The Internet has revolutionized the way we book our holidays. Unfortunately, it is also enabling fraudsters to prey upon people’s desires to have a perfect vacation, so stay vigilant and check everything before spending any money on airline tickets or accommodations.
Nowadays, it’s common for cybercriminals to send out large volumes of fake emails that are cleverly disguised as legitimate messages. These generally impersonate airlines or other travel-associated organizations, such as agencies, hotels and travel agents. This is part of a larger “malicious traveler” campaign that occurs during popular business and consumer travel seasons.
Scammers usually try to do one of the following:
- Steal money, by making you pay for impressively cheap tickets or luxury villas that don’t exist or won’t be booked for you
- Steal frequent flyer miles
- Install a Trojan on your computer to steal banking information and other kinds of valuable data
The first kind of scam became particularly easy to implement thanks to the Internet. It’s quite easy to set up a fake website for a travel agency or make a clone of a popular website like booking.com. It looks exactly like any other online service designed to help a traveler; the only difference is that payment goes to scammers instead of hotels or airlines. You will receive an electronic confirmation, but it is impossible to use it when you begin your vacation. According to an ABTA (UK Travel Association) study, the most dangerous bookings are airline tickets, villas and apartments and packaged trips, especially related to sports or religion. All of them have something in common – you typically pay in advance.
To steal frequent flyer miles, fraudsters send huge numbers of phishing emails that promise more points in a frequent flyer program or offer a supposed prize to victims. In some attacks the customer is asked to re-register on a fake website, which gives cybercriminals the victim’s account information so they can take their miles. By scamming the customer, criminals are able to steal the flyer miles to use as tickets themselves, or sell/barter them off to other criminals. We saw this in Latin America with airlines in the region, and fake American Airlines notifications were also reported in the US.
Of course, it is easier to trick users into clicking on malicious links when a victim is searching for vacation options. That’s why phishing emails are disguised as confirmation emails (like a fake confirmation from US Airways or British Airways). If a user is fooled into clicking on the link, the URL redirects the user to a malicious site that installs a banking Trojan, which infects the computer and steals banking passwords and login credentials. These types of emails can also contain a ZIP file attachment that you are asked to open to view your confirmation.
Booking your vacation in a safe way
- Stick to popular and well-known websites. Don’t visit them using any links inside e-mails or advertising banners. Type the URL in the address bar of your browser – this helps to avoid clones.
- If you’re tempted by an offer from an unknown company, perform some research online. Google the company’s name, consult your country’s tourism authority (like the aforementioned ABTA) to check the company’s reputation, and check that contact details are fully accessible, including a physical address.
- Carefully read the terms and conditions to be fully aware of protocol.
- Use protected payment, if available – a credit card, a payment card with traveler’s insurance and so on.
- Don’t make a direct payment to property owners, especially through a bank transfer. Use reputable travel agents for apartment/villa accommodations.
- Double-check confirmations you’ve received. If one confirms something you haven’t booked, it’s probably phishing. Cybercriminals often use the brand names of popular sites to produce fraudulent spam, and we advise users to avoid opening such emails or clicking any links inside them. If you have a confirmation for a transfer or accommodation you’ve previously booked, use airline or hotel websites to ensure its validity. Don’t click links in your confirmation – type the website name into the address bar of your browser.
- Additionally, do not open any email attachments sent from travel agencies, hotels or airlines. Reputable companies will not send confirmations in an attachment. If you doubt the authenticity of an email, you can always contact the company involved using the contact details provided on their official site.
- If you have frequent flyer miles accumulated for an airline, stay alert and don’t react to any suspicious messages you may receive by email. Instead of checking your account within the email, type out the URL of the airline’s designated homepage and login directly, as opposed to clicking on links from third parties. From there, check your account for any notifications that match the one sent in the email to verify if it’s legitimate.
- Protect your logins to airline or travel agency websites with a unique, complex password/passphrase that you maintain privately and securely.
- Use comprehensive security software on your computer to block malicious sites and attachments.
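The two warning signs described above for fake confirmation emails, a ZIP attachment and a link whose visible address differs from where it actually leads, can also be checked automatically at a mail gateway or in a reported-phishing mailbox. The following is an added example, not part of the original article; the sample message, the function and class names, and all hosts in it are constructed placeholders.

```python
import email, email.policy, re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every name and host in it is a placeholder.
SAMPLE = b"""\
Subject: Your booking confirmation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Ticket: <a href="http://tickets.example.net/c">www.example-airways.test</a></p>
--b1
Content-Type: application/zip; name="confirmation.zip"

--b1--
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML."""
    def __init__(self, html):
        super().__init__()
        self.links, self._href, self._text = [], None, []
        self.feed(html)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip().lower()))
            self._href = None

def triage(raw):
    """Flag ZIP attachments and links whose visible host differs from the href."""
    findings, host = [], lambda h: (h or "").lower().removeprefix("www.")
    for part in email.message_from_bytes(raw, policy=email.policy.default).walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() == "application/zip":
            findings.append(("zip-attachment", name))
        elif part.get_content_type() == "text/html":
            for href, text in LinkCollector(part.get_content()).links:
                shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text)
                if shown and host(shown.group()) != host(urlparse(href).hostname):
                    findings.append(("link-mismatch", f"{shown.group()} -> {href}"))
    return findings
```

A finding here is a reason to verify the booking on the company’s own site, not proof of fraud: legitimate senders sometimes route links through tracking hosts.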