TSA PreCheck Scam Dupes Travelers into Paying Excess Fees

November 18, 2021

In March 2021, the Better Business Bureau (BBB) issued a scam alert describing misleading websites that claimed to offer victims TSA PreCheck, Global Entry, or NEXUS application services but instead charged the consumer $140. This was followed up in July by a consumer alert from the New Hampshire Attorney General’s Office. Additional reporting from later that month indicated at least one of these scam websites was a paid Google ad appearing in the top search result for “TSA Pre-Check.”

TSA Phishing Email Leads to Renewal Application

On November 9, 2021, we identified an unusual phishing email that claimed to be from “Immigration Visa and Travel,” inviting the recipient to renew their membership in the TSA PreCheck program. While the email wasn’t sent from a .gov domain, the average consumer might not immediately reject it as a scam, particularly because it had the term “immigrationvisaforms” in the domain. The email instructed the user to renew their membership at a quasi-legitimate-looking website.


The email provides instructions on how to renew the TSA application, and the website URL appears to be a TSA PreCheck Application Service. A disclaimer at the top clarifies that this website has nothing to do with the Department of Homeland Security (DHS) or the TSA, and it is displayed in white text over a busy photo of an airport security line. The application is featured at the top of the page, with the pesky information clarifying the $139.99 additional fee for their “services” listed well below. And if the applicant scrolled to the very bottom of the page, they would read the following disclaimer:

“We are not the United States government or associated with it. There are no guarantees you will be granted a known traveler number by the government. We try to make sure everything is submitted correctly to eliminate rejections from submission errors.”

Continuing to use the “application,” an applicant flips through several screens, entering contact and personal information, including all previous names, place of birth, passport number, criminal history, and all addresses from the past five years. The user is then allowed to select their first and second choice cities for a security interview, providing general windows of time when interviews are and are not available.

When certifying that the application is correct, the instructions indicate processing the application may take several weeks, providing the expectation that the user would be contacted to finalize their interview schedule. The instructions also clarify that two fees are necessary to submit an application, one to PayPal upon submission of the application and another $85 fee—the actual cost for a PreCheck membership—to be paid at the interview.


After agreeing to the terms and conditions, an applicant selects if the application is for initial approval or renewal.


Finally, a user is led to the final payment screen where they are instructed to make a $139.99 payment to APPLICATION CONSULTING OOD for “Low Risk Traveler Service item #: APS-TSA” through PayPal. Because when purchasing federal services there is usually only one option, and you must use PayPal, right?


Sadly, this was where our experiment ended, and we were informed our payment had been unsuccessful. We were assured that our application would be processed once the payment was received, and we would get an email once it had been submitted to the United States government.

The refund policy page for the website explicitly discourages filing a dispute or issuing a chargeback, promising that it would only add a two-week delay to any possible refund.


The contact information provided on the refund page uses info@airportprescreening.com and an address also associated with an accounting firm named Doherty & Associates, located in Wilmington, Delaware, whose website appears inactive and currently redirects to another site. The bad actors may be using another random address, or the accounting firm itself may have been the victim of a breach. It's interesting to note that similar email addresses were present on other travel program websites created by this fraud group, which uses the pattern info@[domain.com] when providing a contact email on their websites.

Behind the TSA Scam: IVT Services, Inc.

The domain that sent the original TSA PreCheck renewal email hosts what looks like a generic customer service WordPress website. In this case, IVT is attempting to appear as the controlling business for this venture. Our original phishing email was signed by Dolores Green, “IVT Applications Manager.” The copyright at the bottom of the immigrationvisaforms.com website provides the company name IVT Services Inc and registered address 5301 Limestone Rd, Wilmington, DE 19808—a multistory business park building.

Add the subdomain “usa.”, and you will see somewhat familiar-looking copywriting and formatting for a website, this time claiming to assist with applications for the NEXUS travel program between the United States and Canada. This group uses this subdomain tactic more than once.


A quick Google search located another website using the exact same disclaimer: "We are not the United States government or associated with it." WHOIS records indicate that the domain was registered with the email address fastvisasassessoria@gmail.com.


The email address fastvisasassessoria@gmail.com was located in WHOIS information and passive DNS records for nine domains.

The websites themselves were registered between August 2020 and October 2021 and feature a very similar structure, targeting Global Entry, NEXUS, SENTRI, and FAST travel program applicants.

Interestingly, the first domains registered using fastvisasassessoria@gmail.com used the top-level domain “.com.br”. In November 2017, the small travel business Immi Solutions was registered in Brazil by Renato Teodoro Gabeta using the same email address. The listing also provided the WhatsApp phone number (19) 99280-8240 as the contact for the business, as well as an address located in a Sao Paulo high-rise condominium.

Performing a reverse IP address lookup for 69.16.204.17, associated with one of our original domains, links 153 travel program domains and subdomains. Between the email address and the IP address, 30 domains were identified in total.
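
The pivot described above, sketched as an added example (not Abnormal's tooling): domains are linked into one cluster when they share a registrant email or a hosting IP. All records are constructed, using reserved .test names, example.com addresses, and documentation IP ranges.

```python
from collections import defaultdict

# Constructed sample records (not real WHOIS or passive DNS data).
RECORDS = [
    {"domain": "precheck-help.test", "email": "registrant1@example.com", "ip": "192.0.2.10"},
    {"domain": "nexus-forms.test", "email": "registrant1@example.com", "ip": "192.0.2.44"},
    {"domain": "sentri-apply.test", "email": None, "ip": "192.0.2.44"},  # redacted WHOIS
    {"domain": "usa.nexus-forms.test", "email": None, "ip": "192.0.2.44"},
    {"domain": "unrelated-shop.test", "email": "owner@example.org", "ip": "198.51.100.7"},
]

def cluster_domains(records):
    """Group domains that share a registrant email or hosting IP (union-find)."""
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    first_seen = {}  # (kind, value) -> first domain observed with that value
    for rec in records:
        dom = rec["domain"].lower()
        parent.setdefault(dom, dom)
        for kind in ("email", "ip"):
            value = rec.get(kind)
            if not value:
                continue  # redacted or missing field gives no link
            key = (kind, value.lower())
            if key in first_seen:
                parent[find(dom)] = find(first_seen[key])  # merge the two clusters
            else:
                first_seen[key] = dom

    groups = defaultdict(set)
    for dom in parent:
        groups[find(dom)].add(dom)
    # Largest cluster first; domains sorted inside each cluster.
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)

if __name__ == "__main__":
    for cluster in cluster_domains(RECORDS):
        print(len(cluster), cluster)
```

A shared IP alone is weak evidence on shared hosting, so IP-only links are leads to confirm against a second signal such as the registrant email or identical page text.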

Domains we’ve linked to this group include the following:


Also Behind the TSA Scam: Application Consulting

Application Consulting OOD is a Bulgarian IT service business that offers data processing and hosting and was allegedly created in 2017. The only two executives listed for the company are Dimitar Atanasov Atanasov and Elizabet Gomersal. While we're unsure how Application Consulting is connected to IVT Services, it's clear that they are both involved in this TSA PreCheck scam.


On October 22, 2021, Application Consulting OOD posted on several Bulgarian job search websites that they were looking for a fully remote IT administrator. The post describes the company as a small operation of about 25 people. Starting salary is 1000 Bulgarian Lev (about $580 USD) for the three-month trial period, and then doubles to their normal salary of 2000 Bulgarian Lev, which is about $1160 USD. The address listed for the business specifies that they are located on the 4th floor, in apartment 7 in Varna, Bulgaria.

From the description, it appears their primary business needs are the creation and management of websites using WordPress, which integrates with PayPal. Something about that seems very familiar…


TSA PSA

This is not the first time this scam has appeared, and it's not likely to be the last. Travelers can always apply for TSA PreCheck via the official website tsa.gov/precheck or the DHS website universalenroll.dhs.gov. Note that “First time applicants for the TSA PreCheck program are not asked to provide payment information online,” according to the TSA website. During their initial application, they “cannot pay the enrollment or application fee online,” and must complete their application and “pay in-person” to finish the application process. The TSA website provides advice on what to do if you believe you have been victimized by this scam.

For information on actual costs and details of all United States Trusted Traveler Programs, the official DHS website provides links to apply directly. The site contains links to contact TSA Support for assistance with PreCheck, and Customs & Border Protection (CBP) Support for Global Entry, NEXUS, SENTRI, and FAST programs.

While this scam mostly targets consumers, organizations that pay for or reimburse employees for TSA PreCheck and related services should be wary of these emails reaching employee inboxes. As business travel resumes around the world, organizations should provide this information to employees as an added precaution, before these Bulgarian cybercriminals can take advantage.
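
For mail teams, a triage check for the kind of message described in this post, as an added example (not Abnormal's detection logic): it holds any message that mentions a trusted traveler program when the sender domain or a linked host does not end in .gov. The sample message, its sender address, and its non-.gov link host are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message; sender and first link host are placeholders.
SAMPLE = (
    "From: Immigration Visa and Travel <renewals@traveler-forms.test>\n"
    "Subject: Renew your TSA PreCheck membership\n"
    "\n"
    "Your membership is due for renewal. Start here:\n"
    "https://renew.precheck-gov.test/apply\n"
    "Official information: https://www.tsa.gov/precheck\n"
)

PROGRAMS = re.compile(r"tsa\s*pre-?\s*check|global entry|\bnexus\b|\bsentri\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_gov(host):
    """True only when the hostname ends in .gov, not when 'gov' merely appears in it."""
    return (host or "").lower().rstrip(".").endswith(".gov")

def triage(raw):
    """Return reasons to hold a trusted-traveler-themed message for review."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # the sample is single-part text/plain
    if not PROGRAMS.search(f"{msg.get('Subject', '')}\n{body}"):
        return []  # not about a trusted traveler program
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not is_gov(sender):
        reasons.append(f"sender domain is not .gov: {sender}")
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if not is_gov(host):
            reasons.append(f"link to non-.gov host: {host}")
    return reasons

if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print(reason)
```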
