How to combat cyber piracy and online travel scams

Onne Vegter

How to combat cyber piracy and online travel scams

11 Dec 2017 - by Onne Vegter

In an increasingly online world, cyber piracy and online scams are an ever-growing threat. Banks have had to become smarter to prevent phishing attempts and online banking fraud. Customers are making more purchases online and people are no longer wary of typing in their credit card details to make an online payment or purchase. It has become normal and commonplace, and many users do so without even a second thought to double check the authenticity of the site.

As a few recent articles on Tourism Update have shown (see here and here), the travel industry is a favourite haunt for scammers and fraudsters. Common scams include booking flights, hotels or even entire trips (usually at the last minute) with stolen credit card details, and then either cancelling and requesting a refund to their bank account, or making use of the purchased flight or hotel room and leaving the supplier with a chargeback on the credit card after the fraudster has left. Another common tactic is to overpay, for example by ‘accidentally’ paying R22 000 instead of R2 200 and then asking for the additional money to be returned in cash or by bank transfer.

Another scam is setting up a website as a dummy operator or hotel, and scamming as many people as possible into booking trips or accommodation and paying advance deposits, before the scam is exposed and shut down. On a smaller scale, some scammers use Gumtree, Facebook or online classifieds to advertise a fake guesthouse, holiday house or B&B accommodation, often for peak season at a very good rate, showing beautiful photos and taking bookings and deposits from unsuspecting customers. Once the client has booked and paid a deposit, the scammer disappears and no longer answers their cellphone.

With the shift toward online bookings, it is very easy for a scammer or fraudster to set up a fake website that looks exactly like an established hotel or lodge website, even with an online booking facility. The smaller the establishment, the easier it is to copy their website and fool customers into booking on the fake website, thinking they are dealing direct with the lodge or hotel. The scammer sets up a domain and email account that looks real enough, answers any incoming enquiries from a fake email address, and even sends out invoices that look real, with the scammer’s bank details on there of course. If the website has an online booking facility, they can score twice. First, they get the victim to attempt to pay online by using their credit card, to get their credit card number which they can use again in other scams, or sell to other fraudsters. Of course, they won’t have a legitimate merchant facility, so the credit card payment won’t go through, and the customer is then told they must pay by bank transfer since the online payment facility is offline or experiencing technical difficulties. Now they’ve got the victim’s credit card number, and they convince the victim to make a bank transfer to the fraudster’s account.

If they do it well and the customer paid in full, the tourist may be none the wiser until they actually arrive at their destination only to find out that no booking exists for them, and no payment was received. Upon investigation they will then discover that they were duped.

Such fraud is not unique to Africa, but it harms the entire industry. How can we prevent this?

The threat of scams and cyber piracy is one downside of automated online booking engines, and the shift toward direct bookings. The risk of being scammed is much higher if a client merely has to go online, make a reservation on the lodge website, and make payment to confirm the booking, without once having to deal with a real human. The establishment they’re impersonating is real, and tourists can check out their reviews online, but they are unaware that they stumbled upon a fake copy of the hotel’s website, possibly with a very similar domain name.

The first step you can take is to register defensive domain names, especially domain names that may appear similar to yours. If your hotel is called Heavenly Hotel and your domain is heavenlyhotel.co.za, consider registering heavenlyhotel.com and .net, heavenly-hotel.co.za, heavenly-hotel.com and even heavenly.co.za. All your parked domains can be set up to redirect to your official website, and each one will only cost you a couple of hundred rand a year. Make it harder for the scammer to register a domain name that is very similar to your real domain name.

The second step is to create a website that is difficult to copy. Smaller properties with a tiny five-page website are the easiest to fake. If you have just a home page with overview, a contact us page, an enquiry page, and a gallery page with pictures of your rooms, it is a very simple task for a fraudster to recreate that website. Discuss your website with your web developer, and consider placing content in frames, using watermarks, using html encryption, protecting the directory that contains your website with a password, disabling right-click, and requiring users to register and sign in before booking and paying online. There are many other tips and tricks to secure and protect your website that are beyond the scope of this article.

The third step is to keep an eye on the search engines. Search for your own property and website regularly. The most common way for users to come across a fake website is if the fake URL comes up in search results, usually paid search but sometimes even organic search, if the domain name is similar to your real domain name. Visit any suspicious looking sites to see if they are trying to impersonate your website.

On your website, let guests know how they can double check that they are dealing with your official website. Banks continually send out warnings to customers to educate them, and remind them how to identify a genuine email from the bank. Perhaps travel companies need to start doing the same. In your communication with clients, agents and suppliers, inform people that they should double check with you by phoning or emailing to your known address if they receive a suspicious looking email or an unexpected request for payment. Even a request from a known supplier can be a scam if a fraudster somehow got access to your contacts.

Read emails carefully. A recent email I saw used the domain bcoking.com to impersonate a well-known OTA. Although it is usually the clients who are at risk, a successful scam using your brand can really harm your brand.

Lastly, work with the trade. The traditional value chain still offers many benefits, one of which is some level of protection against online fraud. Loyal agents and operators can help spot fake websites trying to impersonate a supplier and alert them. Clients who try and book direct or pay online are perhaps more likely to get scammed than those who work through a trusted operator or agent, and deal with a human consultant. Anonymous, automated booking and payment systems unfortunately offer fraudsters easy opportunities to impersonate the official websites of hotels or other tourism suppliers. Encourage clients to work through a reputable agent or trusted operator, to minimise their risk of falling victim to an online travel scam.