Ah summer: the time for cookouts and fireworks and long days at the beach trying not to check your email. It's also a time to finally use all those airline miles and hotel points you’ve accumulated to get a free place to stay and free transportation to get there.
If they haven't been stolen, that is.
Those points and miles have become the target of the latest hacking scams, and most travel-related sites haven't done much about it, according to the recently released State of Email Trust Report from email security company Agari. While financial institutions are still attacked with gusto, Agari has found that most of them have put up roadblocks to those attacks. And when one path is blocked, scammers will quickly find one that is not.
"Criminals are still going after the liquid assets in banks and credit cards, but they've found those sites have been locked down," says Patrick Peterson, Agari founder and CEO. "It's much harder to do something with airline miles and hotel points, but it's much easier to get your hands on."
Airline points – a new form of black market currency?
Peterson calls scamming customers out of miles and points the "issue du jour" in travel hacks.
"Criminals have discovered that they can monetize all those wonderful airline and hotel points," he says. "They are very busy doing some very nefarious things with that, and a lot of our hotel chains and airlines are up in arms."
In January, for example, the Starwood Preferred Guest program was hacked. Lufthansa and British Airways saw similar incidents this spring.
Hackers are doing this, Peterson says, because banks and credit card companies have finally gotten serious about security, and even though there's less cash value to miles or points, they're still worth something on the black market – especially if the hacking process can be automated.
"It's quite surprising they got away for so long with so little security," Peterson says of many travel sites.
Two big exceptions to these security flaws, he said, are Booking.com and Delta, which were both ranked "Safe" by Agari's TrustScore rankings.
Multiple travel-related sites, including AirTran, American Airlines, CheapOair, Expedia, Marriott, SkyWest, United Airlines and US Airways, were ranked "Vulnerable," the lowest rank possible. Sites for Hotels.com, JetBlue, Priceline, RentalCars, Travelocity, TripAdvisor and Virgin America ranked "At Risk," which is in the middle.
How the hack works
While the target of these travel scams – points – may have changed, the method of getting the information – acquiring usernames and passwords – has not.
Scammers are still sending phishing emails to get consumer information, and also sending invoices or vouchers for fake tickets to get malware onto consumers' machines, said Peterson.
"There's a lot of targeted emails and texts that are going out right now that are coupons or travel-based," says Jerry Irvine of the National Cyber Security Task Force and CIO of Prescient Solutions. When recipients of those messages click on links, they’re sent to what look like legitimate hotel, airline or travel websites.
But they’re not legit. If a user lands on one of those websites and starts answering what look like standard questions, "they can at that point in time gather user IDs and passwords or take information," Irvine says.
He adds that some faux sites are even selling rooms that don't exist – or they're selling rooms that they don't have the privilege to sell. "Websites are showing pictures of facilities that are no longer available or just not even around," he says. "They're taking money and then when people get there, there's no reservation for it."
Scammers can also take a consumer's credit card information and steal his or her identity – or sell that information to someone who will. They can also grab a username and password and test them across other sites. If that consumer uses the same username and password across multiple sites, the hacker has unlocked that person's financial world.
It’s costing companies money to reimburse customers their points and miles – especially after rooms or airline tickets have already been paid for with the stolen chits and used. But the bigger price to pay comes from the damage to the company’s reputation.
"It's a much bigger branding problem than it is an economic problem," says Peterson. While a customer's points can be reinstated after a breach, that may not be enough to keep them from wondering if their information is really safe with a company that's been hacked.
The good news, Peterson says, is that while another new travel scam could pop up in July or August, there is no major event like the Olympics that would get the hackers cracking their knuckles and leaning into their keyboards. But he wouldn't put a new online hoax past them, especially since the points and miles scam is "another example of ‘if there's money to be made over time, criminals will innovate.’"