How to avoid common travel and vacation scams

From social engineering before you even get on the plane to apps that are riddled with security holes, it’s never been easier for cybercriminals to target unsuspecting travelers.

As usual, winter's been bleak. You're ready to go ... anywhere else. Somewhere warmer, brighter, more fun. 

And someone else is there waiting and ready to steal your information — and your money — in the process. 

Travel scams are ripe and ripening as the days grow longer, in some high and very low tech ways. 

"The really staggering message that came through in 2015 was that it was the year attackers spent a lot less time and energy on really sophisticated technology intrusions and instead spent the year exploiting us," says Kevin Epstein, vice president of the Threat Operations Center at Proofpoint

Criminals don't just want to grab your information when you're planning either. Your trip itself makes you a target, too. 

Pre-trip hacking

Travel is a focus of scamming for two reasons. 

The first is money -- lots of it. "Booking the trip turns out to be a great way to give away a lot of money," says Epstein. "You voluntarily provide lots of personal information." Not only do most sites require you to put in your credit card information to book a trip, but many also have you create a login and password to use the site. 

[Related: Craigslist fails to flag most scam rental ads, study finds] 

If a criminal can make you believe that you're putting that kind of information into the right place, they can take over your money and your digital life. Or, if they can send you something that looks legit, and you download what they ask, they get into your computer and everything that's stored therein. 

The second reason is that travel companies have lagged behind when it comes to the security of their sites. When other online sectors strengthened their walls, scammers went the path of least resistance, which lately has been travel. 

Banks, says Charlie Abrahams, senior vice president at MarkMonitor, used to be the subject of such cloning, by have "taken steps to deal with it," adding that MarkMonitor has recently seen an uptick in travel companies requesting the same kinds of service they have been providing for banks. 

"We deal with sites that illegally pretend to be a site for the purposes of capturing credential information," says Abrahams. Some of these sites can be found by searching for deals, and some by clicking on emails that purport to be from a legitimate travel entity. 

Fraudsters are also moving into the app space with travel as a target, though attacks there aren't big — yet. Abrahams says that MarkMonitor has been spending more time scanning online app stores "because there are a lot of apps there that are completely fake," he says. Sometimes these apps will glom onto famous name brands in the hopes of just getting people to download the apps; they may also be looking to get your information too. Sticking to big name brands and downloading only from well known app stores like iTunes or Google Play is the best way to keep those out of your life, and off your data. 

The same is true for where you go online to book your travel, says Epstein. "If you pick the wrong site, you've just handed over everything to someone." 

Sticking to known companies there too, whether that's with hotels or airlines or cruise companies themselves or well-known online travel agents, is your best bet. Deals that look too good to be true probably are. Read the find print too, and make sure that if your booking is cancelled — especially by the booker — that the entire amount isn't considered a non-refundable deposit. 

[Related: Travel apps riddled with security flaws] 

Epstein also suggests calling the hotel to make sure they have the booking in case something went awry. 

While on the road

The scams don't stop there, of course. Traveling presents more ways that criminals can get into your life, especially if your guard's down because you're on the beach, drinking margaritas, or both. 

"Free Wi-Fi is the most dangerous cyber vector" for travelers says Epstein. Even if your hotel offers it for free, don't use it. If you can't create your own Wi-FI network by tethering, Epstein says stick to your phone. If you must use your laptop, make sure you use full tunnel encrypted VPN. That way, what you're sending or receiving is protected. 

Securing your laptop and phone might sound basic, but Epstein says it's something that travelers can forget about — especially the laptop. 

"If you don't know where something is, even if you get it back, it may not be what you thought it was," he says. That's because someone could put malware on it. "It's a path into your company. It's a front door." 

If you can, he says, leave the corporate laptop at home. If you must bring it with you, have it locked away in a place where only you know the password. 

Besides, it's a vacation. Who wants to bring their laptop with them on that? Now you have a security reason not to work with you.

Show Comments