The Rise of Travel-Based Phishing Scams in Australia
Cybersecurity experts are sounding the alarm on a new wave of increasingly convincing phishing scams targeting Australian travellers. These scams are leveraging personal travel details, which have become a prime target for cybercriminals. Recent large-scale data breaches of travel companies, such as Booking.com earlier this week and Qantas last year, have provided scammers with valuable detailed personal information.
Adrianus Warmenhoven, a cybersecurity expert from NordVPN, warned that the latest attack on Booking.com would likely result in a spike in phishing emails, fake payment requests, and “verification” messages targeting affected users. This type of breach is particularly dangerous not because of financial data, but because of context. When attackers gain access to booking details such as names, travel dates, and accommodation information, they can craft highly convincing, personalised scams that are much harder to detect.
Why Are Hackers Targeting Travel Companies?
Travel-related data is particularly valuable to scammers because of the nature of the information provided. Tyler McGee, a cybersecurity expert from McAfee, explained that when you look at travel sites compared to other sites, typically people provide a lot of information when they are purchasing—such as credit card details, sometimes passport information, and all the requirements needed to purchase a plane ticket or book hotel accommodation. That’s the type of information that scammers are very interested in, because it gives them a good insight into you as an individual.
Travel data is also especially sensitive because it introduces a time element. Scammers know exactly when you’re due to travel, which makes their messages feel urgent and legitimate—whether it’s a “problem with your booking” or a “last-minute payment request.”
What Do Hackers Do With My Travel Data?
Collecting the illicit data is just the first step in a sophisticated multi-layered operation often involving multiple black market businesses. McGee said, “This is not a couple of scammers sitting in the garage of their house. This is an industry. These are sophisticated businesses.”
Once the data is collected, hackers will typically sell that information on the dark web to another organisation, such as one specialising in phishing scams. This organisation can then contact individuals with highly personalised and convincing emails purporting to be from Booking.com, a hotel provider, or another travel provider. Imagine receiving a message that references your exact stay, dates, and property—it immediately feels legitimate. This is exactly what cybercriminals rely on.
The email may request payment to lock in accommodation or state that you’ve been overcharged and request bank details, often including a link to a convincing lookalike website designed to steal your details. But all will attempt to extract something from you, whether that is a direct payment or credit or bank account details, which can be used for further scams.
How Can I Detect a Phishing Scam?
The days when a cursory glance at a generic, grammatically incorrect message from a dubious email address urging you to click through was sufficient to detect a scam are over. Artificial intelligence is helping scammers craft increasingly convincing emails and even fake websites duplicating those of legitimate organisations, such as booking.com itself or a hotel company.
“Historically, it was easier to catch out. It was more generic and there were common mistakes—the website didn’t look right or the spelling wasn’t right,” McGee said. “Typically now with AI that’s easily fixed, so it’s almost foolproof in the information that they are sending to you.”
However, there are still two key checks you can do to weed out any potential scams. The first is simple: check that the email address is an exact match to that of the legitimate organisation. If you aren’t sure of the correct email address or still have concerns, the next step is to contact the organisation to verify whether they did in fact send the query or payment request.
My Travel Data Has Been Hacked. How Can I Protect Myself?
As a first step, anyone caught up in the Booking.com data breach should immediately change their login details and passwords, McGee advises. This should at least prevent hackers from having ongoing access to your account and any new personal data.
Always verify information and make payments through official platforms, not by directly clicking on links inside emails or text messages. You can also consider installing scam detectors, which can flag suspicious activity, warn when potential scams pop up on your phone or computer, and block risky websites if you do inadvertently click on a scam link.
“Then I would just be very, very careful and very suspicious if you’re getting emails or texts asking you to click on links to either get a refund from booking.com or to pay the balance of your trip,” McGee said. “If you believe you do owe them money for a trip, then maybe just contact them before you actually do the transfer.”






