Fraud costs airlines USD1.4 billion a year. Regional airlines the fraudsters' “carriers of choice”
The aviation industry is inherently exposed to numerous external influences, such as fuel costs, the economy, exchange rate fluctuations, natural disasters and political instability, as recent world events highlight.
Fraud is another external challenge facing the aviation industry, with major cost implications - although this can at least to some degree be controlled and monitored by aviation companies.
In an exclusive Q&A with CAPA, David Britton, VP of industry solutions at risk management/fraud prevention company 41st Parameter, explains how online fraud is affecting the aviation industry.
1. In 2008, airlines lost around USD1.4 billion to fraud, representing around 1.3% of the world total. Where does this figure stand today?
Overall, the airline industry continues to experience an “attack rate” of 1% - 1.5% of revenue, although some geographies, including the Middle East and Latin America, are subject to rates as high as 3 – 4% of revenue.
2. Given the increasing proportion of business conducted online, are airlines particularly susceptible to fraud compared to other industries?
The attack rate for airlines is comparable to the overall rate for e-commerce merchants selling physical goods online. Two areas where airlines are more sensitive to fraud losses are 1) the perishability of seat inventory, and 2) margins that make the loss of even a single seat to fraud painful to recover from. Ideally, airlines either prevent a fraudster from completing a booking, or are able to discover a fraudulent booking in sufficient time to cancel the reservation and resell the seats.
3. Is it primarily larger carriers that have taken steps against fraud? Are the smaller carriers more susceptible to this type of crime?
All carriers are susceptible to fraud, but it was the largest carriers that pioneered aggressive countermeasures to fight fraud. With fairly strong protections now in place at the majors, fraudsters are shifting their focus to airlines they have an easier time booking with – and the least chance of being stopped at the gate and asked for an alternate form of payment before they can board.
Who is at a disadvantage today? Airlines that fly routes competitive with carriers that have superior fraud prevention capabilities will naturally absorb a disproportionate share of fraudulent booking attempts. At the same time, mid-tier or regional carriers are now becoming the “carriers of choice” for fraudsters.
4. Are particular airline models targetted in fraudulent activities (LCCs? FSCs? Charters?). LCCs, for example, tend to have a higher proportion of bookings made online. Does this expose them to greater risk?
Fraudsters attack based on where and how they have the greatest likelihood of successfully booking and flying, so carriers which have marginal protections in place vis-à-vis competitors will naturally be at a disadvantage. Likewise a carrier that does not have consistently strong protections across booking channels will see fraud migrate to the least-protected channel. 41st witnessed this during an implementation where the carrier chose to deploy enhanced fraud protection against its online channel first, to be followed by the call centre and kiosks. Within a month of the tougher fraud protection being put in place for web-based bookings, fraud in call centre reservations had surged 40%. The following month, both the call centre and kiosk channels were placed under the umbrella of the fraud detection solution and the trend was reversed.
Both full-service and low-cost carriers suffer fraud attacks. Exposure varies by routes (certain cities have a higher preponderance of fraudulent bookings) and on long-haul flights premium cabins are often preferred.
5. Which carrier types manage fraud well?
Managing fraud well means minimising fraud losses while simultaneously not offending or inconveniencing customers. Said another way, maximising passenger revenue by not rejecting valid bookings or cutting off sales too far in advance of a flight to allow time to process manual review queues. Both of these objectives must be met within the constraint of an operating budget for fraud detection and prevention that is appropriate given the size of the problem.
With airlines experiencing fraud attack rates in the 1–3% range, there are carriers that actually reject 8%-25% of good orders because their automated fraud screening methods can’t examine bookings with sufficient granularity to accurately interpret whether a booking request is fraudulent or not.
6. What percentage of airlines would have fraud prevention departments in place?
The Deloitte Airline Fraud Report 2010 states that 52% of the respondents to its survey of IAAIA member airlines had “no system to formally detect and track fraudulent attempts to obtain tickets, and only half of respondents had a formal system to pick up unusual transactions or suspicious activities.”
Virtually all of the major carriers have systems in place today.
7. Does the majority of online fraud involve stolen credit card information or are more sophisticated forms of online fraud prevalent?
Stolen credit cards or cards obtained using a synthetic identity are a major source of fraud for the airlines today, but insider fraud by airline employees and travel agents remains a problem as well. Other sources of fraud which today’s carriers must deal with include loyalty programme account takeover or inappropriate mileage aggregation, and friendly fraud where passengers do pay for travel but dispute the charge after completing the trip.
8. Are the majority of fraud cases internal or external?
A majority of cases are external, though internal cases involving employees or industry insiders including travel agents/agencies are very real due to their expanded knowledge of ticketing processes.
9. What are airlines, credit card vendors, governments and/or IATA and other industry bodies doing to tackle the problem?
In addition to investing in expanded cross-channel fraud detection countermeasures, industry working-groups are tasked with addressing the problem from a holistic perspective.
For instance, IATA’s Fraud Prevention Working Group oversees industry fraud prevention activities and focuses on sources of revenue losses such as credit card and frequent flyer fraud. The group's activities may encompass any area where airline revenue is at threat. Non-airline partners, such as credit card companies and law enforcement agencies, may participate as observers providing such entities have a direct commitment to the prevention of fraud.
10. Is there any geographical/regional bias in airline fraud? Do any regions manage fraud particularly well?
The ability to manage fraud well must be evaluated at the carrier level, rather than a geographic region.
11. What are the most common indicators of a fraudulent transaction? What is the typical profile of a successful airline fraudster?
There are literally hundreds of signals to read in evaluating a fraudulent transaction, and the more attributes scored the lower the risk of an incorrect answer. In addition to card data, attributes commonly evaluated for possible fraud include origin and destination city pairs, booking time-to-departure, and class of service. A more sophisticated solution will not just look at PNR data but also interrogate the device that originated the reservation request to see whether the device settings (eg time zone or default language) are consistent with cardholder demographics.
12. Are airlines more at risk of online fraud compared with other sectors that have online revenue streams?
The attack rate for airlines is comparable to the overall rate for e-commerce merchants selling physical goods online, and far lower than companies selling digital goods or services.
13. How much would it typically cost an airline to prevent fraud?
Given the size of the problem as measured by the attack rate (1% - 1.5% of revenue), carriers spend some fraction of this number, with most carriers looking for a 5X – 10X return.
41st Parameter customers included carriers that have replaced existing fraud detection capabilities (usually internally developed) and recovered their total cost within 2 months.
14. How can airlines minimise “profit leakage”, incurred when rejecting valid bookings or staff costs associated with manually reviewing suspicious transactions?
The vast majority of revenue leakage is due to automatic rejection of booking transactions by fraud detection engines that only utilise real-time technology. The Airline Travel Payments Summit held in San Francisco in December 2010 included multiple presentations by airlines in which auto-reject rates of 20% or more were cited. For an industry with a 1% - 1.5% fraud problem, auto-reject is an unbelievably wasteful practice. Instead, carriers should focus on automatically approving the obviously good bookings, and tune its fraud engine to outsort the smallest possible subset of transactions necessary to identify the %age of fraud that the carrier can afford to detect based in part on its OpEx budget for an investigation team (see questions 17 and 18.)
Having analysts sift through a smaller but more highly “contaminated” pool of suspect transactions will yield a far lower false positive ratio and minimise the size of the team necessary to achieve the desired fraud detection result.
15. Does the advent of new, more powerful and affordable technologies increase the threat of fraudulent activities?
Whether the target is an airline, an online merchant, or a bank – fraud threats are constantly evolving as criminals attempt to thwart new countermeasures by exploiting any source of change in the environment, from new software releases to smartphones to inexpensive throwaway technology. Essential to maintaining efficacy of a solution is to stay current.
16. How effective are existing security measures, and will anti-fraud measures be able to keep up with improvements in technology?
In an industry with an attack rate of 1% - 1.5% (or 100 – 150 basis points), 41st airlines are reporting fraud rates as low as 1 basis point and typically in the single-digit BPS range. Today’s solutions can be extremely effective, for example 41st Parameter carriers have been successful in eliminating in excess of 95% of fraud while reviewing only 1% - 2% of all reservations. The very low outsort rate means that operating expense is reduced, due to the need for smaller investigation teams and there is no revenue lost to auto-reject of reservations.
17. Has it proven more effective to outsource fraud management to third parties or have an internal department, such as risk or internal audit, working on the issue?
Fraud is a highly specialised discipline, with experienced practitioners in short supply, so with the availability of hosted/SaaS solutions, outsourcing of fraud management is becoming increasingly popular with carriers of all sizes - especially those that have not previously deployed fraud detection or had an internal fraud team. Making outsourcing of the fraud function even more cost-effective is the availability of not only outsourced solution hosting, but complete fraud investigation teams that can review questionable reservations, make accurate decisions on which to reject and even cancel reservations in carriers’ reservation systems.
Managed Fraud Investigation Services are also being used by carriers as a way to supplement their in-house fraud analyst teams for night/weekend shifts or peak travel periods. Audit or Risk/Security still have overall ownership for minimising chargebacks, but the cost structure is obviously far different.