Posted by 
When a cyber-criminal sent Isabel Wagner an email, pretending to be the hotel she’d just booked, it’s unlikely that the would-be fraudster knew who she was. Wagner, an associate professor in cyber security at Switzerland’s University of Basel, has devoted her career to researching how to keep personal data private. She wasn’t going to be an easy mark.
“Congratulations on your new booking!”, the email read. “To ensure the successful confirmation of your booking, please take the following step by clicking the provided link. As a safeguard for your reservation, the system temporarily earmarks funds, which will be requested at check-in. Rest assured that these funds will solely be used to secure your reservation, and payment will be due upon your arrival.”
The email appeared to come through the Booking.com system, which she’d used to place the reservation, and it used Booking.com’s logo. Still, Wagner wasn’t convinced. The email didn’t address her by name. The link it tried to send her to, which wasn’t a booking.com link, wasn’t clickable: she would have had to copy and paste it.
And there was the small matter of the warning she’d received right after making her original Booking.com reservation. “Please note that we never send you… requests for any payment with a QR code and/or a link”, the email – which actually was from her hotel – had read. “If you receive any message about these subjects please ignore the message, keep secret your private information details and contact Booking.com customer service care”.
Needless to say, Wagner didn’t copy and paste the link – and didn’t lose her money. But not everyone has been so lucky.
As BBC News recently reported, hackers increasingly have been targeting businesses that use Booking.com, first contacting hotels with a phishing email, getting hotel staff to click a link that downloads malware onto the hotel’s computers and searches for customers with Booking.com reservations. Then hackers email those customers, like Wagner, directly. Any payment a client makes, of course, goes to the hackers – not the hotel. The scam is paying “serious dividends”, one threat intelligence expert told BBC News.
It is one of hundreds of scams that catch travellers out each year, from tourists showing up at their Airbnb only to find it doesn’t exist to buying an airline ticket that vanishes before check-in. In 2022, the US’s Federal Trade Commission (FTC) received more than 55,330 reports of travel fraud (including regarding timeshare properties), adding up to a $49m loss in total. A survey of 7,000 people across seven countries by computer security software company McAfee, meanwhile, found that one in three travellers have been scammed or know someone who has – and a third of these lost $1,000 or more before their holiday even began.
Whether you’re booking a flight, a hotel or you’re currently on the road, here are 10 tips from cyber-security and travel fraud experts on how to protect yourself.
1. If the matter seems urgent or you feel pressured, that’s your first red flag.
While there are many kinds of scams, they almost all have one characteristic in common: they make the target feel as if there’s something they must do as urgently as possible, at risk of losing, say, their booking. “Scammers try to play on your emotions, or they try to get you to react quickly – like, if you don’t take action, then there are going to be disastrous consequences. But in reality, there aren’t many scenarios like that, right? You’re very unlikely to receive a message from a hotel saying that, if you don’t do something in the next 30 minutes or 60 minutes, you’re going to lose the booking,” said Oliver Devane, a senior security researcher at McAfee Labs who investigates tourism cyber scams. “Alarm bells should be going off if you’re being pressed to do something quickly.”
That’s especially true regarding customer-facing businesses, like hotels, Devane adds. “The service industry just doesn’t work like that – it’s meant to be a nice experience,” he said.
2. Know that almost anything can be faked
Wagner’s email had some suspicious details, like the unrelated hyperlink. But other phishing emails are far more professional – and might not have any tell-tale signs at all. “A few years ago, my bank sent a message that said, ‘When we email you, we will always include your name, and that’s how you know that this is genuine’,” Wagner said. “That advice hasn’t aged very well.”
Today, anything can be faked, experts say, including not only including a target’s name, but even sending the recipient to a webpage that looks identical to the legitimate businesses.
3. Never click on a link or download an attachment from an email purporting to be a business – and never send money because an email asks for it
The fact that these emails can be so convincing, experts say, is why you should just avoid certain actions no matter how legitimate the message looks. “If an email comes asking for money, never trust it,” Wagner said.
