The hospitality, leisure and travel industry found an unusual, albeit temporal, respite from human trafficking and certain fraud incidences during the peak of the pandemic, but this limited reprieve is quickly fading as business activity returns to normal. For a while, as hotel occupancy rates declined, flights, major sports and social events were canceled, and borders closed in response to the pandemic, fraudsters diverted their attention to more lucrative targets such as government-sponsored relief programs, medical supply scams, fake charities and superannuation fraud.
With many borders now reopened and travel and hotel bookings up significantly this summer, industry players are bracing for fraud and human trafficking activities to return to the rampant levels experienced before the pandemic. Among the threats, companies are facing a growing number of transnational organized crime groups that migrated to the cyberworld during the pandemic and are using malware and ransomware as a service to attack businesses from anywhere around the world. These groups are part of the dark underworld of cybercrime that has been thriving during the pandemic. According to research from Trustwave SpiderLabs, the volume of dark web users surged more than 40% in the early months of the pandemic, with an estimated $100 million in COVID-19-related goods and services — from fake vaccines to personally identifiable information (PII) stolen through pandemic-themed phishing attacks — trading through these channels.
The economic stress from the pandemic has also exacerbated conditions in marginalized communities, where workers living on the edge of poverty are more susceptible to the fraudulent job offers and predatory loans that lead to situations of forced labor and debt bondage, according to a June 2021 report from the Council on Foreign Relations. This, combined with the resumption of major sporting and outdoor events this summer, point to an expected increase in commercial sexual exploitation and human trafficking incidents.
The current dynamic environment calls for organizations in the hospitality, leisure and travel industry to keep abreast of law enforcement, and regulatory and legislative changes, as well as reassess their compliance and fraud-prevention practices regularly to strengthen areas like third-party service arrangements where gaps in oversight can easily enable fraud. Hotels, resorts, airlines, travel agencies and restaurants, among others, have an opportunity now to build their “ark” – that is, invest in stronger anti-fraud defense mechanisms before the impending storm. Those that fail to develop stronger defenses or reinforce existing capabilities may find themselves more susceptible to fraud, given the very nature of how perpetrators of such crimes follow the path of least resistance or aim for the easiest targets to exploit.
Prevailing threats and the cost of doing nothing
Fraud activity – most commonly counterfeit transactions involving fake currency and stolen credit cards; loyalty programs; customer account compromises; data breaches; and cashier’s, gift, and travelers’ checks – cost the hospitality, leisure and travel industry billions of dollars in losses every year.
Loyalty programs have become perhaps the most enticing target for fraudsters. Driven by the digital explosion and intense competition, the global loyalty management market is projected to reach $10.02 billion by 2027, from $2.47 billion in 2019, according to one recent estimate. Cybercriminals have discovered that loyalty reward offerings can be very lucrative given how easily they can be monetized on (and increasingly off) the dark web. Recently, novel mechanisms have emerged where loyalty programs can be monetized through legal means and online marketplaces and platforms (e.g., bakkt.com). Additionally, the programs provide access to personally identifiable information that scammers can use to create additional fake accounts.
In a 2018 report of occupational fraud cases in various industries, the Association of Certified Fraud Examiners (ACFE) found a median loss of $90,000 in its review of 76 fraud cases impacting hospitality and food services companies. In the same report, the ACFE noted that skimming schemes were also notably more common in the hospitality industry than elsewhere.
Often victimized by counterfeit identity, hospitality businesses also are a favorite target of human traffickers. According to the National Human Trafficking Hotline, at least 7.7% of human trafficking cases reported in 2016 were based in hotels or motels, common sites for abuse because they usually provide privacy and anonymity for both traffickers and trafficked individuals.
In the travel arena, of which direct online bookings are a significant share, fraud has unfortunately become an expected cost of doing business. For example, airlines are currently rejecting or canceling almost 4% of bookings due to suspicion of fraud, and they are losing over a full percentage point of revenue in direct channels to fraud, according to a 2018 report by travel industry research firm Phocuswright.
For most businesses in the industry, the cost of doing nothing or too little to curb fraud and human trafficking goes beyond financial impacts. In recent years, multiple lawsuits have been filed against major hotel groups, accusing them of serving as breeding grounds for sexual exploitation of women and children. For businesses already operating on very tight margins and in a fiercely competitive arena, the risk of increased legal liability, regulatory scrutiny, monetary fines, customer and societal perception, and reputational harm that could lead to loss of customers is one that cannot be entertained.
Challenges of detecting fraud and trafficking
With so much at stake, the responsibility of hospitality, leisure and travel businesses to manage fraud effectively continues to increase each day. However, meeting this challenge remains a constant and frustrating battle for many organizations, particularly given the sophistication of the perpetrator base has risen in lockstep.
For starters, traffickers and fraudsters are good at concealing their activities to elude law enforcement. Many have learned to use sophisticated tools (such as bots) that make it difficult for businesses to detect their activities. They are also patient and nimble in their approach, which allows them to find the path of least resistance in their search, or the weakest link to exploit. Lastly, as many perpetrators are part of criminal cohorts, their craftiness is also well-funded.
Another major challenge is the shortage of technical solutions and data, as well as know-how, to combat fraud and human trafficking. While there is data aplenty, filtering the signals from the noise to detect real fraud is difficult given data comes in a variety of forms (e.g., structured and unstructured). Also, ensuring that the data is complete, timely and of good quality is a challenge. From an analytical perspective, businesses are saturated with false positives – fraud alerts that do not lead to follow-ups or investigations, and ineffective fraud-detection approaches make it difficult for many to obtain real outcomes and make better risk-management decisions.
Across many organizations, governance and processes to manage fraud and criminal activity are not properly organized. In many cases, there are too many chefs in the kitchen: Various functions within the organization have joint governance or cross-ownership of fraud management. A good example would be an organization where the compliance, legal, risk, information technology, human resources and audit functions are all managing fraud in separate silos but do not properly coordinate their activities.
Adopting more investigative techniques and fraud analytics mechanisms can be a sizable investment, often requiring the acquisition of software and hardware, incorporating new review methods, and hiring new talent or upskilling existing staff. Meanwhile, an ever-evolving regulatory landscape and jurisdictional variances makes it tough for companies to stay ahead of the game while remaining compliant with the expectations of multiple regulators and requirements. A perfect example are privacy regulations, which restrict businesses from collecting or using certain data that could be helpful in fraud detection.
Advanced analytics and a holistic approach to the fraud fight
To successfully combat and mitigate today’s sophisticated fraud and human trafficking, hospitality, leisure and travel businesses need to leverage data and advanced analytics in order to generate augmented insight, and in turn translate that insight into intelligent threat detection and decision making. Understanding data types and how to effectively use them is key to unlocking the potential of any fraud surveillance and monitoring system. It is important to integrate different elements and approaches holistically to unlock the business’ detection potential. The following approaches are essential:
- Capture existing data – Firms record a lot of data from the moment users log on to their sites through the time they browse through selected offerings or complete a purchase. The metadata captured from activities such as mouse clicks and movements, actual purchased items or those left unpurchased in shopping carts, time of log-in and log-out, and IP addresses can be used to detect potential abnormalities. This a low-hanging-fruit effort that will go a long way to increasing fraud detection even before deploying analytical expertise. And it does not require building new models – just gathering insights using capabilities and processes that already exist within the organization.
- Invest in the right technology – Sophisticated machine learning and artificial intelligence tools can be used to detect suspicious behaviors, including anomaly detection. Text mining tools can be deployed to uncover patterns in unstructured data, and predictive models can evaluate common activities against known cases of misconduct. Firms can also leverage social network analysis (SNA) to establish associative linkages or discover commonalities in seemingly disparate data points. For example, human traffickers often leave traces in public domains on the internet, mostly in the form of advertisements and solicitation ads on social media, dating apps, chat and community websites. While the traffickers often alter their online presence to elude identification, recent advances in techniques, such as matrix completion, have the potential to address issues regarding falsified or misleading data.
- Acquire (or partner with) experts in analytics – Aside from the technology, firms need to acquire or partner with data scientists and analysts who can help make sense of the trove of information gathered through these various tools, while also exploring additional data elements and analytical constructs that can further augment threat detection. With many firms warehousing their data across multiple systems (physical records, apps, tapes, call centers, etc.), these experts can help identify the key data assets and link all data sources to obtain a holistic view of fraud and other criminal behavior. Additionally, cross-disciplined experts with knowledge of relevant regulations and policies can ensure that practices comply with the myriad regulations applicable to the industry.
- Create linear ownership and governance around fraud mitigation – Coordinating the activities of various functions with fraud mitigation responsibility within the same organization requires creating a linear governance structure that can take actions quickly and assign responsibilities effectively. The right governance structure would also foster a stronger ethics and conduct culture within the organization and help minimize firmwide behaviors that could enable fraud.
The time to act is now
In addition to advanced analytics, hospitality, leisure and travel businesses should conduct frequent risk assessments to understand their critical vulnerabilities. If needed, they should bring in an independent party to give an unbiased assessment of fraud risks. Participating in networks or industry groups where experiences and intelligence on fraud trends are actively shared is important to gain a 360-degree view of threat vectors and anomalies. And, most importantly, they should stay vigilant by keeping their eyes and ears open for all warning signals internally and externally.
Naomi Wolak, Managing Director with Protiviti’s Internal Audit and Financial Advisory practice, contributed to this content.