
TSA PreCheck Scam Dupes Travelers into Paying Excess Fees

November 18, 2021

In March 2021, the Better Business Bureau (BBB) issued a scam alert describing misleading websites that claimed to offer victims TSA PreCheck, Global Entry, or NEXUS application services but instead charged the consumer $140. This was followed up in July by a consumer alert from the New Hampshire Attorney General’s Office. Additional reporting from later that month indicated at least one of these scam websites was a paid Google ad appearing in the top search result for “TSA Pre-Check.”

TSA Phishing Email Leads to Renewal Application

On November 9, 2021, we identified an unusual phishing email that claimed to be from “Immigration Visa and Travel,” inviting the recipient to renew their membership in the TSA PreCheck program. While the email wasn’t sent from a .gov domain, the average consumer might not immediately reject it as a scam, particularly because it had the term “immigrationvisaforms” in the domain. The email instructed the user to renew their membership at a quasi-legitimate-looking website.

[Image: TSA PreCheck scam email]

The email provides instructions on how to renew the TSA application, and the website URL appears to be a TSA PreCheck Application Service. A disclaimer at the top clarifies that this website has nothing to do with the Department of Homeland Security (DHS) or the TSA, and it is displayed in white text over a busy photo of an airport security line. The application is featured at the top of the page, with the pesky information clarifying the $139.99 additional fee for their “services” listed well below. And if the applicant scrolled to the very bottom of the page, they would read the following disclaimer:

“We are not the United States government or associated with it. There are no guarantees you will be granted a known traveler number by the government. We try to make sure everything is submitted correctly to eliminate rejections from submission errors.”
[Image: TSA scam email application]

Continuing to use the “application,” an applicant flips through several screens, entering contact and personal information, including all previous names, place of birth, passport number, criminal history, and all addresses from the past five years. The user is then allowed to select their first and second choice cities for a security interview, providing general windows of time when interviews are and are not available.

When certifying that the application is correct, the instructions indicate processing the application may take several weeks, providing the expectation that the user would be contacted to finalize their interview schedule. The instructions also clarify that two fees are necessary to submit an application, one to PayPal upon submission of the application and another $85 fee—the actual cost for a PreCheck membership—to be paid at the interview.

[Image: TSA scam certification payment screen]

After agreeing to the terms and conditions, an applicant selects if the application is for initial approval or renewal.

[Image: TSA scam terms and conditions screen]

Finally, a user is led to the final payment screen where they are instructed to make a $139.99 payment to APPLICATION CONSULTING OOD for “Low Risk Traveler Service item #: APS-TSA” through PayPal. Because when purchasing federal services there is usually only one option, and you must use PayPal, right?

[Image: TSA scam PayPal payment page]

Sadly, this was where our experiment ended, and we were informed our payment had been unsuccessful. We were assured that our application would be processed once the payment was received, and we would get an email once it had been submitted to the United States government.

The refund policy page for the website explicitly discourages filing a dispute or issuing a chargeback, promising that it would only add a two-week delay to any possible refund.

[Image: TSA scam fake refund policy page]

The contact information provided on the refund page uses info@airportprescreening.com and an address also associated with an accounting firm named Doherty & Associates, located in Wilmington, Delaware, whose website appears inactive and currently redirects to another site. The bad actors may be using another random address, or the accounting firm itself may have been the victim of a breach. It's interesting to note that similar email addresses were present on other travel program websites created by this fraud group, which uses the pattern info@[domain.com] when providing a contact email on their websites.

Behind the TSA Scam: IVT Services, Inc.

The domain from which the original TSA PreCheck renewal email was sent looks like a generic copy of a customer service WordPress website. In this case, IVT is attempting to appear as the controlling business for this venture. Our original phishing email was signed by Dolores Green, “IVT Applications Manager.” The copyright at the bottom of the immigrationvisaforms.com website provides the company name IVT Services Inc and registered address 5301 Limestone Rd, Wilmington, DE 19808—a multistory business park building.

Add the subdomain “usa.”, and you will see somewhat familiar-looking copywriting and formatting for a website, this time claiming to assist with applications for the NEXUS travel program between the United States and Canada. This group uses this subdomain tactic more than once.

[Image: NEXUS card renewal scam website]

A quick Google search located another website using the exact same disclaimer: "We are not the United States government or associated with it." WHOIS records indicate that the domain was registered with the email address fastvisasassessoria@gmail.com.

[Image: TSA scam webpage Google search result]

The email address fastvisasassessoria@gmail.com was located in WHOIS information and passive DNS records for nine domains.

The websites themselves were registered between August 2020 and October 2021 and feature a very similar structure, targeting Global Entry, NEXUS, SENTRI, and FAST travel program applicants.

Interestingly, the first domains registered using fastvisasassessoria@gmail.com used the top-level domain “.com.br”. In November 2017, the small travel business Immi Solutions was registered in Brazil by Renato Teodoro Gabeta using the same email address. The listing also provided the WhatsApp phone number (19) 99280-8240 as the contact for the business, as well as an address located in a Sao Paulo high-rise condominium.

Performing a reverse IP address lookup for 69.16.204.17, associated with one of our original domains, links 153 travel program domains and subdomains. Between the email address and the IP address, 30 domains were identified in total.
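The pivot described above, linking domains through a shared WHOIS registrant email or a shared hosting IP, can be expressed as a clustering step. This is an added example, not code from the investigation; the records, `.example` domains, email addresses and RFC 5737 IPs are all constructed.

```python
from collections import defaultdict

# Constructed records (not data from the investigation): domain, WHOIS
# registrant email, resolved IP. Domains use the reserved .example TLD and
# IPs come from RFC 5737 documentation ranges.
RECORDS = [
    ("precheck-forms.example", "registrant-a@mail.example", "192.0.2.10"),
    ("nexus-apply.example", "registrant-a@mail.example", "192.0.2.44"),
    ("usa.nexus-apply.example", None, "192.0.2.10"),   # WHOIS redacted
    ("sentri-online.example", None, "192.0.2.44"),     # WHOIS redacted
    ("unrelated-shop.example", "owner@shop.example", "198.51.100.7"),
]


def cluster_domains(records):
    """Group domains linked by a shared registrant email or IP (union-find)."""
    parent = {}

    def find(x):
        # setdefault registers unseen nodes as their own root.
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for domain, email, ip in records:
        find(domain)
        if email:
            union(domain, ("email", email.lower()))
        if ip:
            union(domain, ("ip", ip))

    clusters = defaultdict(set)
    for domain, _, _ in records:
        clusters[find(domain)].add(domain)
    # Largest cluster first; domains sorted for stable output.
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)
```

A shared IP alone is weak evidence when the address belongs to a shared hosting provider, so treat IP-only links as leads to confirm with registrant data or site content.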

Domains we’ve linked to this group include the following:


Also Behind the TSA Scam: Application Consulting

Application Consulting OOD is a Bulgarian IT service business that offers data processing and hosting and was allegedly created in 2017. The only two executives listed for the company are Dimitar Atanasov Atanasov and Elizabet Gomersal. While we're unsure how Application Consulting is connected to IVT Services, it's clear that they are both involved in this TSA PreCheck scam.

[Image: TSA scam Bulgarian IT business Application Consulting logo]

On October 22, 2021, Application Consulting OOD posted on several Bulgarian job search websites that they were looking for a fully remote IT administrator. The post describes the company as a small operation of about 25 people. Starting salary is 1000 Bulgarian Lev (about $580 USD) for the three-month trial period, and then doubles to their normal salary of 2000 Bulgarian Lev, which is about $1160 USD. The address listed for the business specifies that they are located on the 4th floor, in apartment 7 in Varna, Bulgaria.

From the description, it appears their primary business needs are the creation and management of websites using WordPress, which integrates with PayPal. Something about that seems very familiar…

[Image: Application Consulting IT administrator job description]

TSA PSA

This is not the first time this scam has appeared, and it's not likely to be the last. Travelers can always apply for TSA PreCheck via the official website tsa.gov/precheck or the DHS website universalenroll.dhs.gov. Note that “First time applicants for the TSA PreCheck program are not asked to provide payment information online,” according to the TSA website. During their initial application, they “cannot pay the enrollment or application fee online,” and must complete their application and “pay in-person” to finish the application process. The TSA website provides advice on what to do if you believe you have been victimized by this scam.

For information on actual costs and details of all United States Trusted Traveler Programs, the official DHS website provides links to apply directly. The site contains links to contact TSA Support for assistance with PreCheck, and Customs & Border Protection (CBP) Support for Global Entry, NEXUS, SENTRI, and FAST programs.

While this scam mostly targets consumers, organizations that pay for or reimburse employees for TSA PreCheck and related services should be wary of these emails reaching employee inboxes. As business travel resumes around the world, organizations should provide this information to employees as an added precaution, before these Bulgarian cybercriminals can take advantage.
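For organizations that want to catch these lures before they reach employee inboxes, the tell described in this post (trusted traveler program branding combined with a sender or link outside .gov) can be checked mechanically. This is an added example, not Abnormal's detection logic; the keyword list and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Program names the lure trades on (hypothetical keyword list).
PROGRAM_TERMS = re.compile(
    r"\b(tsa\s*pre[\s-]?check|global\s+entry|nexus\s+card|sentri|known\s+traveler)\b",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample messages (not the email from the investigation).
SCAM = (
    "From: Travel Renewals <manager@traveler-forms.example>\n"
    "Subject: Renew your TSA PreCheck membership\n"
    "\n"
    "Renew today at https://precheck-renewal.example/apply.\n"
)
OFFICIAL = (
    "From: Enrollment <enrollment@universalenroll.dhs.gov>\n"
    "Subject: Your TSA PreCheck renewal\n"
    "\n"
    "Renew at https://universalenroll.dhs.gov/ when ready.\n"
)


def is_gov(host):
    """True only when .gov is the actual top-level domain of the host."""
    host = host.lower().rstrip(".")
    return host.endswith(".gov")


def assess(raw):
    """Flag program-themed mail whose sender or links are outside .gov."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    body = "\n".join(
        (p.get_payload(decode=True) or b"").decode(
            p.get_content_charset() or "utf-8", "replace")
        for p in parts
    )
    text = f"{msg.get('Subject', '')}\n{body}"
    hosts = {(urlparse(u).hostname or "").rstrip(".") for u in URL_RE.findall(text)}
    non_gov_links = sorted(h for h in hosts if h and not is_gov(h))
    mentions = bool(PROGRAM_TERMS.search(text))
    flagged = mentions and (not is_gov(sender_domain) or bool(non_gov_links))
    return {"flagged": flagged, "sender_domain": sender_domain,
            "non_gov_links": non_gov_links}
```

The From header can be forged, so this check complements SPF, DKIM and DMARC evaluation rather than replacing it.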
