There is no single script when it comes to travel fraud, but rather different tracks that overlap and intersect with each other. To simplify the complexity involved in this trade, this crime scripting exercise divides the ‘universal script’ into three ‘Acts’. The first Act relates to ‘preparing to travel’, and encompasses the preparation, entry, and pre-condition scenes. The second Act, ‘the middle-men and their methods’, includes the scenes relating to instrumental pre-condition, instrumental initiation, instrumental actualisation, and doing. The final Act, ‘(attempting to) travel’, includes the post-condition and exit scenes. Each Act consists of different tracks and actors, which provide options for how the script may develop (like a ‘choose your own adventure’ book).

ACT 1: Preparing to travel

The main objective in preparing to travel is to purchase a flight ticket from a travel service provider.

Actors: Victim traveller; complicit traveller; mule handler; human smuggler/trafficker; re-seller

There are five main actors identified as preparing for travel, two are actual travellers, and three are preparing others’ travel. The two travellers are distinguished by either being a victim traveller, who is unaware the ticket has been obtained fraudulently, and a complicit traveller, who is aware. One participant estimates victim travellers account for five to 10% of those travelling on fraudulently obtained tickets, although, as will be discussed, this can be hard to verify:

From the perspective of people that are purchasing them, and this is our finding based on the actions so far, between 90 and 95% of the travellers were fully aware, or at least should be aware that it’s criminal activity. Between 10, but we think it’s more close to 5% of the people, were really cheated, either online travel agency or the criminal service was organised so well they were not able [...] to recognise that it’s actually criminal activity behind (participant LE1).

The third and fourth actors are the mule handler and human smuggler/trafficker, who are organising travel on behalf of others. The actors travelling on these tickets, the mules, smuggled and trafficked, will enter the script in Act 3. Human smugglers facilitate the movement of people from one place to another, however those travelling are doing so voluntarily (e.g. illegal immigration or seeking asylum). On the other hand, human traffickers coerce, threaten, force, or deceive those they are transporting (e.g. sexual or labour exploitation). The fifth actor is the re-seller, who purchases the tickets and sells them to others, most likely other victim travellers, mule handlers or human smugglers/traffickers.

Track: Online blackmarkets

There was evidence that complicit travellers, mule handlers, and re-sellers use online blackmarkets. There was no evidence that human smugglers/traffickers are buying tickets here, although the possibility remains. These actors are, or should be, aware the tickets available on these blackmarkets are obtained fraudulently. Advertisements for travel services, along with feedback from others who have done, or attempted to do, business with them are listed. Buyers liaise with the seller, who will typically ask them to provide them with a screenshot (an image file) of the booking they require, as well as the details of those travelling. An example advertisement is:

Greetings to the community. We are a team of profesionals at the travel industry who have been in business for over 2 years with resellers all over the globe. Now we want to expand our business offering our worldwide travel services for flight and hotel bookings to the […] community. Offering the opportunity to its members to enjoy life to the fullest and make their dreams come true using our services to get in a travel adventure to a exotic beach a weekend on a 5star resort a getaway with your beloved ones. Be my guest to try our services to get the best out of a trip in a healhty safe and affordable way […] Live the life of a Highroller that you deserve enjoy life to the fullest and travel the world with your beloved ones sharing memories that will last for a lifetime! Benefits of booking with us. Great and affordable experiences with worldwide flights and hotels at 25% of retail valie. Our customers safety and satisfaction is our #1 priority! Friendly customer support active on ICQ/Jabber to answer any questions. No legal risks involved OUR SERVICES ARE NOT CARDED! To arrange our bookings in a safe and long lasting manner we exchange various gift cards and vouchers from several companies and airlines to provide a safe and satisfactory services at a great price! HOW TO BOOK WITH US. Booking request must be done with 72 h in advance. First capture screenshot of the trip you want from any agency […] Upload it on image upload site(anony.wsanonfiles.com) Request us a custom listing so that we will create a custom listing for the specific amount for you. Then provide passenger details as follows. First Name- Donald Last Name- Trump Dob-1/Nov/1955 As soon as the order is done we will provide you booking details for lfights and confirmation voucher for hotels. Thats it just confirm it with airline website or calling hotel and you are ready to go […] (blackmarket post).

Payment is made directly to the seller, or through the escrow service offered by the blackmarket. The escrow service receives the payment from the buyer, and transfers it to the seller once they receive notification they are happy with the transaction. Payment is usually made using alternative currencies such as Bitcoin.

Track: Fake travel agency

Fake travel agencies trick unsuspecting ticket buyers into becoming victim travellers. Fake travel agencies have advertised online through paid advertisements on social network sites and search engines; websites returned through searches; through newspapers and classified advertisements; on the radio; and through posters displayed at airports. One participant explained how some of the fake travel agencies operate:

Many of the airlines, including ourselves, have experiences where these companies are paying for ad space on Google so that when you do a search for [Airline], their paid ad comes up before our website comes up. And so, their phone numbers are the first thing that people see, so the customer calls those phone numbers, but they are not us. They are not booking with us (participant AIR1).

In this example, the agency pays for Google AdWords, so their advertisement appears above that of the legitimate airline in search queries. The victim traveller is told they are dealing with the actual airline, and books the ticket as they would normally expect to, providing their personal information, flight information, and payment details.

Track: Insider

Insiders work in legitimate travel agencies and airlines. Insiders can take on a variety of roles, including employees, contractors, or third party suppliers, who misuse their privileges. While this track seems similar to the fake travel agency track, it differs in that an employee of a legitimate provider carries out the fraud, for example:

We do get rogue employees, where they’re, on the side, taking in cash from customers and then inserting compromised cards to pay for the ticket. That is definitely always a concern (participant IN1).

Track: Word-of-mouth

All five actors, victim travellers, complicit travellers, mule handlers, human smugglers/ traffickers and re-sellers may also obtain their tickets through word-of-mouth. Introductions are through close-knit communities, informal networks, and even through church groups:

But there are also tickets sold in communities, for example, some passengers who have been interviewed say that they get the tickets through their church (participant AIR4).

Often there is an element of trust, in that the seller has been recommended through others. In some instances, they are friends and family members. On the other hand, some travellers purchase tickets from people they have only just met. In relation to re-sellers and mule handlers, there was evidence in the blackmarket that trades were also taking place off-forum, with those who had developed business relationships with the sellers.

ACT 2: The middle-men and their methods

The first Act explores the different options by which tickets are purchased. In Act 2, the methods by which these tickets are obtained are outlined.

Actors: Blackmarket seller; fake travel agent; rogue employee

In many cases, the person travelling on the ticket is not the person who actually obtained it from the affected airline or travel agent. In Act 2, a number of new actors are encountered: the ‘middle-men’. These include the blackmarket seller, the fake travel agent, and the rogue employee. The reader may recognise that some of these actors correspond to the tracks outlined in Act 1. For instance, the blackmarket seller operates within the online blackmarket track, the fake travel agent within the fake travel agency track, and the rogue employee is the actor the insider track. This Act will demonstrate the methods used by these actors, which again may overlap and intersect across the different tracks.

Track: Compromised credit cards

Compromised credit cards are used by a number of actors, including blackmarket sellers, fake travel agents, and rogue employees. Compromised credit cards can be used to book tickets directly with the airline, however chatter on the blackmarket indicated that airlines are more likely to detect this type of fraud. Therefore, many blackmarket sellers will instead book with smaller travel agencies without sophisticated fraud detection systems. There are also different places compromised credit cards are used, such as through a booking website, a call centre, in-person at a travel agency, or at the airline’s desk in an airport.

The compromised card data can be purchased from the same, or similar, blackmarkets where the travel services are offered for sale. It is believed many of the middle-men are specialists, and are purchasing the data, rather than obtaining them themselves. This is not always the case, with a police investigation revealing one group obtaining tickets using credentials they had phished themselves.

The compromised credit card track is one of the most versatile. It is also one of the more obvious means by which tickets are fraudulently obtained, and therefore the most likely to be detected and cancelled. However, there was evidence of diversification. A number of methods were identified that enabled compromised cards to be used in a way to slow detection and circumvent fraud detection systems. Middle-men have also displaced to new methods, such as those explored in the following tracks.

Track: Loyalty point fraud

Loyalty points, also referred to as reward points, frequent flyer points, or miles, are offered by airlines and banks to reward their clients for repeat custom. The loyalty programs have differing rules limiting the movement of points from one account to another, however many can be used to book a ticket in a name other than the account holder, and if the loyalty program is part of an alliance, can be used to obtain tickets with a number of airlines, therefore making detection more difficult.

Participants explained when a loyalty point account was compromised the first thing they see is a change to the email address associated with the account. The credentials to access the account may also be changed, and sometimes the address and phone number stored on the account. After this, the points accumulated in the account are used. It is believed the majority of accounts are compromised because the account holder has used an email and password combination shared with a breached account. Airlines and financial institutions can see the automated testing of multiple username and password combinations attempting to access their systems. It appears these login attempts come from account checkers, which test compromised data against a variety of different online accounts in order to gain access. Social engineering attempts, through social network sites, have also been seen, although it is not believed this works at scale. Some accounts are also compromised by telephone, by calling the bank or airline and impersonating the account holder.

Track: Unauthorised access to global distribution systems

Travel agencies book tickets using a GDS to link with the airlines’ computer reservation systems. A number of different companies provide GDS’, including Amadeus, Sabre and Travelport. For a six-year period, a group in the Ivory Coast was compromising these systems, and issuing tickets fraudulently. Phishing emails were sent to travel agencies to obtain their login credentials to the system. As it appeared the affected travel agency had issued the tickets, they would be invoiced for the travel. The travellers were also mainly from the Ivory Coast, and in some cases waited at the airport for the ticket to be set up. While this group apparently stopped in 2014, the use of this method may be ongoing. The method is consistent with other instances of detected fraud, and terms related to GDS’ turned up occasionally on the blackmarket, for example:

User 1: Soon we will have hacked amadeus logins but we will list this when ready [...]

User 2: Care you elaborate how are you going to use them? Thank you [...]

User 1: Book tickets (blackmarket post).

Track: Compromised business accounts

Much legitimate travel is for business purposes, and many businesses have corporate accounts with travel agencies for their bookings. Furthermore, some travel agencies only deal with business clients, and some large organisations will have their own internal travel agency. Business accounts can be compromised through a variety of ways, either aimed towards the corporation, or the travel agent. One scheme involves what is known as business email compromise. This either involves the compromise of a legitimate email account, or the creation of an email account that appears to belong to target, such as registering a similar domain name. This email account can then be used to converse with the travel agency, and trick them into issuing a ticket that is then invoiced to the corporate account. Depending on how long it takes to identify, this type of fraud can perpetuate for some time. Corporate booking tools, which allow businesses to make bookings directly through their travel agency’s system, are also vulnerable to attack. Once compromised, they are used to purchase as many tickets as possible before being detected.

Track: Identity fraud

There was some speculation on the blackmarket that one method sellers can use is identity fraud. This involves opening a credit account in a fake or victim’s name, and using this to purchase tickets. The advantage of such an approach over the compromised credit card track is there is no chargeback when the victim finds unauthorised transactions on their account. However, the downside is this method requires a level of information that is hard to obtain and use in such a way to obtain a high credit limit, and newly created cards used for suspicious transactions such as flights are usually blocked quickly. Therefore, participants confirmed this method is identified occasionally, but not as frequently as compromised credit cards and loyalty point fraud.

Track: Voucher fraud

Vouchers include gift vouchers for travel services, as well as vouchers issued by airlines to compensate travellers following a disruption to their journey, such as a delayed or oversold flight. Like loyalty points, vouchers are an internal currency, and are therefore vulnerable to fraud. Rogue airline employees have been found issuing vouchers when no negative experience has been incurred, and not providing the voucher to the intended recipient.

A blackmarket seller was also offering the sale of travel gift vouchers. They claimed to have gift card numbers that had been issued years ago but not used. This vendor attracted a lot of attention, with one of the selling points being the buyer could make the booking themselves, without providing their personal information. However, this seller was only operational for six days before buyers started reporting bookings being cancelled. There are a number of ways disused gift cards might be obtained, including having a rogue employee in the company, or accessing their computer systems remotely. Alternatively, the seller may have lied about their method, and purchased gift cards using compromised credit cards.

ACT 3: (attempting to) travel

Actors: Victim traveller; complicit traveller; mule; the trafficked/ smuggled

The victim traveller and complicit traveller reappear in Act 3, along with new actors, the mule and the trafficked/smuggled. The victim traveller may be journeying for a variety of reasons, just like any other traveller. Similarly, the complicit traveller may be travelling for personal reasons, such as taking a holiday or attending a family emergency. One potential complicit traveller identified in a blackmarket post they were planning their honeymoon. However, some complicit travellers carry out other criminal activities. Mules may be aware they are facilitating crime, or they may be victims, such as ‘romantic mules’, who believe they are in a relationship with their handler. Unlike complicit travellers, it appears mules and the trafficked/smuggled are provided with the tickets, rather than obtain them themselves, and may not be aware of their fraudulent origin. It was believed the majority of the smuggled are trying to escape hardship, sometimes trying to reunite with their families, whereas many of the trafficked are facing sexual exploitation.

The tracks present in Act 3 provide potential experiences the traveller may encounter, including cancelled bookings, being detained by law enforcement, providing identification, and travelling successfully. Act 3 also contains a track for involvement in other crime.

Track: Cancelled booking

The most common way a journey goes awry is if fraud is detected and the ticket is cancelled. This can happen shortly after booking, or shortly before the flight (although sometimes these may be the same time). The latter appears to have the most impact, as it does not allow time to seek alternative arrangements. Another outcome of cancellations is that complicit travellers and mule handlers complain using the feedback mechanism on the blackmarket. If a blackmarket seller is experiencing many unsuccessful bookings, they will be labelled a ‘ripper’ or ‘scammer’, and in some cases will be banned from the marketplace.

Airlines are juggling two sometimes competing imperatives, one being fraud detection and prevention, while the other is the customer experience. One concern airlines have when it comes to cancelling flights is the possibility of false positives, whereby a ticket that appears to be fraudulent is in fact legitimate. An alternative to cancelling a ticket, particularly if the airline has not been able to formally confirm a transaction is indeed unauthorised, is to put the transaction on hold, and request an alternative form of payment at the airport prior to boarding. This method also allows the airline to gain some intelligence about how the ticket was obtained. As the original payment is then reversed or not processed, legitimate travellers are only paying once, and victimised card or account holders do not suffer any loss. However, those who have purchased fraudulently obtained tickets will essentially pay twice for their journey, if they wish to board the flight. Airlines try to minimise the impact on victim travellers, but they can be hard to differentiate from complicit travellers. Advice on the blackmarket for travellers who face this scenario is ‘you pay no argument/questions asked’.

Track: Detained by law enforcement

In some cases, law enforcement become involved, detaining and questioning those travelling on fraudulently obtained tickets. This may be part of the Global Airline Action days, run with Europol and other industry and law enforcement partners, part of a focused investigation, or done on an ad hoc basis. As identifying who is truly a victim traveller is problematic, when a traveller is detained, they are rarely charged with any crime. These difficulties have not gone unnoticed on the blackmarket. While they have shared media releases relating to the global action days, they also note law enforcement are rarely involved, and when they are, the traveller, not the person who obtained the ticket, is targeted:

Although it looks like theyve arrested purchasers of said service but not the guys running the business in the first place... (blackmarket post).

However, participants indicated that law enforcement are starting to take more notice of travel fraud, and even when a passenger was detained with no charge, this ultimately causes some disruption to the person who had organised the ticket.

Differentiating complicit travellers and victim travellers is complicated as the former can easily claim to be the latter. The blackmarket contain advice about how to do this if detained, including preparing fake correspondence before travelling. The provision of fake correspondence and receipts has even been advertised as a service on the blackmarket.

Track: Providing identification

The use of fake or stolen identification was discussed on the blackmarket, and the consensus was, for flights at least, the traveller’s genuine passport should be used. This may seem counterintuitive at first, particularly as fake identification can be obtained in these blackmarkets, and their use hides the traveller’s real identity if the fraudulent ticket is discovered. The reason fraudulent or stolen identification is not recommended is, as identified in the detained by law enforcement track, travellers can easily claim they are victim travellers, and travelling with fake identification would not lend any credence to this assertion. Indeed, travelling on false identification would increase the risk of detection.

Most participants agreed travellers used their own identification, however this is not always the case. It is likely that where a false identification document is used, it would have been used anyway, regardless of how the ticket was obtained, such as to avoid travel watch lists. Some participants hypothesised travellers would be more likely to use a fake name for bookings when travelling domestically or within the European Schengen Area, where identification is not necessarily checked for border control purposes.

However, just because genuine documents are provided, it does not mean all the information provided to the airlines when the tickets are purchased is correct. Advice given on the blackmarket is to change the details slightly, and airlines also advised this happens. It seems that when a passport is swiped at check-in, at least for some airlines, any incorrect information, such as a wrong date of birth, is automatically updated.

Track: Travelling successfully

If the ticket is not cancelled, the passenger is not detained by law enforcement, and there are no other reasons the travel did not occur (such as missing the flight) then it is likely the traveller reaches their destination successfully. Complicit travellers who purchased their ticket through a blackmarket will sometimes provide feedback, advising if they travelled successfully or not. Some blackmarket sellers provide a free or heavily discounted ticket when they are just starting out, in exchange for ‘vouches’, whereby the buyers will write a review of the service provided. In other cases, feedback is left for other potential customers, particularly where travel has not been successful.

Another step in travelling successfully is releasing payments through the escrow system, if this was used. However, it is apparent many blackmarket sellers are asking for release of escrow after the flight booking has been confirmed, rather than after the journey. This can lead to problems when the ticket is later cancelled. As mentioned, complaints about unsuccessful journeys can lead to allegations the blackmarket seller is a ripper when payment is not refunded.

Track: Involvement in other crime

As has been alluded to throughout this script, some of those travelling on fraudulently obtained tickets are known or suspected to be involved in other offences. In addition to human smuggling and trafficking, other crimes travellers are known to be involved in include: theft, including pickpocketing and shoplifting from airport stores; smuggling cash and contraband, such as drugs, cigarettes and tobacco; facilitating money laundering, such as opening bank accounts in other countries; and credit card fraud, including making transactions with compromised cards, and operating skimmers. With some of these additional offences, there are elements of organised crime and co-offending present.

There were suspected links to terrorism financing, however there was little evidence to support this concern. There were also claims the movement of people and proceeds from the sale of some fraudulently obtained tickets were linked to an alleged terrorist group. Some of the offences listed above are more readily ascertained than others, particularly when contraband is involved. On the other hand, mules opening bank accounts, and human smuggling/trafficking may be less likely to be detected. Furthermore, some contraband, such as credit card skimmers, may be difficult to recognise by those who are untrained.