By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: RiskifiedPublished July 23, 2025

TL;DR: Fraud rings are using fake online travel agencies, long lead times, device and connectivity combinations, and booking changes to bypass travel merchant controls, according to Riskified. The pattern shows that fraud prevention must account for adversarial adaptation, not just static rules, while customers using buy-for-you services often become victims too.


At a glance

What this is: This is an analysis of how fraudulent online travel agencies and buy-for-you services are exploiting merchant fraud signals to turn travel bookings into a dark web fraud pipeline.

Why it matters: It matters because travel merchants, payment teams, and fraud leaders need controls that detect manipulated booking behaviour, protect customer cards, and reduce chargeback exposure without blocking legitimate demand.

👉 Read Riskified's analysis of travel fraud trends in the latest Risk Rundown


Context

Fraud in travel is not only a payment problem. It is a control problem where attackers study the merchant’s rules, then shape booking behaviour to sit just outside detection thresholds while still completing monetisable reservations. In this case, the primary keyword is travel fraud, and the identity boundary is the payment credential and the customer account being abused.

Fraudulent online travel agencies, often called buy-for-you services, sit between a genuine traveller and the merchant’s booking flow. That creates a trust gap across card use, reservation changes, and post-booking fulfilment. For identity and fraud teams, the key question is not whether the booking looks ordinary at submission, but whether the surrounding behaviour shows coordinated abuse across accounts, devices, and payment sources.


Key questions

Q: What breaks when travel fraud controls focus only on checkout risk?

A: Checkout-only controls miss the later stages where fake OTA fraud is actually monetised. Attackers may pass the initial authorisation, then change itinerary details or rely on long settlement windows to avoid reversal. Effective travel fraud defence has to monitor booking mutation, fulfilment timing, and chargeback exposure, not just the first payment event.

Q: Why do fake travel agencies complicate fraud prevention and identity checks?

A: They separate the person making the booking from the person funding it and from the person who ultimately benefits. That breaks the usual assumption that one verified customer is behind the entire transaction. Merchants need to assess payment authority, booking behaviour, and fulfilment intent as distinct signals.

Q: How do security teams spot book-and-switch fraud in travel flows?

A: Look for long-dated bookings, itinerary edits, and unusual device or network combinations that appear consistent only when viewed in isolation. Fraud rings use these patterns to avoid red flags and extend the time before chargeback processing. A useful detection model links these behaviours across the full booking journey.

Q: Who should own response when fake OTA fraud affects customers and merchants?

A: Responsibility should be shared across fraud operations, payments, customer support, and risk governance. Merchants need a process for disputed bookings, card-skimming indicators, and customer protection because fake OTA schemes can harm cardholders even when the merchant’s own controls were partially effective.


Technical breakdown

How buy-for-you travel fraud uses legitimate booking flows

Buy-for-you services are fraud operations that present as ordinary travel agencies while using stolen cards or other illicit payment methods underneath. The fraudster absorbs the booking risk, then resells the itinerary or the appearance of a cheap deal to the end customer. The merchant sees a normal booking flow, but the real transaction context is obscured. That matters because booking legitimacy and payment legitimacy are no longer the same thing, and fraud controls must separate the two.

Practical implication: merchant controls must score the transaction context, payment provenance, and post-booking behaviour as separate signals.

Why long lead times and itinerary changes reduce detection

Fraud rings often target flights scheduled far in the future because the delay reduces the chance of immediate review and allows more room to alter the booking later. A long gap also gives scammers time to move money, resell access, or switch itineraries before reversal or chargeback processes complete. In practice, the fraudster is not defeating a single rule. They are exploiting how booking windows, review latency, and fulfilment timing interact.

Practical implication: teams should tune monitoring for long-dated bookings, reissue events, and post-purchase itinerary changes.

How device and network patterns become fraud signals

Risk signals in travel often include unusual combinations such as desktop devices using cellular connections, which can indicate proxying, emulation, or intentional mismatch between the claimed customer context and the real operating environment. Fraudsters study which combinations trigger scrutiny and then vary them to blend in. This is classic adversarial adaptation: once one pattern becomes a rule, the attacker shifts to the next closest acceptable pattern.

Practical implication: merchants need layered device, network, and behavioural analytics rather than single-signal blocking rules.


Threat narrative

Attacker objective: The attacker aims to monetise travel bookings while keeping fraud hidden long enough to complete fulfilment and avoid reversal.

  1. Entry occurs when a fraudulent OTA or buy-for-you service submits travel bookings using stolen credit cards or other illicit payment means.
  2. Escalation happens when the fraudster modifies departure dates or uses behavioural patterns that avoid immediate merchant review, extending the window before detection.
  3. Impact is realised when bookings are monetised through fake agency channels, chargebacks rise, and legitimate travellers or cardholders absorb the downstream loss.

NHI Mgmt Group analysis

Fraud in travel has become a signal-aware adversary problem, not a simple payment screening problem. The article shows that fraudsters are studying merchant detection logic and reshaping booking behaviour to sit just outside rule thresholds. That shifts the problem from static fraud rules to adaptive governance across payment, customer, and fulfilment signals. Practitioners should treat the booking flow as an adversarial environment, not a passive transaction record.

Buy-for-you services create a trust boundary that merchants rarely model cleanly. The traveller, the fraudster, the cardholder, and the merchant are not the same party, yet current workflows can blur those roles into a single approved booking. That creates a verification gap between identity, payment authority, and travel intent. Identity and fraud teams should separate who initiated the booking, who funded it, and who benefits from the reservation.

Book-and-switch fraud is really a timing attack on merchant controls. Long lead times, itinerary changes, and delayed reversals give criminals a larger action window than merchants often expect. The named concept here is detection latency gap: the time between fraudulent intent appearing and the control stack being able to act on it. Practitioners should reduce that window by aligning monitoring with booking lifecycle events, not just checkout.

Travel fraud governance now depends on behavioural correlation across the full journey. The article’s device and connectivity examples show that no single indicator is sufficient when fraud operators vary their patterns quickly. The right response is not more isolated friction, but stronger linkage between device reputation, payment history, booking mutation, and customer account behaviour. Teams should build for correlation, not isolated alerts.

The customer harm in fake OTA schemes extends beyond merchant loss. The article notes that travellers using these services can become secondary victims when their own cards are skimmed and reused. That means fraud prevention is also a consumer protection issue, and programmes need escalation paths that account for compromised cardholders as well as merchant exposure. Practitioners should measure harm across the whole fraud chain, not only on authorisation rates.

What this signals

Detection latency gap: travel merchants should measure how long it takes for a suspicious booking to become a decisive control event, because fraud rings profit from the delay between first signal and containment. That means aligning risk scoring with itinerary mutations, not just payment submission, and treating delayed travel dates as an operational risk factor rather than a harmless booking preference.

The governance lesson here is broader than travel. Any business that sells a future service, allows post-purchase modification, or relies on deferred fulfilment should assume adversaries will optimise for the window between approval and delivery. Merchants that connect payment telemetry with customer behaviour and fulfilment changes will close that gap faster than those that rely on isolated fraud rules.


For practitioners

  • Correlate booking lifecycle events Track initial booking, date changes, ticketing, and refund activity as a single sequence so fraud teams can spot manipulation that only emerges after the first authorisation.
  • Weight long lead-time bookings differently Apply separate review logic to distant departure dates because fraud rings use the gap between booking and travel to avoid reversal windows.
  • Combine device and network reputation Score mismatched combinations such as desktop sessions over cellular networks alongside IP history, account age, and payment provenance rather than using each signal alone.
  • Build escalation paths for compromised cardholders Treat travellers using fake OTA services as potential victims and route suspected card skimming cases into both fraud and customer protection workflows.

Key takeaways

  • Fake OTA and buy-for-you fraud works because the attacker can separate booking intent from payment legitimacy.
  • Long lead times and post-booking changes expand the fraud window and reduce the value of single-point checkout checks.
  • Merchants need correlation across device, payment, and fulfilment signals if they want to shrink the detection gap.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0DE.CM-1Continuous monitoring is relevant because fraud patterns adapt to merchant signals.
NIST SP 800-53 Rev 5SI-4System monitoring supports detection of manipulated booking behaviour and fraud patterns.
GDPRArt.32Customer and payment data used in fraud detection still requires proportionate protection.

Link booking telemetry to monitoring workflows so suspicious behaviour is detected across the full journey.


Key terms

  • Buy-for-You Service: A buy-for-you service is a fraudulent intermediary that appears to help customers book travel while secretly using illicit payment methods or stolen cards. The service creates distance between the criminal actor and the merchant, making the booking look legitimate until chargebacks, disputes, or downstream misuse reveal the fraud.
  • Chargeback Window: The chargeback window is the time available before a disputed transaction can be reversed or contested through card network processes. Fraud operators exploit this period by delaying detection, changing fulfilment details, or monetising the purchase before recovery actions can begin.
  • Detection Latency Gap: Detection latency gap is the time between the first suspicious signal and the point at which a control can actually stop loss. In travel fraud, that gap can be created by long lead times, delayed travel dates, and post-booking edits that move the fraud beyond the merchant’s first review point.
  • Payment Provenance: Payment provenance is the traceability of where a payment instrument came from, who controls it, and whether it is being used within authorised intent. It matters in fraud governance because a successful transaction can still be illegitimate if the underlying card, account, or funding source is compromised.

What's in the full article

Riskified's full analysis covers the operational detail this post intentionally leaves for the source:

  • The specific travel-fraud patterns observed in the dark web OTA ecosystem and how they evolve over time
  • Practical examples of booking behaviour that merchants can feed into fraud models and manual review queues
  • A fuller roadmap for fraud prevention across travel merchants, loyalty programmes, and payment teams
  • Operational guidance on using machine learning and broader data networks to separate good bookings from bad orders

👉 Riskified's full article breaks down the fraud patterns, merchant signals, and prevention roadmap in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and identity lifecycle controls that help practitioners think clearly about trust boundaries and privileged access. It is useful for security teams that need a stronger governance model across identity-driven risk.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org