Exploring the Growing Threat of Sophisticated Travel-Related Phishing and BEC Scams This Summer.

Phishing Scams with Travel-Themed Lures Ramp Up Ahead of Summer Holiday Season

As the summer holiday season approaches, phishing scams with travel-themed lures are gaining momentum, posing a significant threat to individuals and organizations alike. A recent survey by McAfee found that almost one-third (30%) of adults have either fallen victim to, or know someone who has fallen victim to, an online scam when seeking travel deals, with two-thirds of victims losing up to $1,000.

Evolution of Travel-Focused Phishing Campaigns

The Phishing Defense Center (PDC) has released a report, shedding light on a phishing campaign where threat actors impersonated the HR department, thereby exploiting the trust that people place in their employers. By sending deceptive emails, the perpetrators aimed to deceive unsuspecting individuals into clicking on a link for submitting their annual vacation requests, representing the evolution of travel-focused phishing campaigns. The attack leverages the regular HR procedures associated with vacation requests and taps into the anticipation and excitement surrounding the summer travel season.

Dual Streams of Familiarity Heighten Trust

According to Mika Aalto, the co-founder and CEO at Hoxhunt, “Trust is essential to social engineering, and while many would sense something is off about the poorly worded email message, others might be disarmed by it.” He notes that these dual streams of familiarity could heighten trust in the fake HR communication. Aalto also warns that attackers are not just relying on email anymore, but are also using social media platforms, text messages, and phone calls to reach potential victims.

Mobile App Threats and Threats on Social Media

Hackers are taking advantage of travel companies that are trying to make travel seamless for their guests by using apps and texts. “Threats are growing because of the increased use of apps and text messages from airlines, hotels, and other travel activities,” said Patrick Harr, CEO at SlashNext. According to Harr, the most significant evolution of travel-based scams is the transition from email and web-based threats to mobile app threats and threats on social media, where travelers are more likely to interact with unfamiliar text messages or apps and connect to unfamiliar Wi-Fi.

Avoiding Travel Scams

One of the most critical things that travelers can do to protect themselves is to avoid using free public Wi-Fi. Harr suggests avoiding downloading free VPNs or free streaming services, connecting to airport Wi-Fi, or connecting your phone to free charging stations. Most phishing scams targeting travelers involve discounted or free flights, hotel bookings, or package deals that are simply too good to be true. These scams generally result in a payment of hundreds or thousands of dollars to a fraudulent site, or a credential-harvesting scam that captures and sells sensitive data. Other scams could include fake vacation rentals, timeshares, false travel insurance, and scams where criminals pose as government officials to offer expedited visa or passport services.

Advice for the Upcoming Summer Season

As phishing scams with travel-themed lures continue to evolve in complexity, it is essential to remain vigilant and take all necessary precautions, such as avoiding public Wi-Fi, downloading software updates, and avoiding clicking on links and emails from unknown sources. It is also essential to think twice before providing personal information to anyone. By following these simple guidelines, we can safeguard ourselves and our organizations from potential phishing scams and associated threats.