Beware of phishing attacks when booking your holiday!

Tanja Beller

The holiday season is the most wonderful time of the year, but the excitement of booking your next holiday could be ruined by cybercriminals. So, if you book your holiday using an online booking platform, be careful. From messages telling you your payment information is incomplete for the booking, to completely fake offers on deceptively genuine-looking platforms – fraudsters will try and trick holidaymakers in a variety of ways. These messages can come by email, text or even via the booking app chat box.

If you’ve completed your booking and then you get a message apparently from the booking provider, it’s easy to become concerned. After all, you don’t want anything to get in the way of your well-deserved holiday. Phishing emails often copy confirmation messages from travel providers and include a link to a fake website, for example with the pretext that, “Your details are incomplete”, or “You need to add a credit card to your booking”.

Important rules: Never click on the link in messages like this. It could take you to a fake website and your payment details could end up in the hands of the fraudsters. If you are unsure if there is still money owed on a booking, you should contact the provider directly and ask them. If you are the victim of a fraud, you should contact your bank immediately, block the relevant cards, if necessary, and report it to the police. You should also keep a close eye on your bank statements for a while after the fraud.

And remember, even with special offers you get, for example, from social media channels: always visit the provider’s website to check that the offer is a real deal. If you are not familiar with the provider, then check the website’s legal notice and reviews of the provider on well-known review platforms. In Germany, the consumer advice portal, Verbraucherzentrale, also provides information about fake offers.

Digital communication as a gateway for fraud

Phishing attacks are usually targeted at consumers. The scammers use email, text messages, WhatsApp, other messaging services or direct messages on social media. They use all these digital channels to bait their victims. They often also create a sense of urgency: “Take action now or your package will be sent back or account suspended.” If you are unsure, always ask your provider directly.

Data theft via streaming services

Phishing campaigns operating under the guise of well-known streaming services have increased significantly. The phishing messages contain, for example, alleged changes to terms and conditions, to pricing or payment or they may even announce measures to counter unauthorised account sharing. Ultimately, the fraudsters are only interested in one thing: obtaining sensitive information, especially payment data.

Time delay as a phishing tactic

There will often be a delay between when the data is phished and when the information is used to implement the scam – a few days for example. This is one of the scammers’ tactics: as a result, victims often find it more difficult to link the two events together. There is then a particularly high risk that the attack goes unnoticed and is therefore not reported to the bank or police. 

Fraudulent telephone calls 

Once the fraudsters have ‘phished’ or have access to their victims’ sensitive data, then comes the next step. They will try and manipulate people on the phone in order to get more data, payment authorisation or even to gain complete access to their victims’ PCs using special software. One example: If you suddenly get a phone call from your bank, a financial regulatory body (such as BaFin in Germany) or from the card services hotline 116 116, you should ask yourself if this call really is genuine. They might say something like, “We’ve noticed irregular payments on your bank account”, “Someone has tried to gain access to your account” or “If you don’t act now, your account will be suspended”. But they may have manipulated or spoofed the caller ID, so the number displayed appears legitimate. Of course, genuine service hotlines, from a bank for example, need to get you to confirm some personal data (name, address, date of birth) so they can correctly identify the caller. However, a bank will never ask you for your online banking PIN or transaction number (TAN).

The best response to a call like this is to hang up. Then you can call the bank directly and ask if there have been any irregularities with your account or card. To avoid calling the scammers back on the manipulated number, dial the correct number yourself and don’t use the automatic call-back button.

Fake websites with enticing offers

Enormous advances in technology have made it possible for scammers to publish fake websites that are incredibly accurate. Fake messages with special offers, coupons or alleging the need for customer data to be updated have become incredibly realistic, especially when it comes to the corporate design. In fact, the link contained in those messages might take you to a fake website so any data you enter is snapped up by the criminals. You should always check bargains and especially attractive products from unknown providers very carefully before buying them.

Misuse of AI

The use of AI tools allows criminals to optimise their attacks. AI-based language models can be used to remove suspicious errors in texts. By misusing artificial intelligence, the scammers can imitate the voices of the victim’s family members, taking the attack to a new level. If they then use these fake voices to say they’re in trouble and urgently need help (e.g. “Mum, I’ve had an accident. They won’t let me go until I’ve paid a deposit. Help me, please!”), it’s not easy for anyone to stay calm. But however difficult that may be, it is the first important step you need to take. You should then hang up and contact that family member directly or ask other friends or family who may know what’s going on.

Fake letters, tax returns or parking tickets

And despite all the digitalisation, paper letters can also be faked. They may include a QR code in the text which takes you to a fake website; this is a particularly insidious form of fraud. The fake letters could purport to be from your bank, or take the form of a fake invoice from a business which has changed its bank account details, or of tax returns demanding late payment fees, where the bank account given is not that of the real tax authorities but one that can be accessed by the scammers. So, you should also beware of “analogue” letters and tax returns.

Many internet users have been victims of online fraud. You can find a list of the typical scams and frauds, and how to protect yourself and prevent online criminality on the Association of German Banks’ cybersecurity glossary. The Verbraucherzentrale also publishes current warnings in its ‘phishing radar’.

Contact

Tanja Beller

press spokeswoman
