Exposed: How online fraudsters dive deep into IATA processes to secure payments
The classic Nigerian bank account email scam is as old as the internet itself and pretty much remains about as sophisticated as your average Saturday night reality TV show.
Not at all, in other words (we hasten to add).
Joe Public has learned over the years that anyone blindly offering to send them $20 million dollars if they deposit X amount in an overseas account is quite clearly pulling their leg.
But what about scams that operate within an industry, preying on customers and attempting to get into mix of the every-day workings of, say, the travel sector?
Indeed, what happens if a large, high-profile industry body suddenly sends an email asking for the settlement of a bill, often for arguably just a nominal amount (nowhere near the $20 million windfall being offered from those supposedly operating out of Africa)?
This type of scam is happening right now, using knowledge of the inner workings of high-profile international trade body IATA.
It starts like this:
Given that Tnooz is not an “airline code holder” with IATA, such correspondence from the industry group obviously set a few alarms bells ringing.
But imagine if the recipient was not a media brand and, instead, a customer that has applied for the “airline accounting code and airline prefix code” from IATA (guidelines and application form here).
The email comes from an .org email address (IATA-payment.org) and has valid contact details for the organisation’s offices in Montreal, Canada.
The reason for the redaction in the image above is that it corresponds exactly with that of a genuine employee in the accounts department at IATA in Monteal. A quick check on LinkedIn (as some worried about legitimacy might do) illustrates this:
Tnooz decided to start liaising with the sender of the email to get more details and see what emerged next (typically, entering into correspondence leads nowhere – fraudsters often want to complete the scam as quickly as possible).
On request, another email arrived:
This is the invoice containing details of the money supposedly owed by Tnooz:
After confirming the location of the bank, we asked LloydsTSB (a large UK retail bank) to verify the validity of the bank account details. LloydsTSB says due to the Data Protection Act in the UK it is unable to give further details regarding the account but confirms that its fraud team has been notified of potential fraudulent activity.
Tnooz continued to ask the sender of the original email for additional details relating to the account. This was not forthcoming (“my superiors are in charge of handling member contracts”), so we enquired as to whether it would be possible to elevate the query to a level of a supervisor or manager.
Expecting to hear no further from the sender, within a day we received the following email:
The email supposedly came from a senior individual in the finance department in Geneva (again, name redacted) and contained a scanned copy of Tnooz’s “certificate of accreditation”:
…and a copy of the “lease agreement”:
We then asked the sender to forward us a copy of the application we made for the certificate.
Once again, expecting the trail to go cold, events took an unexpected twist: the sender of the emails from Geneva called by telephone (number withheld).
In a very brief conversation (for fear of stereotyping, the accent of the caller did not sound like it belonged to that of the Anglo-Saxon or European name in the email), he tried to explain briefly that he was unable at that particular time to send the application and urged us to send the payment to resolve the “debt” owed by Tnooz.
This was clearly the last throw of the dice for those behind the original approach as direct correspondence with both the original individual supposedly in the admin unit in Montreal and the financial department in Geneva has now ceased despite a number of emails being sent to both asking for further clarification about the account.
Some interesting points to note about the activity outlined above:
- Use of genuine employee details in the correspondence.
- Knowledge of the terminology used by IATA with members and customers.
- Creation of IATA-headed certificates and accreditation documents.
- Multiple people involved in the approach.
- Use of the telephone to persuade recipients of the invoice to settle their debt.
In short: a very detailed and elaborate process which, despite not fully researching who the recipient might be (Tnooz is, after all, just a media company rather than an agent or other industry business), shows how determined its backers are when using as many methods as possible to obtain money from unknowing people around the industry.
IATA has since confirmed that the original email came from what it says is a fraudulent address.
There are a number of approaches that have been made in the past to industry organisations and individuals, using a variety of bank institutions (LloydsTSB is not one of those listed).
All communication from IATA will ONLY ever come from a @IATA.org address. No official variations exist.
The organisation asks that anyone who has received similar correspondence to notify the organisation on the following email address: information.security@IATA.org.
Astonishingly, despite the bank account being referred to the LloydsTSB fraud team (and Tnooz publishing the above article), in the past few days the second character involved in the correspondence has persisted in asking for the payment via email.
He then called again (number withheld) to reassure us that he would be happy to provide a copy of the application we supposedly submitted and would do so BEFORE we needed to make the payment.
We continued to go along with it and promised we would send payment after a copy of the application form was forwarded to us.
However, in the past few hours, after we emailed the sender to remind him that we were still waiting for the document, the email (finally) inevitably bounced back.
We presume this is probably the end of it all now, in terms of our correspondence – although the entire saga has thrown up plenty of surprises so far, so we’re not holding our breath just yet.
Well, perhaps we could’ve held our breath after all.
The team behind the activity forwarded the requested application form we supposedly completed to apply for the aforementioned license.
The sender also then called again.
We noted with him that the signature was a fake, to which he tried to explain was a result of a process used at IATA’s end to protect signatures of applicants.
Despite this, when asked when we would be making the payment, we assured him that once details were authorised at our end we would be forwarding it the bank account listed above.
Around ten minutes later we received another call.
“My colleague tells me you have been writing about us on the internet.”
We respectfully outlined the process we went through to obtain our information, including talking to the bank and IATA about the alleged fraudulent activity.
After an awkward silence, and before we could ask any further questions, we were simply told to look out an email and he hung up.
An email arrived a further 20 minutes later, simply saying: “YOU SMART??????????”.
No further correspondence received by Tnooz since then.
NB: Tnooz has passed to IATA all of the correspondence and materials it obtained during the course of the process outline above.
Kevin May is a senior editor and one of the co-founders at Tnooz in 2009. He was previously editor of UK-based magazine Travolution and web editor of Media Week UK from 2003 to 2005.
He has worked in regional newspapers (Essex Enquirer) and started his career in journalism at the Police Gazette at New Scotland Yard in London. He has a degree in criminology, a postgraduate diploma in magazine journalism and publishes his first book - a biography about electronic band, Depeche Mode - in 2015.