
As Summer Approaches, Travel-Themed Phishing and BEC Campaigns Become More Sophisticated


As the summer holiday season approaches, phishing scams with travel-themed lures are becoming more prevalent, posing a significant challenge to individuals and organizations alike. A recent survey conducted by McAfee revealed that nearly a third (30%) of adults have fallen victim or know someone who has fallen victim to an online scam when searching for travel deals, with two-thirds of victims losing up to $1,000.

Phishing scams have been around for a while, but attackers are getting increasingly sophisticated in their tactics. The Phishing Defense Center (PDC) recently released a report that sheds light on one phishing campaign where threat actors impersonated the HR department and exploited the trust users place in their employers. By sending deceptive emails, the perpetrators aimed to deceive unsuspecting individuals into clicking on a link purportedly for submitting their annual vacation requests.

This version of a business email compromise (BEC) threat represents the evolution of travel-focused phishing campaigns. Clicking the link in the fake HR communication brings up a login prompt overlaying the victim’s corporate home page, which the attackers generate automatically from the victim’s email address embedded in the URL. This approach blends two effective phishing tactics: spoofed HR communications and a travel-themed phishing hook.
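One way a mail filter could flag links that carry the recipient's own address, which is what lets the page described above tailor itself to the victim's employer. This is an added example, not code from the PDC report or the original article; the function names, hosts and sample message are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TOKEN_RE = re.compile(r"[A-Za-z0-9_+-]{12,}")  # base64-looking runs

def _b64_texts(text):
    """Yield lowercased UTF-8 text decoded from base64-looking tokens."""
    for token in TOKEN_RE.findall(text):
        std = token.replace("-", "+").replace("_", "/")
        std += "=" * (-len(std) % 4)
        try:
            yield base64.b64decode(std, validate=True).decode("utf-8").lower()
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue

def urls_embedding_recipient(body, recipient):
    """Return (url, encoding) for each link that carries the recipient's address."""
    target = recipient.strip().lower()
    findings = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        # Look only past the host: path, query and fragment hold per-recipient data.
        tail = f"{parts.path}?{parts.query}#{parts.fragment}"
        if target in tail.lower():
            findings.append((url, "plain"))
        elif target in unquote(tail).lower():
            findings.append((url, "percent-encoded"))
        elif any(target in text for text in _b64_texts(unquote(tail))):
            findings.append((url, "base64"))
    return findings

# Constructed sample: recipient, hosts and message body are illustrative only.
RECIPIENT = "j.rivera@corp.example"
_TOKEN = base64.urlsafe_b64encode(RECIPIENT.encode()).decode()
SAMPLE_BODY = f"""Please submit your annual vacation request:
https://hr-portal.example.net/vacation#{RECIPIENT}
https://hr-portal.example.net/vacation?u=j.rivera%40corp.example
https://hr-portal.example.net/v?t={_TOKEN}
Policy reference: https://intranet.corp.example/hr/policy.pdf
"""

if __name__ == "__main__":
    for url, encoding in urls_embedding_recipient(SAMPLE_BODY, RECIPIENT):
        print(f"{encoding:16} {url}")
```

Legitimate services such as unsubscribe and single sign-on links also embed the recipient's address, so a hit is a signal to combine with sender and domain reputation rather than a verdict on its own.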

The attack leverages the regular HR procedures associated with vacation requests and taps into the anticipation and excitement surrounding the summer travel season. For instance, hackers are taking advantage of travel companies that are trying to make travel frictionless for their guests with apps and text messaging.

Phishing scams target victims with text messages, which could lead to a successful breach. According to Patrick Harr, CEO at SlashNext, the most notable evolution of travel-based scams is the transition from email and web-based threats to mobile app threats and threats on social media. Hackers are taking advantage of travelers because they are more likely to interact with unfamiliar text messages or apps, connect to unfamiliar Wi-Fi, and look for VPNs to stream content.

One of the most common phishing campaigns targeting travelers involves discounted or free flights, hotel bookings or package deals that are simply too good to be true. Most scams result either in a direct payment of hundreds or thousands of dollars to a fraudulent site or in credential harvesting that captures and sells or otherwise uses sensitive data.

“There’s a multibillion-dollar organized cybercrime industry thriving on the Dark Web, where stolen data is a commodity that contains significant value. Corporate accounts are gateways to corporate systems,” warned Mika Aalto, co-founder and CEO at Hoxhunt. “Remember, the summer vacation season will be unusually expensive due to inflated travel, food, and lodging prices. All these attacks will be particularly hard to resist for bargain hunters.”

Attackers are not just relying on emails anymore but are also using social media platforms, text messages, and even phone calls to reach potential victims. As the phishing campaigns get more sophisticated, they may even incorporate artificial intelligence to make their phishing attempts more convincing. AI chatbots can interact with unwitting victims as convincingly as a human being to steal valuable credentials, and deepfake platforms enable criminals to pose as trusted figures.

In a more sophisticated approach, we’re seeing scams involving fraudulent loyalty program emails or notifications designed to trick customers into divulging their personal information or login credentials. There are also scams involving fake vacation rentals or timeshares, false travel insurance, and even scams where criminals pose as government officials to offer expedited visa or passport services.

Organizations must be vigilant and keep their employees informed about the latest phishing trends. Companies should also institute protocols to prevent BEC threats, such as two-factor authentication, malicious email detection software, and training employees on how to identify and avoid phishing scams.

As phishing scams get more sophisticated and travel restrictions ease, it is paramount that individuals and companies remain cautious and vigilant to avoid falling prey to cybercriminals seeking to exploit their trust.
