As the summer holiday season draws near, phishing scams with travel-themed lures have been gaining momentum, posing a significant challenge to individuals and organizations.
A recent survey from McAfee found that nearly a third (30%) of adults have fallen victim or know someone who has fallen victim to an online scam when bargain hunting for travel deals, with a full two-thirds of victims losing up to $1,000.
The Phishing Defense Center (PDC) released a report this week shedding light on one phishing campaign in which threat actors impersonated the HR department, exploiting the trust users place in their employers.
By sending deceptive emails, the perpetrators aimed to deceive unsuspecting individuals into clicking on a link purportedly for submitting their annual vacation requests.
This version of a business email compromise (BEC) threat represents the evolution of travel-focused phishing campaigns, the firm said. Clicking the link in the fake HR communication results in a login prompt overlaying the victim’s corporate home page, which was detected and automatically generated from their email address in the URL.
This approach is characterized by the blending of two effective phishing tactics: spoofed HR communications and a travel-themed phishing hook.
The attack leverages the regular HR procedures associated with vacation requests and taps into the anticipation and excitement surrounding the summer travel season, the researchers noted in the report.
Exploiting Interest in Summer Travel
“This is a sophisticated credential harvesting tactic,” explains Mika Aalto, co-founder and CEO at Hoxhunt. “Trust is essential to social engineering and while many would sense something is off about the poorly worded email message, others might be disarmed by it.”
He notes these dual streams of familiarity could heighten trust and move the victim further down the kill chain.
“The more sophisticated and authentic the spoofed website appears, the higher the chances of successful deception,” Aalto says. “It’s almost like a decoy — the poorly composed email may lead the potential victims to underestimate the threat, thus lowering their guard when they arrive at a surprisingly genuine-looking site.”
He adds that attackers are not just relying on email anymore but are also using social media platforms, text messages, and even phone calls to reach potential victims.
“Looking forward, we can expect these scams to continue to evolve in complexity, possibly incorporating artificial intelligence to make their phishing attempts more convincing,” he says.
Plus, if phishing templates are run through ChatGPT, they’ll immediately become flawlessly worded and more convincing phishing lures.
“AI chatbots can interact with unwitting victims as convincingly as a human being to steal valuable credentials, and deepfake platforms enable criminals to pose as trusted figures,” Aalto warns.
Phishing Scams Target Victims With Text Messages
The summer holidays in general represent an opportunity to reach more victims because there is an increase in vacation requests, which increases the chance of a successful breach.
Patrick Harr, CEO at SlashNext, points out there are many variations of this threat that could succeed in organizations and lead to a breach.
“Organizations should look for variations of this attack,” he adds, “including vendor compromise attacks from organizations that use vendors to manage HR functions or an employee’s compromised email account.”
Harr explains that hackers are taking advantage of travel companies that are trying to make travel frictionless for their guest with apps and text messaging.
“Threats are growing because of the increased use of apps and text messages from airlines, hotels, transportation, and other travel activities,” he says.
He says the most notable evolution of travel-based scams is the transition from email and Web-based threats to mobile app threats and threats on social media.
He points out hackers are taking advantage of travelers because they are more likely to interact with unfamiliar text messages or apps, connect to unfamiliar Wi-Fi, and look for VPNs to stream content.
In fact, from Harr’s perspective, the most important thing that can be done to educate travelers is to avoid using free public Wi-Fi.
“Do not connect to unfamiliar networks, and when unsure about the safety of Wi-Fi, use cellular data,” he cautions. “Do not download free VPNs or free streaming services. Don’t connect to airport Wi-Fi or connect your phone to free charging stations.”
Phishing Lures in Form of Travel Discounts
Common phishing campaigns targeting travelers often involve discounted or free flights, hotel bookings, or package deals that are simply too good to be true.
“All these attacks will be particularly hard to resist for bargain hunters this travel season, which will be unusually expensive due to inflated travel, food, and lodging prices,” Aalto says.
Most scams will either result in a direct payment of hundreds or thousands of dollars to a fraudulent site, or a credential-harvesting scam that captures and sells or otherwise uses sensitive data.
“Remember, there’s a multibillion-dollar organized cybercrime industry thriving on the Dark Web, where stolen data is a commodity that contains significant value,” he says. “Corporate accounts are gateways to corporate systems.”
There are also scams involving fake vacation rentals or timeshares, false travel insurance, and even scams where criminals pose as government officials to offer expedited visa or passport services.
“In a more sophisticated approach,” Aalto adds, “we’re seeing scams involving fraudulent loyalty program emails or notifications designed to trick customers into divulging their personal information or login credentials.”