X
CNET logo Why You Can Trust CNET

Our expert, award-winning staff selects the products we cover and rigorously researches and tests our top picks. If you buy through our links, we may get a commission. Reviews ethics statement

Scammers Look to Hook Vacation Shoppers With Phishing Emails

Be careful while shopping online for your summer vacation. That great deal might actually be a scam.

Bree Fowler Senior Writer
Bree Fowler writes about cybersecurity and digital privacy. Before joining CNET she reported for The Associated Press and Consumer Reports. A Michigan native, she's a long-suffering Detroit sports fan, world traveler, two star marathoner and champion baker of over-the-top birthday cakes and all-things sourdough.
Expertise Cybersecurity, Digital Privacy, IoT, Consumer Tech, Running and Fitness Tech, Smartphones, Wearables
Bree Fowler
6 min read
gettyimages-542736893

Be careful where you click. Here's how to spot phishing in all its forms.

Getty Images

It's officially summer and that might have you looking for a good deal on some fun in the sun. But experts say consumers need to think before they click when shopping online for vacations.

Researchers for the cybersecurity company Check Point say they're seeing a rise in summer vacation-related phishing emails, fake websites and other online scams designed to dupe people out of their money, corporate credentials or personal information.

The uptick isn't a surprise. It's an annual seasonal twist on the phishing where scammers often tailor their emails to reflect what's going on in the world.

The now-often-sophisticated attacks can also come in the form of text messages, social media posts and even QR codes. They're also a lot less spammy than they used to be; including personal details about you mined from your social media accounts and other pieces of your online footprint, making them look a lot more convincing than they used to.

For example, it might be an email asking for donations to help Ukrainian refugees or maybe the victims of the latest earthquake or hurricane. It could even be a text message telling you that your antivirus software is expired, or an ad on social media pushing what looks like an amazing deal on designer sunglasses.

And more and more, that increasing sophistication, speed and massive volume is being powered by artificial intelligence tools similar to ChatGPT that enable cybercriminals to create and launch their campaigns faster than ever.

As for the recent vacation-related phishing emails, they're taking a couple of different forms, Check Point says. Some look like they're coming from company human resources departments and claim to include corporate calendar information and instructions for how to put in for time off. Those targeted are asked to click on a link that takes them to a fake Microsoft login page where they're asked to enter their credentials, which are then stolen by the scammers.

Other emails impersonate major airlines and claim to offer monetary compensation for past flight delays. Consumers who click on the link in the emails are taken to a fake website that mimics that of the airline and steals the person's credentials.

Regardless of the pitch scammers use to try to reach consumers, in terms of quantity, phishing continues to increase. Last year, it accounted for more than 300,000 of the more than 800,000 complaints made to the FBI's Internet Crime Complaint Center, making it more prevalent than any other kind of cybercrime, though it's worth mentioning that its combined losses of $52 million fell well behind those of investment fraud-related crimes, which accounted for a total of $3.3 billion in losses.

More recently, cybersecurity researchers say volumes of phishing emails, already vast, are skyrocketing. For example, the cybersecurity company Vade says the number of phishing emails detected by its systems more than doubled in the first quarter of this year to about 560 million compared with the fourth quarter of 2022.

Those numbers don't include phishing attempts sent by texts or in social media posts. And law enforcement including the FBI have spotted rare phishing attempts in the form of QR codes, specifically stickers put on parking meters in places like Austin, Texas, that send motorists to fake websites that steal their credit card and other information.

At the same time, phishing attacks are getting more convincing. Gone are the grammatical errors and broken English of the past. Today's phishermen use technology to mine social media and other data sources for personal details that can be sprinkled throughout an email to make them more convincing. They may know where a person banks, who their relatives are or where they went to school.

Labor-intensive research that was once reserved for the highest-profile targets can now often be automated for a minimal cost, allowing scammers to target more people in more convincing ways. And open-source AI tools make the writing process quick and easy, even for non-native English speakers.

All of that may seem pretty frightening. After all, if a person can't tell the difference between legitimate communication and a scammer, how can they avoid them?

But don't despair. There are things you can do to avoid getting caught in a phisherman's net. Here's what you need to know.

What does phishing look like?

Emails, texts and social media posts that you didn't ask for. If a person or a company reaches out to you and you didn't contact them first, you probably should ignore it. It doesn't matter if it's an email saying that your Windows subscription has expired, a text from your bank saying that your account has been compromised or a post on Instagram pushing a great deal on designer sunglasses. Mass layoffs in a handful of industries also have scammers targeting the unemployed. Don't clink on any links or download any attachments. Instead go straight to the bank or company's website. If a "recruiter" reaches out to you, only send your personal information to the company you're applying to. Any unsolicited job offer that looks too good to be true should be treated as such.

Requests for payment in gift cards or cryptocurrency are red flags. Does it seem weird that a retailer, government agency or debt-collection service wants payment in these forms? It's probably a scam. These are the preferred ways of payment for cybercriminals, because they largely can't be traced and can be liquidated easily. The IRS, for example, won't take payment for alleged back taxes in either of these forms. On a related note, the IRS also won't reach out to you by email, text or phone. They work exclusively by snail mail.

Pleas for money from people you don't know. (They might even say they're in love with you.) Think nobody falls for romance scams? Think again. According to the Federal Trade Commission, online romance scams accounted for a staggering $1.3 billion in losses last year. The email might come from a woman who claims she's trying to escape the war in Ukraine or a guy serving in the military who just thinks you're cute. Regardless, if they can't meet you in real life for whatever reason, be very skeptical. The same goes for if they ask for gift cards or crypto.

Charity scams are a thing, too. Just like with the romance scams, these scammers are also looking to take advantage of people with big hearts. They'll say they're looking for donations to help victims of the latest natural disaster, war or what looks like a legit aid organization. They'll say you need to give now in hopes you'll do it before you think. Don't. Only donate to verified and established charity groups. Go straight to their websites or connect to them through a trusted source.   

How can I protect myself if I think I've been phished?

Use good antivirus software and update everything. A big part of the antivirus software mission is to filter out spam and scam emails, as well as stop malware that might be attached to them. But AV can't stop threats it doesn't know about, so make sure that yours is updating constantly to stay on top of all the new ones. Meanwhile, updating your devices' operating systems and your apps will fix bugs that cybercriminals could potentially exploit.

Great passwords are a must. If your email account gets compromised, it could be used to swindle your contacts out of their money or identities. It also could be used to help reset the password for your financial and other super-sensitive accounts. As a rule, passwords should be long (at least 12 characters), unique ('password123' is always a bad idea). Resist the temptation to reuse them, even if you think they're really good. If that's too hard, password managers can help.

Two-factor authentication is a no-brainer. Even the best passwords can be cracked. Two-factor authentication (2FA) will go a long way toward protecting you if that happens. It requires a second form of authentication like a biometric indicator, push notification sent to your phone or the connection of a physical key, in addition to your password. But avoid the SMS text version of this. While it's rare, phones can be "SIM swapped," allowing cybercriminals to intercept those texted codes.

Think about a credit freeze. If you think that your Social Security number or other super-private details have been compromised, freezing your credit will prevent cybercriminals from taking out loans in your name or otherwise using that information for identity theft. Some security experts recommend freezing the credit of children until they need to use it, since identity theft committed against them can often go unnoticed.