The Rise of AI-Powered Travel Attacks



AI seems to be everywhere these days, and travel scams are no
exception: scammers are using the technology to make their schemes more
convincing and harder to detect.

Travel managers need to be aware of when their business travelers
can be most vulnerable and educate them on what to look out for, because
“corporate travel managers play a critical role in protecting the
traveler,” World Travel Protection regional security director of the
Americas Frank Harrison told BTN.

“AI is no longer just targeting computer systems. It’s
now being used to manipulate and directly target people,” Harrison said.
“It’s a major shift in travel risk.”

Business travelers are particularly vulnerable when they are
in urgent or stressful situations, such as when an airport closes or flights
are canceled. Deep fakes can include voice and video manipulation, “and
they’re used to mimic real customer service agents, colleagues or even senior
executives,” Harrison said. “AI-driven scams are effective because if
you tap into the psychology, it triggers authority, urgency and fear of
loss.”

Signs of Trouble

Business travelers should be aware of the following common scamming methods that artificial intelligence has made both easier to execute and more believable to travelers who aren’t trained to watch out. 

  • Deep Fakes: Messages that push a sense of fear or urgency to induce an action, even from “people” the traveler knows. These may also include unusual requests and methods for payment or cash transfers.
  • “Mirror” Websites: It’s easy to create a website with AI that looks and behaves similarly to known travel supplier sites. Compliance with a dedicated corporate booking tool can sidestep this risk.
  • Scam Agencies: Travelers should know their normal corporate travel processes and partners. A request from a “travel agent” to move a call or interaction to an unfamiliar platform is a red flag. Even a request to update a payment method could be questionable.

Say a scammer knows a business traveler is going from
Washington, DC, to Doha to Southeast Asia, he said. The flight just landed in
Doha, and the traveler receives a message saying their connecting flight has
been changed. The scammer says, “you need to book your seat now,” and
there’s potentially a bit of a language barrier, Harrison added, so it’s hard
to spot that subtle inconsistency. “The next thing you know, you think
you’re booking your seat on the next leg aircraft, and you’ve just been
scammed.”

Another example: Most people haven’t received a message from
their boss saying, “Hey, I lost my credit cards. Can you forward me some
money?” Harrison explained, noting that the average person would question
that. “But if you’re in a smaller mom-and-pop type of environment, or you
get a panic call from somebody you’re close to, you’re probably going to act on
it because [you think] they need help.” 

Harrison recounted a recent case in which an organization he works
with that focuses on cyber threats took a screenshot and voice clip
from an interview he did two years ago and created a 25-second video of
Harrison talking about travel risk management. “That was very convincing,
and it sounded better than I do now,” he said.

There also are virtual kidnappings, Harrison said. Say an
executive is going on a business trip, and after they are dropped off at the
airport, their family gets a phone call from the executive saying they’ve been
kidnapped, and they need to transfer money to a specific account or the
executive will be harmed. The family wires the money. But the executive has
been on their flight, and when they land, contacts the family to let them know
they’ve arrived. 


“The family is like, ‘they released you,’ and the
person goes, ‘what are you talking about?’ ” Harrison said, adding that these
scammers like to use offshore Bitcoin accounts so it’s untraceable. “It’s
becoming very effective, very elaborate. We now have to start training our
travelers how to identify the risk associated with deep fakes and how to
respond to them effectively.”

The more vulnerable travelers are those who may not use a
corporate booking tool or travel management company and instead book
directly with suppliers, where fake websites are created to look like
real companies, Harrison said.

“You think you’ve just gone into their website to rent
a car, and you haven’t really paid attention to the logo or the URL, and you
book a car,” he said. “But the next thing you know, your corporate
credit card’s been maxed out because you went into a phishing site that grabbed
your financial details.”

Harrison said that at least six different events like that
happened while he was in Denver for the recent Global Business Travel
Association convention, where “people thought they were in legitimate
airline pages or legitimate car rental or hotel [sites], made a booking and the
booking disappears and so does their credit card.”

Train for the Warning Signs

The best thing corporate travel managers can do is to look
at how they’ve structured their travel program, how they’ve integrated and
interact with their TMC and all of their different vendors, and “reinforce
to traveling workers and executives that if they see any kind of an
inconsistency or they see a deviation from that normal travel and booking
process, that’s a red flag,” Harrison said. 

It’s essential to maintain and share an approved contact
list and ensure it’s easily accessible, Harrison said. Also, “whether it’s
in the travel policy, company app or even wallet cards, regular training helps
travelers recognize and verify legitimate requests.”

“As soon as you see an inconsistency, that’s where
you’ve got to stop, get your travel managers involved, your IT team, and don’t
go through with whatever it’s prompting you to do because potentially it is an
attack,” he said.

Another warning sign is an unusual request for payment
methods that don’t involve a traveler’s actual corporate credit card, Harrison
said. “You might get a request that they want you to transfer money to an
account or they give you a digital number to transfer money into. That’s a red
flag.”

Another sign is being asked by your TMC for
your credit card details. “They already have that,” Harrison said. “Or
you get a call from someone posing as a travel agent or representative of an
airline, but they want to move the call to another platform or a space you’ve
never heard of before. You’re being redirected into an environment where they
have control of you, your device and your information.”

“If it’s out of the norm, don’t do it,” Harrison
said.


