His name is J. Michael Skiba, but he goes by Dr. Fraud. Over the course of his 25-year career, he’s worn many hats: currently, he’s the department chair for Colorado State University’s fund management and cyber crime programs, and also owns and operates a consulting and training company that specializes in international counter fraud and financial crime.
He’s also an avid traveler. So in addition to being able to educate you on the particulars of all manner of scams, he can also advise you on the best seat in first class on a Dreamliner 787. But what he really wants you to know is that travel-centric scams are at an all time high right now, and if you’re booking flights, accommodations or even using public wifi while traveling, you might be at risk.
Below, everything you need to know about travel scams, and avoiding them.
InsideHook: You’ve said previously that there’s been a surge in the number of travel related scams coming out of the pandemic. How much of an increase are we talking about compared to pre-pandemic numbers?
Dr. Fraud: One of the issues that we have in developing fraud metrics is that a lot of people don’t report it. Most people — if they get scammed — get embarrassed and don’t report it. The FTC reporting is anonymous, but people don’t know that, so they get duped and then they just want to forget it. But what we’re seeing is at least a 50 percent increase. That could even be higher, because when I look at solid statistics in relation to robocalls, we’ve seen an increase of 80 percent pertaining to travel. That averages out to about $5.5 billion on the year. So just very disturbing metrics all the way around. I would say probably at least 50 percent — and potentially up to 80 percent — more than usual.
It’s so curious to me that people don’t report them. Do people just accept that it’s happened and move on?
If they have significant financial damage, then they will often try to take action. I saw a recent timeshare scam of $15,000. People that get scammed at that level will usually take action, but I would say, for most of them — probably three quarters of them — it might just be a few hundred dollars. Or maybe they got tricked out of releasing personal information. So people don’t report that. They don’t want to admit that they got got.
I find, too, that we have a really hard time finding victims, even though we know the statistics are through the roof. And when you do find them, they are so resistant. You’d think they’d be like, “Hey, we want to let others know and the community know.” But I don’t know — there’s some psychological resistance to it for some reason.
How frequently are these things resolved? If I were to report a scam, what are the odds that there would be an outright conclusion?
Very low. And there are two reasons: jurisdiction and buy-in. First, jurisdiction. Let’s say you’re scammed in a travel-booking scheme on an Alaska Airlines spoof website. So, you have Alaska Airlines. You’re in Albany. You sent the money to the scammer through Georgia and then, come to find out, the IP address was in Africa. There is no law enforcement agency that’s going to take that seriously. If you go to local police, or state police, they’re not going to want to do anything. If the feds are going to get involved, it has to be a large-scale case.
That being said, the FTC does have some restitution avenues, so other than that anonymous reporting, you can actually file a claim. It’s almost like a class action. If they have other claims that are brewing, they can put yours in the queue. I’ve known people that have been scammed and they’ve hired a personal attorney, but it’s just hard. Attorneys are very expensive and it’s a return on investment. Is it really worth it? Nobody wants to take these cases. I tried to prosecute for 25 years. Nobody wants it unless it’s a slam dunk, which they very rarely are.
Why are travel scams surging right now?
There are three main reasons. First of all, you have incredible volume. People have been cooped up for two years and they want to get out … When you have that kind of volume, it brings with it vulnerabilities. People are not taking that extra precautionary step. They just book quickly without really looking, doing their due diligence or taking any of the normal preventative measures.
Second, is that the scammers know that. They’re seasonal. I say seasonal because scammers focus on what’s hot at any given time. Right now, it’s travel. They know people want to get back on the street and so they are putting a lot of effort there right now. You’re going to see them pivot a little bit toward the holidays towards shopping scams, but they’re still going to focus on travel because people love to travel around the holidays.
Lastly, it’s because of the fluctuation in pricing. Before, consumers would know what was normal. Normal for an Airbnb in the Outer Banks, for example. But it’s such a crazy environment right now and there’s been immense fluctuation in pricing. What that means from a fraud perspective is that something that normally would be a red flag, isn’t. If someone sees a price that’s really low, that’s generally a red flag, right? But people don’t know anymore. They think, “Oh, this could be a good deal now.”
Another thing to keep in mind is that the travel industry itself — the Uniteds, the Marriotts — is very low staffed. I know this both statistically and personally. I waited on a plane once for two and a half hours because they didn’t have a baggage person to unload the plane. So if they don’t even have the people to do those physical things, they definitely don’t have the people to man the fraud platforms. It’s what I call a target-rich environment right now.
What are the most common travel scams? What should consumers watch out for?
What’s interesting about these scams is that they can be focused on any area of travel. You have a segment of the population that hasn’t traveled in a while, like myself, who had to go back in and refresh all their apps. I had to re-enroll and make sure my TSA pre-check, global entry, all of that, was up to date. In years past, I wouldn’t necessarily have gotten an email saying, “Hey, you have to update your United app,” or “Your TSA pre-check is up” or “Your passport needs to be updated.” But now I might … and a scammer can easily do that. So, that’s the log-in scam — where you have to re-enroll or re-up your membership, something like that.
The other has to do with airline and vacation rentals. With those, it really happens at booking and at that very initial stage. For example, when people go on Kayak, or any of those third-party websites, you can be redirected very easily onto a scammer site. So, let’s say you’re on Kayak and you get all these hits for a flight to Atlanta. You decide on an American flight and you click on it. That’s where the scammer can penetrate the system and send you to their own site. It looks just like American, but it’s an imposter site and you don’t know it. Imposter scams last year totaled 1.2 billion. This is big money. You’re chipping away, putting in your credit card information, having a great day and then as soon as you hit click — it’s game over.
Obvious follow-up question: How do I avoid ending up there?
The best mode of prevention with those airline scams is to go direct. Type in the URL itself. Don’t go to Google and search United, because you could get redirected. People don’t see it because they don’t see instead of “united.com,” it’s “unitedairline-dot-com-backslash-international” and that’s a dupe. That’s an imposter site. Go directly to the site from the web browser.
I see a lot of that at booking and also, too, in customer service numbers. If you go onto Google and you put in Alaska Airlines, the real number for Alaska Airlines is the fifth one down on the web results. The first one is a travel company, which has to do with SEO, but the other ones could be scams. You call these numbers and who knows who you’re talking to? You have no idea.
Lastly, there’s the Airbnb, vacation rental scam. We could spend probably an hour on this alone. I see so much fraud with Airbnb — and when I say Airbnb, I mean any of those rental sites — and in two areas. One is that the website itself can be an imposter site. It might look like Vrbo or Airbnb, but it’s not the right one and, again, you’re clicking around doing things, putting in information. So, again, go right to your browser. That’s a big one.
The second one, though, is within the legitimate Airbnb site. What’s happening is you’re getting a lot of fraud directly on the site and it’s not necessarily illegal, but it’s incredibly unethical. Basically what it is, is misrepresentation. So on the one hand, you have a phantom house, in that the house literally does not exist or isn’t for rent. Somebody literally shows up and there’s a family at the house — after they’ve already paid for it.
Apparently “catfishing” is big on Airbnb as well — places that exist, but don’t measure up to the details in the listing.
There’s a lot of misrepresentation that goes on within the Airbnb site itself. For example, inflated photos, things that don’t look anything like the facility. That’s very common. So, how do you avoid that? Well, if you right click on the photo and put it in Google, you can do a Google image search — see if it could be out of a catalog somewhere or a real estate image.
Also misrepresenting accommodations, that’s big. Something like saying they have three bathrooms when they have one. Saying they have air conditioning when they don’t. So, one of the ways to avoid that is to look at the reviews. If it’s a new property and it only has two or three reviews, I would definitely not engage with it. It’s going to be priced a lot lower, which is another flag. If you have properties that just look too good, if they’re priced 20% lower, that’s a flag. But you have those reviews on the property, the reviews on the owner and reviewer’s reviews — because what the scammers will do, they’ll take it to a phase two. They’ll actually develop a fake profile to leave reviews with. And if it’s a fake property, they’ll put fake reviews in on their fake property.
Lastly, there’s cryptocurrency. If someone asks you to pay outside of the app, or says something like, “Hey I can save you 10% if you want to just book directly with me,” or “Hey, can you wire transfer this?” I would disengage immediately.
Sometimes, too, people will fake damage after you leave. That’s popular because there’s very limited recourse after that. What I always do right before I leave an Airbnb, on the day of checkout — when it’s all cleaned up and after I do what I need to — I take a video. Not a long one, but I kind of just take a quick walk around because I’ve seen that happen. Let’s say you rent a place in Africa and then you get home and they claim there was $2,000 worth of damage. You’re not going to fly back and dispute that, but if you have a video — 99 times out of a hundred — they’re going to back right down. So … yeah, tons in that space. Tons of Airbnb fraud.
Can you talk a little more about fake websites? Is there a tried-and-true method for IDing them?
Look at that URL. Most of the bigger travel companies have just straight-up URL. So if you start seeing a long URL stem, things that just don’t make sense in that URL, I think you’re probably on the wrong site. Also, if there are any kind of characters in there, like a .exe — that’s an executable file. That’s malware or ransomware. If you see that, immediately hop out. Do not engage at all.
If they’re looking for any type of wire transfer or alternative currency, that’s a huge flag. Crypto, if you use crypto or Bitcoin, there’s no recourse. You’re never going to get your money back. They’re going to take your money and run before you even know what happened. So if there’s any mention of that, definitely hop out.
What about with Airbnb listings?
If there’s any degree of pressure. If an Airbnb owner uses a tactic like, “Geez, I have five people that are looking at this so you want to book it now,” or if they rush to lower the price for you like, “Hey, I just want to get this booked. Here take 10% off,” definitely hop out.
I also see a ton of errors in the fraudulent ones that I look at. Misspellings, grammar errors, things that just don’t phonetically flow. That’s why I suggest, when people do book, they book on a laptop and not on their phone, because you can miss those things on your phone. You’re looking at a two-inch, three-inch diagonal screen as opposed to a 15-inch.
As far as payment, one way to protect yourself is to always use your credit card. Never use a debit card, because they can drain those very quickly, even if you have a fraud protection plan. Most credit cards, especially if you align yourself with a strong one, have good fraud protection — that double-layer authentication and all those great things.
On top of being an expert in fraud, you’re an avid traveler. Any travel hacks to share?
The first thing people do when they travel is make sure they’re connected, right? We need to be connected. We cannot be offline for more than two seconds. So with that comes risk because a lot of people hopping on wifi instead of paying the $50 for the trip through AT&T or something.
Now, what’s interesting about public wifi, first of all, is that it’s not secure at all. Even though it says it’s secure, and you might have to sign in, it’s not secure. Secondly, fraudsters — and these are highly intelligent fraudsters — actually create fake wifi. That’s very common. So you might be logging into a Brussels airport wifi, but it’s not actually the Brussels airport wifi. Every single thing that you’re putting in — your touch ID, your passwords — that’s all fair game. I’ve seen a lot of people getting into a lot of trouble with public wifi. So I would always recommend, if you’re doing work, to get a VPN. Make sure you can somehow VPN to a secure client, a secure server.
But even as a regular consumer traveler, watch the wifi. Go with the platform that your cellphone has. I have AT&T now, the passport is like $10 a day. It’s all filtered through them. I get unlimited data and it’s not foolproof, but at least I know where my information is going. Even if you don’t have an unlimited data plan, it’s still worth it.
Are you careful using hotel wifi as well?
It depends, because it’s a little bit more controlled environment. It really depends on the location I’m in. I work in Colorado and there’s a hotel I stay at, a Marriott up in Westminster or Boulder. Everybody there is mom-and-pop people or skiers. In that environment, I’m not worried. But that’s purely subjective, it’s just my gut. It really depends on my appetite at that particular time because, yeah, it could be a concern.
So just be aware of your surroundings.
Absolutely. When people are just walking through an airport, everyone has their phones out. Or they’re slouching and they have their phones propped up. I’m like, “Oh my word.” I could be a fraudster in a seat right behind them, recording what they’re doing. You literally can see when a password screen comes up, you can see what people type in. It’s unbelievable. It’s so easy.
It really is just so easy in those highly public environments, especially airports. There are just so many vulnerabilities. I think people feel somewhat safe in an airport because there’s security all over and they’re kind of in a controlled environment. They’re not physically threatened. It increases their appetite for risk for some reason, on the technology front. When you really start looking, it’s like, “Wow, these guys are making it easy.”
This article was featured in the InsideHook newsletter. Sign up now.