Taking Charge of Chargebacks: A Hotelier’s Guide to Combating Fraud

PART THREE

Criminal Fraud: Battling Invisible Fraudsters

Most hotels have experienced a version of the “Inventing Anna” story. A con artist checks in and scams the property, leaving staff wondering, “How did we miss the signs?”

More often than not these days, however, the fraud takes place online, without staff ever seeing the perpetrator. In one extreme case, hackers intercepted a hotel’s email to a client with a PDF invoice for a group booking. The hackers altered the PDF and rerouted the payment to their own account—resulting in a $500,000 loss.

Cyber criminals are constantly looking for vulnerabilities in hotel operations. To prevent your property from becoming their next target, it’s critical to understand the different types of criminal fraud and how to protect your business.

“With the shift to chip card technology, the rules have become much stricter. If the chip isn’t scanned and other critical steps aren’t taken, hotels now have almost no chance of winning a dispute.”

– Mike Ryan, Director of Enterprise Payments, Sertifi

Types of Criminal Fraud

Criminal fraud involves an unauthorized third party using stolen payment information to make purchases, resulting in a chargeback from the actual cardholder. Below are the most common types of criminal fraud in hotels.

Credit Card Authorization Form Fraud

A fraudster provides stolen credit card details to arrange prepayment for room charges.

Card Testing Fraud

A fraudster makes a fake reservation to test if a stolen card is usable, often followed by a no-show.

Third-Party Booking Fraud

A fraudster books a room via a third-party supplier like an OTA and opts for remote check-in to avoid presenting ID in person.

Account Takeover Fraud

A fraudster accesses a guest’s loyalty account using stolen credentials, then uses stored payment methods or loyalty points to purchase items.

The Good News: Card-Present Fraud Is Declining

Recent security measures have reduced card-present (CP) fraud, thanks to stronger regulations.

  • Payment Card Industry Data Security Standard (PCI DSS): A global security standard for protecting cardholder data applicable to all businesses that handle credit card data. Compliance includes encryption, secure payment systems, and access controls.
  • Payment Services Directive 2 (PSD2): An EU regulation enforcing Strong Customer Authentication (SCA) through multi-factor authentication, including 3-D Secure technology, and allowing third-party providers to access customer data securely.

The Bad News: Card-Not-Present Fraud Is Rising

With stricter regulations to prevent offline fraud, criminals have simply shifted their focus to online payments. Card-not-present (CNP) fraud is now the most prevalent form of credit card fraud, accounting for 73% of all card payment fraud in 2023. This resulted in $9.49 billion in losses in the U.S. alone, an 8.5% increase from the previous year.

Contributing factors to the rise of criminal fraud include:

  • Growth in Online Payments: More digital transactions have created more opportunities for fraud.
  • Advanced Tactics: Fraudsters are using sophisticated techniques like phishing, social engineering, and malware to steal payment information.
  • Weak Security Practices: Many hotels haven’t invested in the technology and training needed to protect their systems from attacks.

Protecting Your Hotel from Criminal Fraud

One of the most vulnerable areas for hotels is credit card authorization (cc auth) forms. Here, scanning a chip isn’t an option. Forms are often handled manually, increasing the risk of exposure to fraud. For example, at one hotel, a binder containing cc auth forms was stolen, compromising all the cardholder data inside. Consider the following strategies.

Use e-Authorizations

Replace paper, fax, and email forms with digital authorization systems to securely collect and store credit card information. 

Verify Information

Scrutinize cc auth forms for suspicious details like fake signatures or mismatched addresses. Always verify contact information.

Enable AVS

The Address Verification Service (AVS) confirms that the billing address matches the one on file with the card issuer.

Require Prepayment

When possible, ask for payment or a deposit at least five days prior to arrival to reduce chargeback exposure.

Be Cautious

Avoid accepting last-minute authorization forms and be wary of bookings that seem suspicious.

Never Refund to a Different Card

Refuse any request to refund a payment to a card that is different from the one used for the booking.

Reviewing Your Credit Card Authorization Form

A submitted authorization form can give you helpful clues that show a fraudster may be at work. Train staff to carefully review these areas.

Fraudsters like to act quickly (up to 72 hours prior to arrival), so many hotels have adopted a policy of not accepting reservations within this timeframe, particularly same-day reservations. While that may not be an option, here are some best practices to follow if you can adopt it:

  • Adopt an advance deposit policy and charge a minimum or full amount immediately. If the transaction’s being made with a stolen card, the true cardholder will get a notification of the charge, which will prompt them to contact you. Best practice is to accept a pre-payment no less than six days prior to arrival; do not take a payment five days or less to arrival.

  • Require a second form of payment. If the first card fails or results in a chargeback, the second option is available. This process can be implemented for all same-day reservations.

  • Be on the lookout for vague, mismatched, or incorrect addresses, as well as any address with a P.O. Box.

  • Run a Google search of the provided business name to verify that it's real. Google Streetview can show you if the provided address is really a home, empty lot, bus stop, etc.

  • If the provided cardholder and guest names are the same, that's a red flag since that would mean an authorization isn't necessary at all.

  • Don’t accept a credit card if the address provided for the card and the address provided for the authorization are drastically different.

  • Take note if a business email wasn't used with a business selection.

  • Refrain from accepting credit cards if the billing address and authorization address differ significantly.

The signature should match the cardholder's name. Hotels have been known to accept authorizations signed with false signatures, such as “AAAAAAA,” resulting in chargebacks.

These sections are typically not required to fill out, so fraudsters may skip them to suggest billing was not approved.

Verify phone numbers, as well as a person's identity. Ensure the customer has consistent identities across social media platforms.
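
The form checks in this section can also be run automatically when an authorization form is submitted, so staff review starts from a list of flags. The sketch below is an added example, not code from this guide or from Sertifi; the field names, the free-mail domain list, and the 0.5 address-overlap threshold are assumptions, and both sample forms are constructed.

```python
import re
from datetime import datetime, timedelta

FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list
PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.I)

def norm(text):
    """Lowercase and strip punctuation so names and addresses compare cleanly."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())

def overlap(a, b):
    """Share of address tokens the two strings have in common (0.0 to 1.0)."""
    ta, tb = set(norm(a).split()), set(norm(b).split())
    return len(ta & tb) / max(len(ta | tb), 1)

def review_form(form, now):
    """Return the red flags raised by one authorization form (hypothetical fields)."""
    flags = []
    if form["arrival"] - now <= timedelta(hours=72):
        flags.append("arrival_within_72h")
    if PO_BOX.search(form["billing_address"]):
        flags.append("po_box_address")
    if norm(form["cardholder_name"]) == norm(form["guest_name"]):
        flags.append("cardholder_is_guest")
    if overlap(form["billing_address"], form["authorization_address"]) < 0.5:
        flags.append("address_mismatch")  # 0.5 threshold is an assumption
    if form["is_business"] and form["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL:
        flags.append("non_business_email")
    if norm(form["signature"]) != norm(form["cardholder_name"]):
        flags.append("signature_mismatch")
    return flags

# Constructed sample data, not real bookings.
NOW = datetime(2025, 3, 1, 12, 0)
SUSPICIOUS = {"arrival": datetime(2025, 3, 2, 15, 0), "is_business": True,
              "cardholder_name": "Jordan Smith", "guest_name": "Jordan Smith",
              "billing_address": "P.O. Box 4411, Springfield",
              "authorization_address": "88 Harbor Road, Lakeview",
              "email": "jsmith@gmail.com", "signature": "AAAAAAA"}
CLEAN = {"arrival": datetime(2025, 3, 20, 15, 0), "is_business": True,
         "cardholder_name": "Dana Lee", "guest_name": "Chris Park",
         "billing_address": "120 Market Street, Suite 4, Denver CO",
         "authorization_address": "120 Market St Suite 4 Denver CO",
         "email": "dana.lee@acme-travel.example", "signature": "Dana Lee"}

if __name__ == "__main__":
    for name, form in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(name, review_form(form, NOW))
```

A flagged form is a prompt for manual verification, not an automatic decline; abbreviations such as "St" for "Street" stay below the mismatch threshold.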

Using Sertifi’s authorization solution, you can confidently accept business knowing you’re backed by Kount, an Equifax company, the industry-leading provider of fraud prevention solutions. Our AI-powered fraud tools instantly verify cards and identify risks.

 
