According to the Association of British Travel Agents, some 81% of holidays were booked online last year. However, despite saving consumers time and money by making it easy to compare prices, travel websites may be putting travellers at risk of phishing scams.
Phishing scams in the United Kingdom increased 648% year-over-year on Cyber Monday. As spending increases, consumers become less aware of the money that goes out of their bank accounts, offering cybercriminals potentially lucrative opportunities.
And yet, new research by SSL security certificate provider Sectigo shows that the travel industry – which attracts high-spending customers that would undoubtedly appeal to scammers – is doing little to protect customers from falling victim to these crimes.
Research shows that just 29% of travel sites offer full protection against phishing attempts.
Sectigo looked at a total of 104 websites belonging to airlines, hotel groups, travel comparison websites, car hire firms and train operators. Of those, just 31 displayed company-branded SSL bars, which show that the company is using a high-level Extended Validation SSL Certificate and prove that the website is being operated by that business.
SSL (Secure Sockets Layer) Certificates provide a secure channel between two machines connected over the internet or an internal network. They are commonly used to secure communication between a web server and a web browser.
Websites with a secure connection will have an address starting with HTTPS, while unsecured websites will start with HTTP. Unsecured sites will also display a “Not secure” warning next to the URL.
Of the websites that Sectigo checked, six had outdated, unsecure connections. These were:
There are services available on at least three of those websites that require users to enter an array of personal information, such as banking details, name and address and passport numbers.
The majority of websites had HTTPS connections. However, these were often free, unbranded certificates. This means that users are unable to verify that the secure connection is being offered by the website’s operator.
The concern is that, without an SSL certificate that verifies the true operator of a site, cyber scammers can set up fake sites that mimic the appearance of a real site in order to trick travellers into handing over their details.
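An added example (not from Sectigo or the original article): a Python check a site owner could run against their own hosts to see which of the categories described above a site falls into, based on the URL scheme and the subject of the served certificate. The category names, the hostnames and the certificate data are constructed, and detecting Extended Validation from subject fields is a heuristic assumption, because `getpeercert()` does not expose the certificate policy OIDs.

```python
import socket
import ssl
from collections import Counter

# Subject attributes that EV certificates carry in addition to
# organizationName (names as Python/OpenSSL report them). Heuristic only.
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def fetch_cert(host, port=443, timeout=5):
    """Return the validated peer certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into one dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}

def classify(url, cert=None):
    """Sort a site into the categories the article describes."""
    if not url.lower().startswith("https://") or not cert:
        return "no-https"
    subj = subject_fields(cert)
    if "organizationName" not in subj:
        return "domain-only"            # no operator identity in the cert
    if EV_FIELDS.issubset(subj):
        return "extended-validation"    # operator identity vetted to EV level
    return "organization-validated"

def survey(sites):
    """Count categories over (url, cert) pairs."""
    return Counter(classify(url, cert) for url, cert in sites)

# Constructed sample data (not real sites or certificates).
SAMPLE = [
    ("http://booking.example.test/", None),
    ("https://fares.example.test/",
     {"subject": ((("commonName", "fares.example.test"),),)}),
    ("https://air.example.test/",
     {"subject": ((("businessCategory", "Private Organization"),),
                  (("jurisdictionCountryName", "GB"),),
                  (("serialNumber", "00000000"),),
                  (("organizationName", "Example Air Ltd"),),
                  (("commonName", "air.example.test"),))}),
]

if __name__ == "__main__":
    print(dict(survey(SAMPLE)))
```

For a live host, pass the result of `fetch_cert("your-host")` as the `cert` argument; a failed handshake or validation error raises an exception instead of returning a certificate.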
Lacking cybersecurity in the travel industry
Sectigo’s study comes in the wake of two major cyberattacks on travel companies in 2018.
A breach on the British Airways website led to the data of 380,000 customers being stolen back in September.
In the wake of that breach, industry expert Paul Farrington, head of EMEA at CA Veracode, warned that “IT issues are not only affecting BA”, but also the “wider airline industry”.
That was followed by hotel chain Marriott International confirming that the data of 500 million guests had been exposed last month, resulting in one of the largest data breaches in history.
However, there is now a real need for businesses, both in travel and other industries, to start taking cybersecurity seriously. New regulations like the General Data Protection Regulation (GDPR) now put businesses at risk of huge fines if they fail to protect customers. However, perhaps more costly would be the 70% of consumers who say they would stop doing business with a company if it were involved in a cybersecurity incident.