Don’t fall victim to a new wave of holiday scams this summer: Four ways your devices can be easily hacked in hotels – and how to protect yourself
- Hotel rooms one of the riskiest places for your data on holiday
- ‘Evil twin’ WiFi connections can be used to steal your passwords
- Watch out for modified USB ports when charging devices
There’s a new wave of scams to watch out for this summer.
With millions of travellers preparing for holidays in the coming months, experts warn they need to be on their guard for what is now one of the biggest scam hotspots – hotels.
Fraudsters can set up fake ‘evil twin’ WiFi connections to steal passwords and even modify USB ports to grab data with a technique called ‘juice jacking,’ according to a report from NordVPN.
Account takeover fraud – fuelled by data-stealing – accounts for around 15 per cent of all fraud globally. That’s around 136 million instances last year, according to a LexisNexis report which compiles data from businesses globally.
NordVPN claims hackers can use cybersecurity vulnerabilities at hotels in several ways to reach holidaymakers – even in rooms.
Jason Lane-Sellers, director of market planning at LexisNexis Risk Solutions, said: ‘Packed holiday resorts full of relaxed tourists letting their guards down will no doubt be seen as a tempting opportunity for fraudsters over the summer months.’
Below, NordVPN reveals four ways scammers can steal data this summer – and how to avoid them.
1. Fake WiFi networks
Hackers can use a hotel’s WiFi to steal travellers’ passwords and personal information in two ways.
One is to connect to the hotel’s WiFi and install malware.
The second is to create a so-called ‘evil twin’ – a fake, unprotected WiFi hotspot with an innocuous-sounding name like ‘guest WiFi’ or ‘free hotel WiFi’. They can then steal private information this way.
‘All the fraudster has to do is set up a fake WiFi network with a convincing-looking login page that asks for your name and email address and asks you to create a username and password.
‘It’s not much more complicated than setting your phone up as a hotspot,’ says Lane-Sellers.
Once they have this, they will use a technique called ‘credential testing’ to attempt to log in to the victim’s online accounts, like bank or credit services.
This is made even easier as many people still use the same username and password combinations for all of their online accounts – so once the fraudster has one set of login details, they have a good chance of success.
‘Once they have your details, they could also call you and try a scam scenario. For example they call pretending to be your bank and say there’s a problem – and of course, they say they can ‘see you’re on holiday from your transactions’ – to help convince you it’s genuine,’ explains Lane-Sellers.
Adrianus Warmenhoven, cybersecurity expert at NordVPN, said: ‘To avoid being hacked through hotel WiFi, travellers should ask the person at the reception desk to give the exact name and password for the provided WiFi to avoid connecting to an ‘evil twin’ network.’
You could also use a VPN service to encrypt your data and prevent third parties from intercepting it.
Warmenhoven also says ‘it is always a good idea to enable a firewall while using public WiFi.’
2. Dodgy USB charging ports and chargers
Some hotels install USB charging ports in hotel rooms for the convenience of visitors. This is a tempting way to charge a device, especially if the guest is coming from a location with a different kind of plug.
However, this could introduce the risk of becoming a victim of cybercriminals.
Hackers can modify charging cables in public places to install malware on phones to perform an attack called ‘juice jacking’.
This type of attack allows hackers to steal users’ passwords, credit card information, address, name, and other data.
Warmenhoven said: ‘Usually the safest way to charge your device is with a socket. Otherwise it is a good idea to carry a power bank or USB data blocker.’
Look out for the plug, Lane-Sellers adds: ‘If a charging point looks odd, or tampered with, don’t use it.
‘If you plug your phone into a charger and your phone prompts you to ‘allow access to this device’ do not allow it.’
3. Smart TV cyberstalking
A smart TV can become a gateway for cybercriminals. These TVs have an established connection to the local WiFi to allow travellers to access apps and streaming platforms.
A hacked smart TV could be used to cyberstalk travellers through its built-in microphone or camera, or to steal the personal credentials used to log in to apps on the TV, which can then be sold on the dark web.
The best thing to do, according to NordVPN, is to keep the smart TV unplugged from power sources when it’s not being used.
Covering the webcam and avoiding logging in with personal credentials also mitigates cyber risks.
4. Automatic connections to WiFi
Keeping the automatic connection function disabled on your devices helps to mitigate cybersecurity risks on a trip because devices may be surrounded by public and insecure internet connections.
This way, even if the device connects to Wi-Fi, it remains protected from cybercrimes, NordVPN says.
The cyber-attack group DarkHotel has been known to compromise the Wi-Fi of luxury hotels by combining spear phishing, dangerous malware, and botnet automation designed to capture confidential data.
Because the group seeks out only high-value targets — C-level executives, politicians, representatives from military-related organisations, and pharmaceutical company representatives — phishing emails are tailored to each target and are highly convincing.
Unfortunately, complete prevention of cyberattacks can be challenging, especially when it comes to professional hackers aiming for high-value targets.
Warmenhoven said: ‘Travellers should always be aware of phishing attacks – verify the authenticity of suspicious emails and executable files and pay attention to odd spelling.’
Overall, if you think your data or your device may have been compromised while away, change any banking or credit card passwords straight away, then contact your bank to let them know.
Never reuse passwords or use easy-to-guess passwords, especially for things like financial services.