Summer Travelers Could Get Burned by Phishing Scams: Survey
"We found that many of the people who use these sites are unaware of the potential dangers of booking travel online."
More than half of 1,000 survey respondents indicated they are unaware they remain ripe phishing targets when booking summer travel, setting the stage for a jump in malicious activity.
Seattle-based DomainTools, which provides a proprietary threat intelligence and investigation platform, announced the results of its new research that sheds light on consumer awareness around phishing when booking summer travel. The survey of U.S.-based consumers explored the potential correlation between an uptick in travel-related scams during the summer months and the general lack of awareness around phishing as it relates to booking travel online. Despite 58% of respondents being aware of phishing in general, 54% are unaware they might be ripe targets when booking their summer travel, setting the stage for a jump in malicious activity during the summer months.
DomainTools pointed to the IBM X-Force Threat Intelligence Index, which found that since January 2018 alone, 566 million records have been leaked or compromised in publicly reported breaches affecting the travel and transportation industry. The travel industry is a prime target for bad actors, as booking a vacation often requires expensive purchases and the disclosure of personal information online.
Of the respondents in DomainTools’ survey that shared they are familiar with phishing scams aimed at the travel and hospitality industry, nearly 40% revealed they had been tricked by an attempted scam. Overall, the survey findings shed further light on consumers’ habit of overlooking key details while making online purchases and the larger issue of unawareness around what could ultimately cost them money or personal information.
As part of this research, DomainTools conducted additional investigation via its PhishEye solution by creating more than 70 spoofed domains in a two-week period in an attempt to imitate vacation rental company Airbnb. The volume of spoofed domains in this short span of time further demonstrated the heightened efforts of bad actors targeting travelers at this time of year.
Some examples of fraudulent domains with a Risk Score of 70-plus (scores of 70-99 predict potentially malicious domains before they are weaponized) in this research include:
- airbnbpromo[.]net
- airbnbprices[.]com
- airbnb-bookins[.]review
- airbnbhostpr[.]com
- airbnb-update[.]org
- checkin-airbnb[.]com
- airbnbvrbo[.]com
- airbnbb[.]net
- airbnbexclusive[.]com
“While the most popular sites such as Airbnb, Expedia and Alaska Air could be at risk of phishing attempts, we found that many of the people who use these sites are unaware of the potential dangers of booking travel online,” said Corin Imai, senior security advisor for DomainTools. “More than half of respondents indicated that they are unfamiliar with phishing campaigns that specifically target travel and hospitality sites and three-quarters of respondents were unsure if they had even fallen victim to a scam.” Imai noted while popular sites like Airbnb take it upon themselves to protect customers, consumers must remain vigilant while shopping online, and the security industry should educate consumers to put proper defenses in place. “The reality is, no person or site is exempt from falling for a scam unless we encourage awareness and put precautions in place to prevent it from happening.”
Additional takeaways from the survey include:
- Of the 27% of respondents who clicked on a link or email to what they thought was a trusted travel company only to learn it was an attempted scam, 20% reported compromised personal information, while 71% revealed they are unaware anything bad happened.
- Respondents who are “very” aware of phishing prioritized best practices such as going directly to the website of the travel company they book through (71%) and taking closer looks at URLs used in emails to ensure legitimacy (59%).
- Fifty-five percent of respondents said they can distinguish a phishing email from a legitimate one based on how the email looks. Despite this tactic, 26% of this group admit they have fallen victim to phishing.
Those who book summer travel online are advised to:
- Closely monitor domains that imitate leading travel, airline and booking companies with typos or disguised letters (e.g., ‘rn’ written to appear like the letter ‘m’).
- Book directly through the airline or vacation rental site rather than a third party.
- Stay up to date on the latest scams circulating the web.
- Avoid high-pressure tactics (e.g., “Book now!” or “Only three tickets left!”).
- Go back to the old-school ways and call the airline or travel company directly to confirm a reservation is in your name.
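
The lookalike patterns above (a brand name padded with extra words, a one-letter typo, or ‘rn’ standing in for ‘m’) can be checked mechanically. The sketch below is an added example, not DomainTools’ PhishEye logic or its Risk Score; the confusable map, the single allow-listed domain and the `sunmiles` brand are assumptions made for illustration.

```python
import re

# Assumption: a small hand-picked map of look-alike sequences, including the
# article's 'rn' -> 'm' case. Production confusable tables are far larger.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def refang(domain):
    """Turn a defanged indicator (example[.]com) back into example.com."""
    return domain.strip().lower().replace("[.]", ".")

def skeleton(label):
    """Collapse look-alike sequences and drop separators."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return re.sub(r"[^a-z0-9]", "", label)

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand, legit):
    """Return why a domain resembles `brand`, or None if it does not."""
    name = refang(domain)
    if name in legit or any(name.endswith("." + d) for d in legit):
        return None                              # the brand's own domain or subdomain
    label = name.rsplit(".", 1)[0]               # everything left of the last dot
    raw = re.sub(r"[^a-z0-9]", "", label)
    if edit_distance(raw, brand) == 1:
        return "typo"
    if brand in raw:
        return "brand-in-name"
    if skeleton(brand) in skeleton(label):
        return "confusable"
    return None

# Domains quoted in the article; the controls below use the reserved .example TLD.
ARTICLE_DOMAINS = ["airbnbpromo[.]net", "airbnbprices[.]com", "airbnb-bookins[.]review",
                   "airbnbhostpr[.]com", "airbnb-update[.]org", "checkin-airbnb[.]com",
                   "airbnbvrbo[.]com", "airbnbb[.]net", "airbnbexclusive[.]com"]

if __name__ == "__main__":
    for d in ARTICLE_DOMAINS + ["www.airbnb.com", "weather.example"]:
        print(f"{d:28} {classify(d, 'airbnb', {'airbnb.com'})}")
    print(classify("sunrniles.example", "sunmiles", {"sunmiles.example"}))
```

A brand with several legitimate domains needs each of them in the `legit` set, otherwise its own properties are reported as `brand-in-name`.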