Hurghada J. Tunisia

The top 10 Hotel Destinations were: A. Egypt B. Morocco C. Turkey D. Tunisia E. Tenerife F. Germany G. Dubai H. Spain I. Cyprus J. Ibiza

TOP TIP: Analysis of the destinations of your fraudulent boo kings will show they reflect your top selling destination s, but there will be some hotspots where vigilance is requ ired, consider flagging such bookings for review.

Consider flagging high risk destinations for review .

DESTINATIONS AND DEPARTURE POINTS


13

A

BC

D

E

FGH I J

A

BC

D

EF

GH I J

The top 10 UK Departure Points were: A. Manchester B. Gatwick C. Glasgow D. Birmingham E. Newcastle F. East Midlands G. Bristol H. Belfast I. Cardiff J. Stansted

EMAILS AND DOMAINS 999 unique domains were associated with fraudulent transactions by the FIN Intelligence Tool of which 90% were .com and .co.uk. 10% of the domains were based outside the UK. 75% of domains were Yahoo, Hotmail or Google email

accounts.

The top 10 Domains were: A. yahoo.com B. hotmail.com C. gmail.com D. hotmail.co.uk E. yahoo.co.uk F. aol.com G. yahoo.fr H. btinternet.com I. ymail.com J. live.com

The most common

email address was found in

54 records

The Most Common Top Level Domains are: • 35% - Yahoo – 44 million users in Europe

• 25% - Hotmail – 108 million uses in Europe

• 24% - Other

• 16% - Google – 75 million users in Europe

14


A

B

CDEFGHIJ

The top 10 Top Level Domains were: A. .com B. .co.uk C. .fr D. .es E. .it F. .net G. .de H. .ca I. .br J. .org

TOP TIP: 10% of fraudulent email addresses were used in anot her fraudulent booking making it clear that attention n eeds to be paid to email addresses when reviewing a booking . Have a system in place to monitor duplicate email a ddresses against new bookings

LOCATION DATA When processing the data through the FIN Intelligence Tool IP addresses originating in 88 different countries were found, but 72% of them were linked to the USA and UK. 64% of UK IP addresses originated from London. The most common IP address was found in 46 records.

66 IP addresses were found in 5 or more records

185 IP addresses were found in 3 or more records.

33% of IP addresses linked to two or more records


15

A

BCD

EFGHI J

A

B

CDEFGHIJ

The top 10 UK IP Addresses were: A. London B. Maidenhead C. Manchester D. Birmingham E. Ipswich F. Newbury G. Ilford H. Northampton I. Berkshire

J. Leicester

TOP TIP: Cross reference location data such as Post Codes, IP addresses and Bank Identification Numbers (BIN).

UK Post Code + Spanish IP address + USA BIN = High Risk Booking

The top 10 IP Address Countries were: A. United States of America B. United Kingdom C. Mexico D. Netherlands E. Malaysia F. Spain G. South Africa H. Canada I. France J. Indonesia

The FIN Intelligence Tool confirmed that UK Post Codes are the most frequently used for travel fraud. In the case study UK Post Codes accounted for 94% of records with 17 of the 20 most frequently occurring Post Codes/Zip Codes being in the London Area.

16


A

B

C

DE

F

G

H

IJ

A

B

C

DE

F

G

H

IJ

The top 10 Post Codes/Zip Codes were: A. Stratford – E15 B. South Woodford – E18 C. Harlesden – NW10 D. Kidderminster – DY12 E. New Cross – SE14 F. Sleaford – NG34 G. Streatham – SW16 H. Archway – N19 I. Barking – IG11 J. Broxbourne – NW19

The top 10 UK Post Code Areas were: A. East London B. Birmingham C. North London D. South East London E. Manchester F. Glasgow G. North East London H. Nottingham I. South West London

J. North West London

OTHER DATA The time lag between the booking and the fraudster actually taking the service is the booking lead time.

• The Average booking lead time was 3.5 days

• Flight only booking lead time was 10.5 days

• Hotel (Overseas) booking lead time was 5.5 days

• Car Hire booking lead time was 5 days

• Hotel (UK) booking lead time was 2.5 days

85% of Post Codes

used for fraud were in

London


17

TOP TIP: With the trend of fraud booking being booked last minute establish a system to review such bookings.

Identify and check last minute bookings

Fraudsters will often vary their IP address and email address to hide who they are but they tend to use the same telephone number.

• 90% of records were for mobile telephones

• 10% of records were linked to landline telephones

• 76% of telephone numbers were linked to 2 or more records

• The most common telephone number was found in 57 records

TOP TIP:

Fraudsters tend to use the same telephone number repeatedly Have a system in place to identify duplicate teleph one

numbers

76% of telephone

numbers linked to two or more

records

18


HOW TO USE THE CASE STUDY

The FIN Intelligence Tool has identified a number o f parameters that were found to be connected to fraud in data from 52 unconnected busi nesses within the travel sector. Time and again the same piece of data was repeated in other companies records related to a fraud. This shows how organised and m ethodical the attacks on business really are. So how do you make use of that informa tion?

Every company needs to be aware that it is under attack in relation to payment fraud. The results from this case study confirm that the best way to tackle payment fraud in travel is to work collaboratively with other organisations and share data amongst themselves and the police. However as well as sharing the fraud data with other travel companies and the police, businesses can take a number of steps themselves to defend themselves. The good news is that these steps need not cost much money to implement. The first thing every company should do is to carry out regular fraud audits on its transactional data. Specifically, companies should try and identify unusual transactions such as a number of repayments to a single payment card. Use the fraud audit to identify fraudulent bookings and to analyse each one to see whether any of the parameters we have used show up. For travel companies the case study data can be used to supplement this information. Company policies should ensure that no single staff member can make payments and also process bookings. All staff that deal with money should be properly managed and supervised.

Use the parameters we have identified to identify what a high risk is booking. Make sure you are then reviewing high risk bookings to recognise potential frauds. Do not take unnecessary risks. The profit margin on a booking is less than the cost of a fraud. Use the same parameters that we have to identify the areas that you should monitor and share with the police and industry partners. Use 3rd party verification tools to help you identify genuine customers from fraudsters. Do not place over reliance on this technology as there is no single solution to payment fraud. Report all fraud to the police using Action Fraud via www.actionfraud.police.uk. If you do not report it, the police cannot see the complete picture of fraud activity and identify the major crime networks and organised crime gangs. Make sure you are joined up to a free fraud alert service. www.profit.uk.com offers free alerts which are used by organisations worldwide. Train your staff to identify fraudulent activity and high risk transactions.


19

THIRD PARTY FACTS

“£87 billion was spent online during 2012, representing a 14% increase year on year.” Marketing Week

“48% of people that booked an overseas holiday during 2012 booked it as a package holiday.” ABTA

“Slough was the ID fraud hotspot in the UK during 2012, with residents being four times more likely to be targeted by fraudsters than the national average.” Exper ian

“During 2012 total fraud losses on UK cards was £388 million, of which £245 million related to card holder not present (CNP) fraud” UK Card Association

“In 2012 UK residents made 50.3 million visits abroad.”

Office of National Statistics

“65% of all fraud cases reported in 2012 by CIFAS members required ID theft to enable them.” CIFAS

“During 2012, 7p in every £100 was lost to fraud as a proportion of the amount spent on cards during 2012”

UK Card Association

“The total fraud loss in the UK during 2012 was £73 billion”

National Fraud Authority

“Between April 2011 and September 2012 77% of reported fraud related to banking and payment fraud.”

NFIB

“4.5% of UK Card owners were victims of credit card fraud during the year ended September 2012.” Crime Survey for England & Wales

“Cybercrime could cost small UK firms £785 million a year” Federation of Small Businesses

20


ABOUT THE FIN TOOL Most counter fraud tools on the UK market rely upon third party data of varying quality. The FIN Intelligence Tool is a tr ue intelligence tool which ingests information and then applies analytical pro cesses to identify fraudulent data. Designed to handle payment data a nd much more besides FIN has been specifically built to be the hub into the NFIB for any industry.

Existing fraud detection services typically use only a small subset of the information available from a multitude of sources to combat fraud. FIN is capable of analysing all data in real time. The most effective counter-fraud approach relies on the largest possible reporting community providing a known standard of data that can be relied upon 100%. The FIN counter fraud tool is a true intelligence tool which has a number of unique features making it the only truly ‘next generation’ solution to fraud and crime. This tool is now available to protect your organisation. To find out how FIN can help you contact us at: [email protected]

FIN works to the same intelligence gathering standards as the Police and can automatically report crime directly into Police systems. In addition it is compatible with the architecture of the National Fraud Intelligence Bureau (NFIB). Within the tool is a secure community environment where users can seek help from other users and explore unusual patterns of events in confidence. The system features very secure links between the systems and users and also the National Fraud Intelligence Bureau. All users are trained to ensure integrity and security is maintained. As a true intelligence tool FIN is capable of acting as a secure hub for any industry sector. This means that organisations can work cooperatively using the FIN tool to protect their industry sector safe in the knowledge that they will obtain advance notice of issues arising in other sectors.

NETW ORKS

SECURITY

INDUSTRY HUB

UK POLICING


21

ABOUT THE NFIB

The National Fraud Intelligence Bureau (NFIB) is th e national fraud intelligence hub which accepts fraud data from a wide range of p rivate and public sector sources, police forces and the public. This data i s processed using data analytics and a skilled team of data analysts who g enerate a wide range of outputs used for prevention and enforcement. The NFIB’s purpose is to:

• Make effective us of intelligence from fraud victims across the UK (be they individuals, businesses or the public purse) – exploiting such information to help; alert, educate, and protect; find new and effective ways to engineer out the threat from fraud; and positively influence the UK’s limited enforcement resources to tackle fraud crime.

• Harvest, process and analyse fraud data to provide actionable intelligence to the UK counter fraud community, promoting a better understanding of fraud, including themes and trends in order to inform more focussed, collaborative prevention and disruption.

• Develop and allocate crime packages to facilitate local, regional and national police functions and other law enforcement agencies’ investigations into the most harmful instances of fraud-linked criminal activity.

• Achieve an improved and effective response to organised fraudsters by adding value to the knowledge and understanding of organised crime groups directly and indirectly related to fraud crime through its connectivity with the Organised Crime Co-ordination Centre.

Since its inception in 2008, the NFIB has achieved much but will now be looking to improve relationships with existing data providers, improve constraints written into original data provider contracts and reform it’s business processes. The aim is to generate an even richer fraud intelligence picture, more effective prevention disruption activity and a higher return on investment.

22


Contacts

National Fraud Intelligence Bureau (NFIB) Url: www.nfib.police.uk

Fraud Intelligence Network (FIN) Email: [email protected] Url: www.finetwork.co.uk

Prevention of Fraud in Travel (PROFiT) Email: [email protected] Url: www.profit.uk.com

TO REPORT A FRAUD Action Fraud Url: www.actionfraud.police.uk Telephone: 0300 123 2040 Phone lines are open: Mon to Fri – 8am to 9pm Sat to Sun – 9am to 5pm Closed Bank Holidays Calls charged at local rate (0300 phone numbers cost the same as a call to local landline numbers, even from a mobile phone).

© Copyright 2013

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, nor translated into any human or computer language, in any form or by any means, electronic, mechanical, optical, chemical, manual or otherwise without the prior written consent of FI Network, 23 Wansbeck Court, Waverley Road, Middl esex. EN2 7BS .

Cover image credit: <a href='http://www.123rf.com/photo_3804474_2d-illustration-of-a-flat-world-map-hovering-over-a-wireframe-globe-with-navigational-markings-aroun.html'>norebbo / 123RF Stock Photo</a> Aircraft Image credit: <a href='http://www.123rf.com/photo_13553590_airplane-lifting-up-on-the-runway-with-white-sky.html'>fabian19 / 123RF Stock Photo</a>

a case study by the fraud intelligence network, and the

Documents