TORONTO — The American Society of Travel Advisors (ASTA) says it wants to raise awareness of a significant fraud incident reported by ACTA here in Canada, involving the unauthorized use of a legitimate travel agency’s IATA accreditation number and attempted exploitation of airline NDC onboarding processes.
According to ASTA, a bad actor operating from Brazil and other international locations spoofed an agency’s email domain in order to impersonate a legitimate travel business.
Using the agency’s valid IATA accreditation number and GDS PCC – without authorization – the individual attempted to gain access to airline NDC connections. Fraudulent ticketing ultimately occurred through an airline’s NDC channel, despite the legitimate agency not being registered for that NDC connection. The tickets were issued using stolen credit cards, and subsequent chargebacks exposed the scheme. Similar attempts were identified across multiple airlines and connectivity providers, indicating what appears to be coordinated activity rather than an isolated incident.
As ASTA notes, there was no evidence of a breach within GDS or NDC systems. Instead, the vulnerability appears to stem from insufficient verification controls during certain airline NDC onboarding processes. In cases where validation relied primarily on confirming an IATA accreditation number – without additional authentication measures – those credentials were susceptible to misuse, says ASTA. The fraudulent activity involved spoofed domains, exploitation of legitimate accreditation credentials, stolen payment methods, and cross-border coordination.
“This incident underscores a systemic risk for the travel industry,” says ASTA. “If verification controls are weak, legitimate agency credentials can be leveraged by fraudsters to obtain unauthorized ticketing access. As NDC adoption continues to expand, onboarding and credential validation processes may create new exposure points for both agencies and airlines.”
ASTA says it’s encouraging its members to regularly review BSP (and in the U.S., ARC) reports for unfamiliar ticketing activity and promptly investigate any irregular chargebacks or airline inquiries. “It is also critical to centrally track and strictly control airline NDC registrations within your organization. Agencies should limit who has authority to request or approve NDC access and actively monitor for spoofed or look-alike email domains. Additionally, confirm that airlines and technology providers use executive-level validation and/or multi-factor authentication before granting new NDC or portal access. IATA accreditation alone should not be treated as sufficient proof of authorization.”
ASTA adds that agencies that identify suspicious activity should immediately notify the relevant airline partners and GDS or technology security teams. Incidents should also be reported to IATA BSP/Agency Services (or in the U.S., ARC).