IATA email scam fake certificate
442 days ago
 

Exposed: How online fraudsters dive deep into IATA processes to secure payments

The classic Nigerian bank account email scam is as old as the internet itself and pretty much remains about as sophisticated as your average Saturday night reality TV show.

Not at all, in other words (we hasten to add).

Joe Public has learned over the years that anyone blindly offering to send them $20 million if they deposit X amount in an overseas account is quite clearly pulling their leg.

But what about scams that operate within an industry, preying on customers and attempting to get into the mix of the everyday workings of, say, the travel sector?

Indeed, what happens if a large, high-profile industry body suddenly sends an email asking for the settlement of a bill, often for arguably just a nominal amount (nowhere near the $20 million windfall being offered from those supposedly operating out of Africa)?

This type of scam is happening right now, using knowledge of the inner workings of high-profile international trade body IATA.

It starts like this:

Given that Tnooz is not an “airline code holder” with IATA, such correspondence from the industry group obviously set a few alarm bells ringing.

But imagine if the recipient was not a media brand and, instead, a customer that has applied for the “airline accounting code and airline prefix code” from IATA (guidelines and application form here).

The email comes from an .org email address (IATA-payment.org) and has valid contact details for the organisation’s offices in Montreal, Canada.

The reason for the redaction in the image above is that it corresponds exactly with that of a genuine employee in the accounts department at IATA in Montreal. A quick check on LinkedIn (as some worried about legitimacy might do) illustrates this:

Tnooz decided to start liaising with the sender of the email to get more details and see what emerged next (typically, entering into correspondence leads nowhere – fraudsters often want to complete the scam as quickly as possible).

On request, another email arrived:

This is the invoice containing details of the money supposedly owed by Tnooz:

After confirming the location of the bank, we asked LloydsTSB (a large UK retail bank) to verify the validity of the bank account details. LloydsTSB says due to the Data Protection Act in the UK it is unable to give further details regarding the account but confirms that its fraud team has been notified of potential fraudulent activity.

Tnooz continued to ask the sender of the original email for additional details relating to the account. This was not forthcoming (“my superiors are in charge of handling member contracts”), so we enquired as to whether it would be possible to elevate the query to a level of a supervisor or manager.

Expecting to hear no further from the sender, within a day we received the following email:

The email supposedly came from a senior individual in the finance department in Geneva (again, name redacted) and contained a scanned copy of Tnooz’s “certificate of accreditation”:

…and a copy of the “lease agreement”:

We then asked the sender to forward us a copy of the application we made for the certificate.

Once again, expecting the trail to go cold, events took an unexpected twist: the sender of the emails from Geneva called by telephone (number withheld).

In a very brief conversation (for fear of stereotyping, the accent of the caller did not sound like it belonged to that of the Anglo-Saxon or European name in the email), he tried to explain briefly that he was unable at that particular time to send the application and urged us to send the payment to resolve the “debt” owed by Tnooz.

This was clearly the last throw of the dice for those behind the original approach as direct correspondence with both the original individual supposedly in the admin unit in Montreal and the financial department in Geneva has now ceased despite a number of emails being sent to both asking for further clarification about the account.

Some interesting points to note about the activity outlined above:

  • Use of genuine employee details in the correspondence.
  • Knowledge of the terminology used by IATA with members and customers.
  • Creation of IATA-headed certificates and accreditation documents.
  • Multiple people involved in the approach.
  • Use of the telephone to persuade recipients of the invoice to settle their debt.

In short: a very detailed and elaborate process which, despite not fully researching who the recipient might be (Tnooz is, after all, just a media company rather than an agent or other industry business), shows how determined its backers are when using as many methods as possible to obtain money from unknowing people around the industry.

IATA has since confirmed that the original email came from what it says is a fraudulent address.

There are a number of approaches that have been made in the past to industry organisations and individuals, using a variety of bank institutions (LloydsTSB is not one of those listed).

All communication from IATA will ONLY ever come from a @IATA.org address. No official variations exist.

The organisation asks anyone who has received similar correspondence to notify it at the following email address: information.security@IATA.org.
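
The rule above (only @IATA.org is genuine, no variations) can be applied mechanically to the From header of incoming mail. The following is an added example, not part of the original article or any IATA tooling; the function names and the sample headers are constructed for illustration, and only the two domains come from the article.

```python
from email.utils import parseaddr

OFFICIAL_DOMAIN = "iata.org"  # the only sending domain the article says IATA uses
BRAND = "iata"                # brand token a lookalike domain or display name borrows


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From header, or ''."""
    _display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].strip().rstrip(".").lower()


def classify_sender(from_header: str) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a From header."""
    display, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "invalid"
    # Exact match only: the article states that no official variations exist,
    # so hyphenated names and longer hostnames are not accepted.
    if domain == OFFICIAL_DOMAIN:
        return "official"
    # Deliberately broad substring test: the brand appears in the domain
    # (iata-payment.org, iata.org.example.com) or only in the display name.
    if BRAND in domain or BRAND in display.lower():
        return "lookalike"
    return "unrelated"


def flag_lookalikes(from_headers):
    """Return the headers that borrow the brand without using the official domain."""
    return [h for h in from_headers if classify_sender(h) == "lookalike"]


# Constructed sample headers; the local parts and example.* domains are made up.
SAMPLE_HEADERS = [
    "IATA Accounts <billing@iata-payment.org>",
    "information.security@IATA.org",
    "billing@iata.org.example.com",
    "IATA Finance <clerk@example.net>",
    "Newsletter <news@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):10} {header}")
```

The From header is set by the sender, so an "official" result only means the displayed domain matches; whether the message really came from that domain is a separate question answered by SPF, DKIM and DMARC results.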

UPDATE: 

Astonishingly, despite the bank account being referred to the LloydsTSB fraud team (and Tnooz publishing the above article), in the past few days the second character involved in the correspondence has persisted in asking for the payment via email.

He then called again (number withheld) to reassure us that he would be happy to provide a copy of the application we supposedly submitted and would do so BEFORE we needed to make the payment.

We continued to go along with it and promised we would send payment after a copy of the application form was forwarded to us.

However, in the past few hours, after we emailed the sender to remind him that we were still waiting for the document, the email (finally) inevitably bounced back.

We presume this is probably the end of it all now, in terms of our correspondence – although the entire saga has thrown up plenty of surprises so far, so we’re not holding our breath just yet.

UPDATE II:

Well, perhaps we could’ve held our breath after all.

The team behind the activity forwarded the requested application form we supposedly completed to apply for the aforementioned license.

The sender also then called again.

We noted with him that the signature was a fake, which he tried to explain was the result of a process used at IATA’s end to protect signatures of applicants.

Despite this, when asked when we would be making the payment, we assured him that once details were authorised at our end we would be forwarding it to the bank account listed above.

Around ten minutes later we received another call.

“My colleague tells me you have been writing about us on the internet.”

We respectfully outlined the process we went through to obtain our information, including talking to the bank and IATA about the alleged fraudulent activity.

After an awkward silence, and before we could ask any further questions, we were simply told to look out for an email and he hung up.

An email arrived a further 20 minutes later, simply saying: “YOU SMART??????????”.

No further correspondence received by Tnooz since then.

NB: Tnooz has passed to IATA all of the correspondence and materials it obtained during the course of the process outlined above.

 
 
Kevin May

About the Writer :: Kevin May

Kevin May is editor and a co-founder of Tnooz. He was previously editor of UK-based magazine Travolution for nearly four years and web editor of Media Week UK from 2003 to 2005.

He has also worked in regional newspapers (Essex Enquirer) and started his career in journalism at the Police Gazette at New Scotland Yard in London. He has a degree in criminology and a postgraduate diploma in magazine journalism.

 

Comments


  1. Kevin May

    @ALL

    Against all the odds, we have another update (above) and screenshot:

    UPDATE II:

    Well, perhaps we could’ve held our breath after all.

    The team behind the activity forwarded the requested application form we supposedly completed to apply for the aforementioned license.

    The sender also then called again.

    We noted with him that the signature was a fake, which he tried to explain was the result of a process used at IATA’s end to protect signatures of applicants.

    Despite this, when asked when we would be making the payment, we assured him that once details were authorised at our end we would be forwarding it to the bank account listed above.

    Around ten minutes later we received another call.

    “My colleague tells me you have been writing about us on the internet.”

    We respectfully outlined the process we went through to obtain our information, including talking to the bank and IATA about the alleged fraudulent activity.

    After an awkward silence, and before we could ask any further questions, we were simply told to look out for an email and he hung up.

    An email arrived a further 20 minutes later, simply saying: “YOU SMART??????????”.

    No further correspondence received by Tnooz since then.

     
  2. Jonathan Meiri

    Catching up on the story. I assumed fraudsters use only highly scalable techniques that do not include phone calls. Great reporting @Kevin!

     
  3. Mike Jirout

    Nice work. I’ll always string along these fraudsters for as long as possible. I figure every minute wasted with me is a minute that they can’t spend duping others. If everyone recognized the scam, played along, and had them continuously manufacture documents to no avail, hopefully they’d get discouraged and get a job!

     
  4. Kevin May

    @ALL – A little update just added at the foot of the story.

    ******

    UPDATE:

    Astonishingly, despite the bank account being referred to the LloydsTSB fraud team (and Tnooz publishing the above article), in the past few days the second character involved in the correspondence has persisted in asking for the payment via email.

    He then called again (number withheld) to reassure us that he would be happy to provide a copy of the application we supposedly submitted and would do so BEFORE we needed to make the payment.

    We continued to go along with it and promised we would send payment after a copy of the application form was forwarded to us.

    However, in the past few hours, after we emailed the sender to remind him that we were still waiting for the document, the email (finally) inevitably bounced back.

    We presume this is probably the end of it all now, in terms of our correspondence – although the entire saga has thrown up plenty of surprises so far, so we’re not holding our breath just yet.

    ******

    NB: We’re not distressed that the story failed to be picked up by those at the other end of the correspondence (not everyone reads Tnooz!) :) . We suspect the penny dropped when they tried to access the bank account.

     
  5. Gilian Huntoon

    You rock Kevin!

     
  6. Perry Flint

    Hi Kevin,

    A very good job! Thanks for digging into this scam and helping your readers to recognize these phony emails.

     
  7. Orestis

    Nice work Kevin! Thanks!

     
  8. Rod Cuthbert

    Kevin, This was a fun read. You may have saved some unsuspecting souls from an expensive mistake.

    Having said that, I think your characterisation of the typical Nigerian scam as unsophisticated is off the mark. This Telegraph article (http://bit.ly/ZWL3wh) on some recent Microsoft research suggests exactly the reverse. But I know what you mean…

    Rod

     
    • Kevin May

      @rod – thx for chiming in. Interesting article from the Telegraph. cheers!

       
  9. Stephen Joyce

    A whois search of the domain iata-payment.org (which is referenced in the first email) shows a domain that was created using homestead.com (a free website builder). This is a pretty clear indicator that this is a bogus domain since I doubt IATA would be using homestead for anything, especially payment communications. In addition, the primary contact email on the domain is boltsandnuts6@gmail.com. I’d be surprised if someone at IATA used an email like this for their domain registrations.

    http://whois.domaintools.com/iata-payment.org

     
  10. John Pope

    @Kevin

    Ok, you caught me – I give up. But, I can’t believe you didn’t recognise my dodgy accent.

    To be fair, I was really only trying to establish a new crowd-funding model to raise some fast cash for our venture – thought that’s what they meant by Blue Ocean Strategy?? ;-) Guess I’ll have to go back to the drawing board now.

    Seriously, interesting story and great work. You’re a man after my own heart, trying to make the world a better, and safer, place for us all.

    Kudos, Obi Wan.

     
  11. Glenn Gruber

    @kevin…are you sure that the “information.security@IATA.org” address is legitimate? :)

     
    • Kevin May

      @glenn – 100% sure. Thanks for your concern over our reporting though.

       
  12. RobertKCole

    Nicely done Kevin – good to see that Criminology degree finally coming in handy.

    Interesting that you referenced the Nigerian email scam.

    Due to my advanced age, I can tell you the Nigerian scam originated in the Fax era. I got one in the early 1990′s (It was only $5 million – inflation had not yet increased the amount…)

    All they wanted was my bank account number to “completely legally” transfer $25 million into my account and transfer out $20 million, with the remaining $5 million left for my troubles.

    It was pretty much the same approach – convincing letterhead, with an assumed identity of a presumably trusted individual – In my case, it was a Nigerian classmate from Cornell University’s Hotel School and a reference to a high profile alumnus who was based in Hong Kong (a fellow who was relatively hard to reach due to time zone & travel schedule.)

    These guys had done their homework pretty well.

    I went through the same process to see how far the scam would be taken if I kept engaging and asking for a bit more information. I received two more faxes and two follow-up phone calls before they stopped communicating.

    Even then, it was my understanding from the authorities handling my report of the scam, that they were using some fairly sophisticated call forwarding methods in order not to be tracked by phone or fax number.

    All in all, these con men are simply upping their game by using technology to make their pitches look more realistic. With email & easily spoofed PDFs used as an ubiquitous form of invoicing, like the Nigerian email scam, this scam will inevitably grow.

    Eventually, enough idiots will try poorly executed pitches to make the general population aware of the risks.

     
    • Kevin May

      @robert – yes, been waiting for years to reinvigorate my crime reporting days :) .

      Interesting additional data, thanks for sharing.

       
    • Christopher James

      The scam did not originate in the fax era, it was simply moved to fax in that era.

      The scam has been alive and well since the advent of international postal mail, if not before. I have seen copies of letters sent in the 1920′s executing this scam.

      Interestingly, their English was much better back then. Go figure.

       
  13. Sam Daams

    You should totally have tried to get their photo a la http://www.419eater.com/ (a great site if you want to enjoy some justice on scammers!) :)

     
  14. Mike Putman

    Great job Kevin! Fraudster emptor.

     
    • Kevin May

      @mike – thanks for the comment.

      I think what astonished me the most is that it kept going as long as it did, especially with the phone call at the end.

      Of course it is far too easy to presume, but you would’ve thought that at some point they might’ve considered asking themselves what this Tnooz thing is.

      What’s that? Oh, it’s not a travel company? It’s a media company. Oh.

       
    • Ana

      Thanks for this – you just spare me having to fight it out with the useless administration office at work, who forwarded it to me (blindly it seems, cos i really have no idea how they didn’t think it screams “SPAM” at their face)

       
 
 
