It's true... Scammers don't take time off. They are relentless. And they know you do take holidays, and they want to take advantage of that.
That's why they use phishing scams that are focused on holidays. Here are just a few that you should be aware of...
The fake travel agent
Scammers message you pretending to be a travel agent and try to sell you a deal over text or social media. This is especially prevalent when a travel agent or booking service has been hacked. All they need is your email address or telephone number, and they can target you.
Booking verification scam
Criminals pretend to be hotels and ask customers to provide payment information to verify bookings.
The cancellation refund scam
Fraudsters impersonate travel companies or your bank, claiming your flight or holiday has been cancelled and saying they can help you get a refund. This is extremely effective as your reaction will be either "Oh no! My holiday is ruined!!" or "What?! I didn't book a holiday... who has used my details?"
How NOT to be a victim.
You've probably been told to look for grammatical errors or spelling mistakes in emails and messages. While this is still good advice, keep in mind that scammers are using AI to improve their spelling and grammar - just like many of you do.
The best thing you can do is to consider what emotion is being evoked by the message. For example, is it anger, lust, fear, greed? Think of the '7 deadly sins', because these are often the feelings that make us react... when in fact we need to respond.
Think...
- Is this plausible?
- Is this reasonable?
- Is this trying to get a reaction out of me?
If you're concerned about anything you receive, don't react. Respond.
RESPOND
R – Recognise
- Spot the signs of trouble early.
- Look for unusual system activity, unexpected logins, or phishing attempts.
- Train staff to recognise suspicious emails, phone calls, and links.
- Use threat intelligence feeds to stay informed.
E – Evaluate
- Quickly assess the scope and severity.
- Is it an isolated incident or signs of a wider breach?
- Identify what data, systems, or people might be at risk.
- Log all evidence from the start — it may be needed later.
S – Speak
- Don't keep this to yourself: speak to trusted advisors, colleagues, or your family.
- Speak to your bank about additional security controls they can put in place for you.
- Speak to the organisation the message purports to come from. Contact them directly, as you normally would, NOT through the message you received.
P – Pause
- If the message says you must respond within a set amount of time, it's probably a scam.
- Take a moment to think about the message and what you're being asked to do... don't react or reply immediately. Grab a cuppa, and think about it.
O – Organise
- Coordinate resources and information.
- Keep any messages you receive as evidence.
- If possible, engage key stakeholders — IT, legal, PR, management.
- Ensure accurate and consistent updates are provided. Remember that if you are scammed, you may need to speak to the police, the ICO, or your clients.
N – Notify
- Remember that you have a legal duty (under the GDPR) to report personal data breaches to the ICO and affected individuals within 72 hours.
- Notify clients, partners, and affected individuals as necessary.
- Avoid speculation — stick to verified facts.
D – Document
- Record everything for recovery and learning.
- Maintain a detailed incident timeline.
- Store logs, screenshots, and evidence securely.
- Review the incident afterwards to improve defences.
You may not need to do all these things, but they are a useful guide. If you don't have an incident response plan... consider the above as your starting point.
I hope that helps.
If you're concerned you may have been a victim of cybercrime then please get in touch. We're here to help.