How to combat cyber piracy and online travel scams

Source: Tourism Update, 08/12/2018

As a few recent articles on Tourism Update have shown (see here
and here), the travel industry is a favourite haunt for scammers
and fraudsters. Common scams include booking flights, hotels or
even entire trips (usually at the last minute) with stolen credit
card details, and then either cancelling and requesting a refund
to their bank account, or making use of the purchased flight or
hotel room and leaving the supplier with a chargeback on the
credit card after the fraudster has left. Another common tactic is
to overpay, for example by ‘accidentally’ paying R22 000 instead
of R2 200 and then asking for the additional money to be returned
in cash or by bank transfer.
Another scam is setting up a website as a dummy operator or hotel,
and scamming as many people as possible into booking trips or
accommodation and paying advance deposits, before the scam is
exposed and shut down. On a smaller scale, some scammers use
Gumtree, Facebook or online classifieds to advertise a fake
guesthouse, holiday house or B&B accommodation, often for peak
season at a very good rate, showing beautiful photos and taking
bookings and deposits from unsuspecting customers. Once the client
has booked and paid a deposit, the scammer disappears and no
longer answers their cellphone.
With the shift toward online bookings, it is very easy for a
scammer or fraudster to set up a fake website that looks exactly
like an established hotel or lodge website, even with an online
booking facility. The smaller the establishment, the easier it is
to copy their website and fool customers into booking on the fake
website, thinking they are dealing direct with the lodge or hotel.
The scammer sets up a domain and email account that looks real
enough, answers any incoming enquiries from a fake email address,
and even sends out invoices that look real, with the scammer’s
bank details on there of course. If the website has an online
booking facility, they can score twice. First, they get the victim
to attempt to pay online by using their credit card, to get their
credit card number which they can use again in other scams, or
sell to other fraudsters. Of course, they won’t have a legitimate
merchant facility, so the credit card payment won’t go through,
and the customer is then told they must pay by bank transfer since
the online payment facility is offline or experiencing technical
difficulties. Now they’ve got the victim’s credit card number, and
they convince the victim to make a bank transfer to the
fraudster’s account.
If they do it well and the customer paid in full, the tourist may
be none the wiser until they actually arrive at their destination
only to find out that no booking exists for them, and no payment
was received. Upon investigation they will then discover that they
were duped.
Such fraud is not unique to Africa, but it harms the entire
industry. How can we prevent this?
The threat of scams and cyber piracy is one downside of automated
online booking engines, and the shift toward direct bookings. The
risk of being scammed is much higher if a client merely has to go
online, make a reservation on the lodge website, and make payment
to confirm the booking, without once having to deal with a real
human. The establishment they’re impersonating is real, and
tourists can check out their reviews online, but they are unaware
that they stumbled upon a fake copy of the hotel’s website,
possibly with a very similar domain name.
The first step you can take is to register defensive domain names,
especially domain names that may appear similar to yours. If your
hotel is called Heavenly Hotel and your domain is
heavenlyhotel.co.za, consider registering heavenlyhotel.com and
.net, heavenly-hotel.co.za, heavenly-hotel.com and even
heavenly.co.za. All your parked domains can be set up to redirect
to your official website, and each one will only cost you a couple
of hundred rand a year. Make it harder for the scammer to register
a domain name that is very similar to your real domain name.
The second step is to create a website that is difficult to copy.
Smaller properties with a tiny five-page website are the easiest
to fake. If you have just a home page with overview, a contact us
page, an enquiry page, and a gallery page with pictures of your
rooms, it is a very simple task for a fraudster to recreate that
website. Discuss your website with your web developer, and
consider placing content in frames, using watermarks, using html
encryption, protecting the directory that contains your website
with a password, disabling right-click, and requiring users to
register and sign in before booking and paying online. There are
many other tips and tricks to secure and protect your website that
are beyond the scope of this article.
The third step is to keep an eye on the search engines. Search for
your own property and website regularly. The most common way for
users to come across a fake website is if the fake URL comes up in
search results, usually paid search but sometimes even organic
search, if the domain name is similar to your real domain name.
Visit any suspicious looking sites to see if they are trying to
impersonate your website.
On your website, let guests know how they can double check that
they are dealing with your official website. Banks continually
send out warnings to customers to educate them, and remind them
how to identify a genuine email from the bank. Perhaps travel
companies need to start doing the same. In your communication with
clients, agents and suppliers, inform people that they should
double check with you by phoning or emailing to your known address
if they receive a suspicious looking email or an unexpected
request for payment. Even a request from a known supplier can be a
scam if a fraudster somehow got access to your contacts.
Read emails carefully. A recent email I saw used the domain
bcoking.com to impersonate a well-known OTA. Although it is
usually the clients who are at risk, a successful scam using your
brand can really harm your brand.
Lastly, work with the trade. The traditional value chain still
offers many benefits, one of which is some level of protection
against online fraud. Loyal agents and operators can help spot
fake websites trying to impersonate a supplier and alert them.
Clients who try and book direct or pay online are perhaps more
likely to get scammed than those who work through a trusted
operator or agent, and deal with a human consultant. Anonymous,
automated booking and payment systems unfortunately offer
fraudsters easy opportunities to impersonate the official websites
of hotels or other tourism suppliers. Encourage clients to work
through a reputable agent or trusted operator, to minimise their
risk of falling victim to an online travel scam.