Going on vacation? Beware of scammers

Online dangers faced by travelers in summer 2023.

Travel phishing and online scams in 2023

Summer’s here, with the vacation season in full swing. Along with holidaymakers, tourist-targeting scammers are also getting more active. Our experts studied the dangers confronting travelers in the 2023 vacation season. Here’s what they found out…

Phishing attacks on Booking.com users

Let’s start with a phishing site mimicking Booking.com, one of the world’s most popular sites for online hotel and apartment bookings. The aim of the fake site is to harvest email addresses that double up as usernames, as well as some kind of “email passwords”. The phishers seem to have got their nets in a twist: what they’re really after is probably passwords for Booking.com accounts.

Fake Booking.com site

Phishers harvest login credentials of Booking.com users

Interestingly, the phishers didn’t forget about the second largest category of Booking.com users: hotel and apartment owners who use the website to attract clientele. For them, too, there are fake sites that hoover up usernames and passwords.

Another fake Booking.com site

Another site pretending to be Booking.com harvests credentials of hotel and apartment owners

To avoid such tricks, always carefully check the website address before entering any credentials on it. If you’re unsure what the real address should be, better to double-check using a search engine and good old Wikipedia.

Scammers prey on Airbnb users

Inevitably, cybercriminals haven’t ignored that other bastion of online accommodation booking, Airbnb. A fake Airbnb site — a carbon copy of the original — offers attractive apartment rentals and doggedly reminds the visitor that they must make a wire transfer to some agent to confirm their reservation.

Fake Airbnb site

Fake Airbnb site urges visitors to pay for a non-existent booking

It goes without saying that “customers” who send the transfer are left with nothing but a hole in their wallet. To avoid this danger, always carefully check the address of the site before sending money to its owners.

Harvesting user data on fake travel survey sites

A less serious, but also less-than-pleasant online scam involves sites promising valuable gifts for taking a survey. In this case — travel surveys offering a prize of US$100.

Fake travel survey

Enticed by the prospect of a US$100 gift, the visitor is asked to take a fake survey (and hand over personal data)

At the end of the survey, the scammers usually ask the victim for some personal data: first and last name, address, phone number and sometimes payment information. Such data can be used at a later date for all kinds of bad stuff — from identity theft to hacking into financial accounts. As for the “prize”, it’s not exactly forthcoming.

Avoiding this threat is easy: don’t fall for the promise of easy money — especially when it’s an unfeasibly large sum that falls from the sky.

Airline phishing sites

Another traditional target for phishers is airline passengers. Fake pages are forever popping up imitating the official sites of different carriers. Of course, the bigger the airline, the more likely its customers’ credentials will be hunted by phishers.

Fake airline website

Phishing site hungry for a popular airline’s customer accounts

The goal here can be twofold. First, there can be a direct financial interest: all major airlines have loyalty programs with bonus points that are a kind of currency. If cybercriminals manage to hack into someone’s account holding sufficient bonus points, they can buy a ticket and sell it for real money, which they pocket.

Another fake airline website

Phishing site that harvests credentials for an airline loyalty program accounts

Second, login credentials can be collected in order to hijack other accounts held by the victim. This method of hacking has a very good chance of success, since password reuse is still common, sadly. So a password for an airline loyalty program account could well work for email.

Unusual airline ticket scams

This year has also seen a rather unconventional method of defrauding airline ticket buyers bound for the UK. Scammers posing as travel agency employees offer tickets at extremely attractive prices. What’s more, after payment, the booking shows up in all systems — it’s completely real.

However, the fraudsters don’t actually buy any tickets; rather, they exploit the temporary ticket reservation service that’s used in many booking systems and costs no more than a few dozen dollars. The service even assigns a so-called passenger name record (PNR) to the booking — a six-digit alphanumeric code that goes by different names, depending on the airline: booking reference, reservation number, flight confirmation code, etc. This code lets you check the booking on the airline’s website and make sure it’s logged in the system.

Of course, since the scammers never redeem the ticket, when the holding time is up the reservation turns into a pumpkin. The difference between the hundreds of dollars paid for the non-existent ticket and the twenty-odd bucks spent on the reservation service is duly pocketed by the fraudsters, who then mysteriously fail to respond to the victim’s urgent inquiries.

Incidentally, there’s a way to make sure that you paid for a proper ticket — not a reservation. Simply look in the booking information for a 13-digit ticket number (for example, 123-4567890123), and not for a six-digit PNR (for example, A1B2C3). If there’s a ticket number, it means the airline ticket has been paid for and issued and you’ve nothing to worry about.

How to stop scammers ruining your vacation

Lastly, a few tips on how to protect your trip from online scammers and phishers:

  • When buying airline tickets, as well as booking hotels and apartments, use only reputable websites.
  • If possible, buy your tickets directly on the airline’s own site. It might be a little more expensive, but it’s always safer.
  • Don’t be fooled by the promise of prizes or fairy-tale low prices. As you know, if the cheese is free, it’s likely in a mousetrap.
  • Carefully check the address of the site you end up on.
  • And triple-check the page URL before entering any important information there: username and password, payment card number, etc.
  • Never share reservation numbers with anyone, or post photos of airline tickets with a visible barcode or PNR on social networks — here’s why.
  • A few days before your departure date, check all the bookings you’ve made for the trip. If there’s a problem with a reservation, better to sort it out beforehand, not at the airport check-in desk or hotel reception.
  • Use a reliable antivirus with built-in protection against online fraud and phishing on all your devices. This will give you early warning of sites to avoid.