Mark Pestronk
Q: Last Monday morning, as usual, I opened my agency's airline ticketing records to see what had been ticketed over the weekend. To my shock, I saw that my agency had issued several dozen tickets on Royal Air Maroc and Air France for travel from Abidjan, Ivory Coast, to various points in Europe. No credit cards were used; instead, these were cash tickets. How did this happen? Is my agency liable for payment of these tickets, which total about $30,000?
A: The "Abidjan Phishing Fraud Scheme" surfaced over 10 years ago, and law-enforcement authorities seemed to have put a stop to it for a while. Now the fraudsters are apparently back in business.
To my knowledge, the only way that this fraud occurs is as follows: The fraudster sends an email (a phishing email) that appears to be from your GDS vendor. The email states that the vendor needs the agent's username and password in order to install the latest GDS updates. The agent then replies with the requested information, thus enabling the fraudster to access the agency's GDS from any computer in the world. The fraudster makes a reservations and issues ticket using the agency's ARC number.
The tickets are typically issued during a weekend, when the agency is probably closed. In most cases, travel has already taken place by Monday morning, so it is too late to try to get the airline to stop the passenger from boarding in Abidjan. The form of payment is always cash, which means that, when you file your ARC report on the following Tuesday, you have to authorize payment for those tickets out of your own funds.
ARC has two relevant rules in the agent reporting agreement. First, as a general rule, the agency must pay for every ticket issued using the agency's ARC number. Second, as an exception, the agency can be relieved of liability for payment for the tickets if it can show that it was exercising "reasonable care" at the time that the fraud occurred.
The ARC agreement defines "reasonable care" by referring to Section B of the ARC Industry Agent's Handbook, which states:
"Agent must exercise reasonable care in the issuance or disclosure of ARC traffic documents ... to prevent the unauthorized issuance or use of such traffic documents .... "Reasonable care" includes effective, electronic challenge and authentication, e.g., log-in credentials."
ARC's policy has been that you must instruct staff never to give out their GDS logins in response to an email, phone call or text. If you can prove that you so instructed staff, and if no one admits to having fallen for a phishing email, then there is a chance that ARC may issue a letter relieving you of liability.
Unfortunately, at least one of the carriers that you name takes the position that you must pay for the ticket even if ARC issued a letter relieving you of liability. Your choices are to pay, negotiate a reduction or lose the carrier's appointment and risk a lawsuit.