Q: Last Monday morning, as usual, I opened my agency’s ticketing files to see what had been issued over the weekend. To my amazement, I saw that my agency had issued several dozen tickets on Royal Air Maroc and Air France for travel from Abidjan, Ivory Coast, to various points in Europe. No credit card was used; instead, they were cash notes. How did it happen? Is my agency responsible for paying for these tickets, which total approximately $30,000?
A: The “Abidjan Phishing Fraud Scheme” surfaced over 10 years ago, and law enforcement authorities appeared to have shut it down for some time. Now the scammers are apparently back in business.
To my knowledge, the only way this fraud happens is: The fraudster sends an email (a phishing email) that appears to be from your GDS provider. The email states that the vendor needs the agent’s username and password to install the latest GDS updates. The agent then responds with the requested information, allowing the fraudster to access the agency’s GDS from any computer in the world. The fraudster makes a reservation and issues a ticket using the agency’s ARC number.
Tickets are usually issued over a weekend, when the agency is likely closed. In most cases, the trip has already taken place by Monday morning, so it is too late to try to get the airline to prevent the passenger from boarding in Abidjan. The method of payment is always cash, which means that when you file your ARC report the following Tuesday, you must authorize payment for these notes from your own funds.
The CRA has two relevant rules in the agent reporting agreement. First, as a general rule, the agency must pay for each ticket issued using the agency’s ARC number. Second, on an exceptional basis, the agency can be exonerated from liability for the payment of the tickets if it can demonstrate that it exercised “due diligence” at the time the fraud occurred.
The ARC Agreement defines “reasonable care” by referring to Section B of the ARC Industry Officer Handbook, which states:
“The officer must exercise due diligence in the issuance or disclosure of ARC traffic documents … to prevent the unauthorized issuance or use of such traffic documents…. ‘Reasonable care’ includes an effective electronic challenge and authentication, e.g. login credentials.”
ARC policy is that you should ask staff never to give out their GDS credentials in response to an email, phone call or text message. If you can prove that you instructed staff and no one admits to falling for a phishing email, the CRA may issue a letter absolving you of all liability.
Unfortunately, at least one of the carriers you name considers that you must pay for the ticket even though ARC has issued a letter releasing you from liability. Your choices are to pay, negotiate a discount, or lose the carrier’s appointment and risk a lawsuit.
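The pattern described in the answer (tickets issued while the agency is closed, paid as cash, departing from an airport the agency does not normally sell) can be checked each morning against a ticketing export. The following is an added example, not part of the original column and not an ARC or GDS tool; the CSV column names, opening hours and home-market airports are assumptions, and the sample rows are constructed (ABJ is the IATA code for Abidjan).

```python
import csv
import io
from datetime import datetime

# Constructed sample export; column names are hypothetical, not a real GDS or ARC format.
SAMPLE = """ticket_no,issued_at,agent_sign,fop,origin,amount_usd
0001,2024-03-08 15:12,AB,CC,JFK,640.00
0002,2024-03-09 02:41,AB,CASH,ABJ,780.00
0003,2024-03-10 03:05,AB,CASH,ABJ,815.00
0004,2024-03-11 10:30,CD,CASH,JFK,410.00
0005,2024-03-09 11:20,CD,CC,EWR,300.00
"""

OPEN_DAYS = range(0, 5)                # Monday..Friday (assumed)
OPEN_HOURS = range(9, 18)              # 09:00-17:59 local time (assumed)
USUAL_ORIGINS = {"JFK", "EWR", "LGA"}  # assumed home market


def flag_tickets(csv_text):
    """Return (ticket_no, reasons) for tickets matching the described pattern."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["issued_at"], "%Y-%m-%d %H:%M")
        reasons = []
        if ts.weekday() not in OPEN_DAYS or ts.hour not in OPEN_HOURS:
            reasons.append("issued while agency closed")
        if row["fop"].upper() == "CASH":
            reasons.append("cash form of payment")
        if row["origin"].upper() not in USUAL_ORIGINS:
            reasons.append("unusual origin " + row["origin"])
        # Require two indicators so ordinary cash or weekend sales do not alert alone.
        if len(reasons) >= 2:
            flagged.append((row["ticket_no"], reasons))
    return flagged


def exposure(csv_text):
    """Total USD value of the flagged tickets."""
    hits = {ticket for ticket, _ in flag_tickets(csv_text)}
    rows = csv.DictReader(io.StringIO(csv_text))
    return sum(float(r["amount_usd"]) for r in rows if r["ticket_no"] in hits)


if __name__ == "__main__":
    for ticket, reasons in flag_tickets(SAMPLE):
        print(ticket, "; ".join(reasons))
    print("exposure USD:", exposure(SAMPLE))
```

Running the check over the weekend as well as on Monday shortens the window in which an unauthorized ticket can still be voided or reported to the carrier before travel.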