How to avoid common travel and vacation scams

From social engineering before you even get on the plane to apps that are riddled with security holes, it’s never been easier for cybercriminals to target unsuspecting travelers.

As usual, winter's been bleak. You're ready to go ... anywhere else. Somewhere warmer, brighter, more fun. 

And someone else is there waiting and ready to steal your information — and your money — in the process. 

Travel scams are ripe and ripening as the days grow longer, in some high and very low tech ways. 

"The really staggering message that came through in 2015 was that it was the year attackers spent a lot less time and energy on really sophisticated technology intrusions and instead spent the year exploiting us," says Kevin Epstein, vice president of the Threat Operations Center at Proofpoint

Criminals don't just want to grab your information when you're planning either. Your trip itself makes you a target, too. 

Pre-trip hacking

Travel is a focus of scamming for two reasons. 

The first is money -- lots of it. "Booking the trip turns out to be a great way to give away a lot of money," says Epstein. "You voluntarily provide lots of personal information." Not only do most sites require you to put in your credit card information to book a trip, but many also have you create a login and password to use the site. 

[Related: Craigslist fails to flag most scam rental ads, study finds] 

If a criminal can make you believe that you're putting that kind of information into the right place, they can take over your money and your digital life. Or, if they can send you something that looks legit, and you download what they ask, they get into your computer and everything that's stored therein. 

The second reason is that travel companies have lagged behind when it comes to the security of their sites. When other online sectors strengthened their walls, scammers went the path of least resistance, which lately has been travel. 

Banks, says Charlie Abrahams, senior vice president at MarkMonitor, used to be the subject of such cloning, by have "taken steps to deal with it," adding that MarkMonitor has recently seen an uptick in travel companies requesting the same kinds of service they have been providing for banks. 

"We deal with sites that illegally pretend to be a site for the purposes of capturing credential information," says Abrahams. Some of these sites can be found by searching for deals, and some by clicking on emails that purport to be from a legitimate travel entity. 

Fraudsters are also moving into the app space with travel as a target, though attacks there aren't big — yet. Abrahams says that MarkMonitor has been spending more time scanning online app stores "because there are a lot of apps there that are completely fake," he says. Sometimes these apps will glom onto famous name brands in the hopes of just getting people to download the apps; they may also be looking to get your information too. Sticking to big name brands and downloading only from well known app stores like iTunes or Google Play is the best way to keep those out of your life, and off your data. 

The same is true for where you go online to book your travel, says Epstein. "If you pick the wrong site, you've just handed over everything to someone." 

Sticking to known companies there too, whether that's with hotels or airlines or cruise companies themselves or well-known online travel agents, is your best bet. Deals that look too good to be true probably are. Read the find print too, and make sure that if your booking is cancelled — especially by the booker — that the entire amount isn't considered a non-refundable deposit. 

[Related: Travel apps riddled with security flaws] 

Epstein also suggests calling the hotel to make sure they have the booking in case something went awry. 

While on the road

The scams don't stop there, of course. Traveling presents more ways that criminals can get into your life, especially if your guard's down because you're on the beach, drinking margaritas, or both. 

"Free Wi-Fi is the most dangerous cyber vector" for travelers says Epstein. Even if your hotel offers it for free, don't use it. If you can't create your own Wi-FI network by tethering, Epstein says stick to your phone. If you must use your laptop, make sure you use full tunnel encrypted VPN. That way, what you're sending or receiving is protected. 

Securing your laptop and phone might sound basic, but Epstein says it's something that travelers can forget about — especially the laptop. 

"If you don't know where something is, even if you get it back, it may not be what you thought it was," he says. That's because someone could put malware on it. "It's a path into your company. It's a front door." 

If you can, he says, leave the corporate laptop at home. If you must bring it with you, have it locked away in a place where only you know the password. 

Besides, it's a vacation. Who wants to bring their laptop with them on that? Now you have a security reason not to work with you.

Join the CSO newsletter!

Error: Please check your email address.

More about GoogleProofpoint

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jen A. Miller

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place