Security
Headlines
HeadlinesLatestCVEs

Headline

How Your Real Flight Reservation Can Be Used to Scam You

Scammers use a booking technicality, traveler confusion, and promises of dirt-cheap tickets to offer hot deals that are anything but.

Wired
#web#ios#git#sap#ssl

How do you tell that your plane ticket is real? If it checks out on the airline’s website, you’re good to go, right? Don’t be sure. Fraudsters are abusing a little-known but decades-old technicality in how airline reservations work to con people out of their cash.

Mevonnie Ferguson, who lives in Kent in the UK, says she was scammed out of £994 ($1,267) by someone claiming to work at a travel agency called Infinity Global Travel. A single working mother of two daughters, Ferguson says she was sold what appeared to be a valid British Airways ticket from London to Kingston, Jamaica. When she looked up the reservation on BA’s website using the confirmation number and her last name, it showed up valid and fine. But about two weeks after purchasing this ticket from Infinity Global Travel, and just days before her scheduled departure date, the reservation disappeared from BA’s website without a trace.

Ferguson, who also relayed her story to the UK’s Channel 5, contacted the airline and explained her situation, but she was told there were no flights booked in her name. BA would not release information to Ferguson, as she was not the party who had directly booked the reservation with the airline, she says. After some persuasion, the BA representative ultimately told Ferguson that while the reservation code she provided was correct, there was no record of an e-ticket number.

Ferguson has since tried to get a refund from the supposed travel agent, who has neither returned her money nor responded to subsequent calls and emails. A BA spokesperson asked WIRED for additional details so they could investigate but did not otherwise respond to a request for comment.

This problem isn’t unique to British Airways or any one airline in particular. In fact, it’s an intentional part of the air travel industry’s reservation process that scammers can abuse.

Hold Up

Like many travelers, Ferguson did not understand the difference between a “confirmed” and a “ticketed” reservation, travel industry jargon terms that are not synonymous. The system makes it possible to create what appears to be a valid flight reservation, but which is actually a mere temporary reservation “hold.”

Here’s how the con works: A scammer entices customers with cheap airline tickets through email, a website, or social media. Once they have a victim’s details, the scammer purchases a reservation hold—not the actual plane ticket—via a travel agency. They then pass that hold on to the victim as a legitimate ticket. The victim can check the airline’s website and see that the reservation is in the system. But once the two weeks are up the hold disappears, and the scammer makes off with the money the victim thought they were spending on a real—albeit suspiciously cheap—plane ticket.

Most airlines will not let individual passengers hold a prolonged reservation directly. As an example, Qatar Airways lets anyone hold a flight for just 72 hours for a “minimum fee,” without paying the full fare up front. This means you’ll be provided a valid passenger name record (PNR) number, but your reservation will not be “ticketed”—meaning no e-ticket number—until the full fare is paid. By contrast, travel agencies have much more power and flexibility to hold a reservation, a weak point that gives scammers an in.

Some legitimate travel agencies will let you pay as little as $15 to $20 to “hold” a flight ticket for a couple of weeks. And there are good use cases for this. When applying for a tourist visa, for example, embassies or consulates of a destination country may ask applicants to provide proof of return travel. Rather than purchase a full ticket, applicants may instead opt to pay a travel agent a small fee and get a valid flight booking, with a real PNR that can be verified by the visa officer on an airline’s website. Should their visa application be refused for any reason, applicants lose only the small fee paid to the travel agent—a better deal than hassling with an airline to modify or cancel a full ticket or failing to get a refund entirely.

Sites like Expedia and Skyscanner are, of course, the mainstream way people book air travel. But for anyone who needs a long hold, travel agencies are their only option. These agencies advertise inexpensive reservation holds as “flight itineraries for visa applications,” which are colloquially known as “dummy tickets” and are valid for two weeks. This time window is enough for a scammer to con someone.

Test Dummy

To test how a dummy ticket scam works, I purchased a Qatar Airways reservation for $20 via a legitimate third-party travel agency. For the two weeks after I made this booking, Qatar Airways’ website would show the confirmation number as valid. But no e-ticket number is listed anywhere on the reservation—indicative of this being a mere “hold”—meaning it’s a reservation that’s “confirmed” but not ticketed. Scammers do exactly the same thing by booking the hold under their victim’s name.

Scams aside, the gap between reservation holds and ticketing can cause problems for travelers all by itself. In 2019 a traveler named Alexander told his story to The Points Guy of a mishap in which his flight to Spain was merely confirmed but never ticketed—which he didn’t find out until he arrived at the airport. In this case the problem had to do with the airline’s policy of not issuing e-tickets against bookings until an identity check was completed by the passenger—something Alexander missed because the ID verification email landed in his spam folder. But the mechanism behind his and Ferguson’s scenarios are identical.

Suffice it to say, it is best to book your flight tickets directly with an airline or via a trusted travel platform. If an offer sounds too good to be true, it may be a scam. And always verify with the airline if your “confirmed” reservation indeed has a real ticket to go along with it.

Wired: Latest News

More Spyware, Fewer Rules: What Trump’s Return Means for US Cybersecurity