Summer travel scam targets your points and miles

How sure are you that the airline miles and hotel rewards points you've been hoarding for years will be there when you go to redeem them?

Ah, summer: the time for cookouts and fireworks and long days at the beach trying not to check your email. It's also a time to finally use all those airline miles and hotel points you've accumulated to get a free place to stay and free transportation to get there.

If they haven't been stolen, that is.

Those points and miles have become the target of the latest hacking scams, and most travel-related sites haven't done much about it, according to the recently released State of Email Trust Report from email security company Agari. While financial institutions are still attacked with gusto, Agari has found that most of them have put up roadblocks to those attacks. And when one path is blocked, scammers will quickly find one that is not.

"Criminals are still going after the liquid assets in banks and credit cards, but they've found those sites have been locked down," says Patrick Peterson, Agari founder and CEO. "It's much harder to do something with airline miles and hotel points, but it's much easier to get your hands on." 

Airline points a new form of black market currency?

Peterson calls scamming customers out of miles and points the "issue du jour" in travel hacks.

"Criminals have discovered that they can monetize all those wonderful airline and hotel points," he says. "They are very busy doing some very nefarious things with that, and a lot of our hotel chains and airlines are up in arms."

In January, for example, the Starwood Preferred Guest program was hacked. Lufthansa and British Airways saw similar incidents this spring.

Hackers are doing this, Peterson says, because banks and credit card companies have finally gotten serious about security, and even though there's less cash value to miles or points, they're still worth something on the black market, especially if the hacking process can be automated.

"It's quite surprising they got away for so long with so little security," Peterson says of many travel sites.

Two big exceptions in these security flaws, he said, are and Delta, which were both ranked "Safe" by Agari's TrustScore rankings.

Multiple travel-related sites, including AirTran, American Airlines, CheapOAir, Expedia, Marriott, SkyWest, United Airlines and USAirways were ranked "Vulnerable," the lowest rank possible. Sites for, Jetblue, Priceline, RentalCars, Travelocity, Trip Advisor and Virgin America ranked "At Risk," which is in the middle.

How the hack works

While the target of these travel scams, points, may have changed, the method of getting the information, acquiring usernames and passwords, has not.

Scammers are still sending phishing emails to get consumer information, and also sending invoices or vouchers for fake tickets to get malware onto consumers' machines, said Peterson.

"There's a lot of targeted emails and texts that are going out right now that are coupons or travel-based," says Jerry Irvine of the National Cyber Security Task Force and CIO of Prescient Solutions. When recipients of those messages click on links, they're sent to what look like legitimate hotel, airline or travel websites.

But they're not legit. If a user lands on one of those websites and starts answering what look like standard questions, "they can at that point in time gather user IDs and passwords or take information," Irvine says.

He adds that some faux sites are even selling rooms that don't exist or they're selling rooms that they don't have the privilege to sell. "Websites are showing pictures of facilities that are no longer available or just not even around," he says. "They're taking money and then when people get there, there's no reservation for it."

Scammers can also take a consumer's credit card information and steal his or her identity or sell that information to someone who will. They can also grab a username and password and test them across other sites. If that consumer uses the same username and password across multiple sites, the hacker has unlocked that person's financial world.

Pay up

It's costing companies money to reimburse customers their points and miles, especially after rooms or airline tickets have already been paid for and used by the stolen chits. But the bigger price to pay comes from the damage to the company's reputation.

"It's a much bigger branding problem than it is an economic problem," says Peterson. While a customer's points can be reinstated after a breach, that may not be enough to keep them from wondering if their information is really safe with a company that's been hacked.

The good news, Peterson says, is that while another new travel scam could pop up in July or August, there is no major event like the Olympics that would get the hackers cracking their knuckles and leaning into their keyboards. But he wouldn't put a new online hoax past them, especially since the points and miles scam is "another example of if there's money to be made over time, criminals will innovate."

Stories by Jen A. Miller
