It’s a time of year when plenty of people are thinking about travel. Whether you’re reliving the memories of your summer vacation while daydreaming at your desk, preparing for your end of summer trip, or planning to visit family over the holidays, there’s a travel vibe in the air.
Fraudsters, of course, love to jump on trends, and there are lots of ways to steal money at travel companies’ expense. Recently, that increasingly includes “clean slate” fraud.
What is “Clean Slate” Fraud?
In a sense, a lot of fraud involves fraudsters trying to present themselves as a clean slate. Either they’re trying to look like someone specific (with account takeover, identity theft, etc.) or they’re trying to look like a new legitimate person, aka someone with a clean slate.
What’s special about clean slate fraud, though — and is the reason we give it this name — is that they clean the slate during the attack as well as before it. There are two main stages to the attack.
Stage 1: Opening & Using Multiple Accounts
- With different IPs from different countries
- Different cookie per account
- Place one order per account, using one single card in each
- Cancel the order right after the transaction has gone through, possibly to race (and avoid) manual review
- Redeem the voucher from the cancelation
Stage 2: Monetize
- Put the vouchers towards the real aim of accommodation or travel
- Use the true names of the people who will be using it; not necessarily the fraudster, since this can be & frequently is part of a wider fake OTA scheme/social media scam
- Book last-minute deals so there’s no time for extra checks — and since it’s all vouchers, rather than cash, suspicion is reduced
Why Clean Slate Fraud Is Growing
Fraud attempts with an extra step of this kind have increased 11% over the last year. That indicates a fairly broad step up on the type of complexity and time criminals are willing to invest in an attack.
That’s borne out more generally as well, as the sophistication in fraud attacks continues to increase, notably over the last 5 years. It’s like fraud got a shot in the arm during the coronavirus pandemic, and never really came down after.
I’m just speculating, but I wouldn’t be surprised if some of this were made possible by generative AI. Not in the direct sense, as with the fake returns images, or the deepfake scams that are becoming creepily convincing. But since genAI makes other aspects of fraud so much faster and easier, as all kinds of automation always have done, fraudsters have more time to devote to their attacks.
Why Clean Slate Fraud Targets the Travel Industry
Travel loyalty programs are a byword for excellence when it comes to showing other industries how it’s done. Unfortunately, that does come with risk attached, and fraudsters are always ready to exploit any loophole they find. In this case, since vouchers and using points from one travel experience towards a different travel experience are so common in the industry, the extra step seems very natural as part of a customer flow.
Last-minute bookings are also fairly common within travel, which is another thing fraudsters have traditionally been eager to leverage. So alarm bells are less likely to go off with clean slate attacks, because this behavior isn’t really out of the ordinary.
Travel is a good candidate for this kind of fraud. If fraudsters see success with it, though, which they seem to be given the increase in attacks with these extra steps, they’ll likely try to apply it broadly elsewhere as well.
How to Stop Clean Slate Fraud
The good news is that as long as you’re looking out for it, clean slate fraud isn’t hard to stop. A travel merchant onboarding with Forter had suffered a loss of $120K in ten days due to this issue. But as soon as they turned Forter’s systems on, the ring was blocked, and it went elsewhere.
The key thing is remembering that everything comes back to identity. No matter how many stages the fraudster or ring inserts into their attacks, and no matter how much they mix up their payment methods and pull vouchers into the story to look more legitimate — if they’re the same people trying the same tricks, you can identify that. And block it.
The technical aspects of clean slate fraud, such as IP masking, fake email addresses, and stolen payment methods, aren’t new. Putting them to use as part of an attack that spans a large number of accounts and involves leveraging voucher credit is a step further in obfuscation, but it doesn’t change the game.
As always, it comes down to identity.
