Security Alert: New Travel Rewards Email Scam

Share on FacebookTweet about this on TwitterShare on Google+Email this to someone

You’ve been saving and saving – and not just 10% like the financial experts recommend – but all of them. Yes, them, your airline miles and hotel travel rewards points, of course! If points and miles were retirement dollars, you’d be set for life. But how sure are you that they will still be there when you go to finally redeem them? After all, it’s not like they are high value items like diamonds, cash or your social security number… right?

Travel rewards points targetedSecurity alert: Your travel rewards are the focus of a new summer scam

According to a new State of Email Trust Report from email security firm Agari, the assumption that travel rewards points are not a cyber-theft target is far from the truth. We already knew that loyalty rewards passwords were a target, but the points and miles themselves appear to be a hot target right now. There are two big reasons that your next free trip or hotel stay might be cancelled due to theft:

  1. Financial institutions and organizations that protect high value goods and information are taking much more advanced measures to secure against cybercrime, while hotels, airlines and travel companies struggle to stay as competitive.
  2. Hackers have discovered that travel rewards are actually quite useful – they are their own form of currency, and can even be traded for cash in black market deals.

In an article with CIO, Agari founder and CEO Patrick Peterson notes that cybercriminals have turned to these easier targets, and are finding success. Since the beginning of 2015 alone, Lufthansa, British Airways and the Starwood Preferred Guest program have all been attacked. Especially in terms of online travel websites, “It’s quite surprising they got away for so long with so little security,” says Peterson. The report’s list of ‘Vulnerable’ sites includes AirTran, American Airlines, Expedia, Marriott, SkyWest, United Airlines and USAirways. (United Airlines is now taking measures to reward hackers with miles who find and report system flaws.) Also at risk are popular travel search sites like, Travelocity, TripAdvisor and airlines like Virgin America and JetBlue. Those rated ‘Safe’ where far fewer, but included and Delta Air Lines.

How travel rewards scams work

The most popular way that cybercriminals are stealing points is through the tried-and-true method of sending phishing emails to the points’ owners. You might see a coupon for a travel voucher, an invoice for a travel-related purchase you didn’t make or even a fake ticket sent to you in an email or text. They often contain links to copycat travel websites that start to request information like user IDs, passwords, and identification. In these cases, it is always a good reminder to be wary of emails and messages that indicate you’ve ordered or purchased something that you, in fact, did not take action on. If you are unsure – don’t click. Instead, pick up the phone and call the company’s customer service directly to inquire.

Security alert: Your travel rewards are the focus of a new summer scam (SpeedyPassword)Not only could you lose the value of free flights and hotel stays, but the further risk with these scams is that the hackers can then take the usernames and passwords they’ve obtained and test them across different banking and shopping accounts belonging to the user. Having strong unique passwords protecting each of your accounts individually is your best protection in this case – and the easiest way to set this system up is with a password manager. Knowing your accounts are safe and secure with a password manager means that you can jet off on that free summer vacation without worry… except for sunburns. You’ll still have to worry about sunburns.

Share on FacebookTweet about this on TwitterShare on Google+Email this to someone