This year, Spring Break vacationers are packing more than their flip-flops, bucket hats, and sunglasses—they’re also packing a few cybersecurity anxieties for the trip.
According to new research from Malwarebytes, 52% of people said they “worry about being scammed while traveling,” while another 40% admitted that they “worry about my kids or family sharing trip details online.” While most people said they will act on these concerns—63% will make sure their security software is up to date, 53% will back up their data—roughly 10% of people said they will take no precautions whatsoever into protecting their security or privacy while on vacation.
The findings reveal that the public approaches cybersecurity as a patchwork quilt, implementing some best practices while forgoing others, and engaging in a few behaviors that carry significant risk online.
For this research, Malwarebytes conducted a pulse survey of its customers in March via the Alchemer Survey Platform.
Broadly, Malwarebytes found that:
- 52% of people “agreed” or “strongly agreed” that they “worry about being scammed while traveling.”
- 20% of people “agreed” or “strongly agreed” that they “don’t really think about protecting my data while traveling.”
- 38% of people said they will book their next travel opportunity through a “general search,” which could leave them vulnerable to malvertising.
- Apps are a way of life, as 66% of people said they use between one and six apps specifically for travel (such as hotel apps, airline apps, and translation apps). A particularly plugged-in 8% of people said they manage more than seven apps for the same purposes.
- To stay cybersecure and private on vacation, the majority of people will backup their data (53%), ensure their security software is up to date (63%), and set up credit card transaction alerts (56%), but 10% will take none of these—or other—steps.
- 53% of people refuse to take a single laptop with them on vacation, whereas just 1% leave even their smartphone behind—talk about a holiday.
Risky business break
The cybersecurity risks around personal vacations are unlike those around the holidays for major organizations and businesses, in which cybercriminals know that low staffing will leave companies more vulnerable to an attack or breach.
Instead, far-flung Spring Breakers can engage in a series of behaviors both before and during their holidays that leave them open to online scams and theft.
Take, for example, the 38% of people who told Malwarebytes that they would conduct a “general search online” in booking their next vacation. While Google searches are probably one of the most common tasks for any vacation planning, the results that people see can be manipulated through a type of cybercrime called malvertising, short for “malicious advertising.”
In malvertising, cybercriminals will create a fake website that looks like a popular service, like Facebook, Slack, or eBay. Cybercriminals will also pay a small sum so that these fake websites show up near the top of Google’s sponsored results for relevant searches. Once users click on the websites, which appear legitimate, they’re tricked into downloading malware or handing over sensitive information to scammers.
A safer option for vacationers is to book travel directly with an airline or hotel chain. Many participants wrote this approach into the Malwarebytes survey when selecting the “Other” option (14%). Interestingly, the 29% of respondents who said they use a travel agent for booking likely also receive some extra safeguards, simply because another, experienced, person is involved in the process.
But in the same way that cybercriminals have begun abusing Google search results to send victims to dangerous websites, they’ve also done the same to trick users into downloading fake versions of popular apps.
Android “phishing” apps are a serious threat to users today—Malwarebytes detected 22,800 of them last year alone—and, as we wrote before, they represent the next step in camouflaged cyber-scamming:
“By disguising themselves as legitimate apps—including for services like TikTok, Spotify, and WhatsApp—Android phishing apps can trick victims into typing in their real usernames and passwords on bogus login screens that are controlled entirely by cybercriminals.”
The threat here endures long after the app is installed. If enough victims unwittingly send their passwords, cyber thieves could bundle the login credentials for sale on the dark web. Once the passwords are sold, the new, malicious owners will attempt to use individual passwords for a variety of common online accounts—testing whether, say, an email account password is the same one used for a victim’s online banking system, their mortgage payment platform, or their Social Security portal.
This wouldn’t be too much a problem if modern traveling didn’t involve so many apps.
According to our survey, 44% of people manage between two to four apps specifically for travel purposes, and 9% manage between five and six apps. And while 20% of people use zero apps for travel and 14% use just one app, there are 8% of people who rely on more than seven apps strictly for travel purposes.
That could include airlines apps, hotel apps, translation apps, and more. But as more apps help with traveling needs, more opportunities arise for those apps to be falsely emulated and maliciously advertised online.
As for what people do while physically on vacation, many engaged in online behaviors that could prove risky, but they can hardly be criticized for it.
For example, 25% of people said they scan QR codes while on vacation. These codes could lead people to malicious websites, but QR codes have become normalized at restaurants that no longer have physical menus. And 33% of people “log into financial institution sites or apps to manage [their] budget, check purchases, etc.” This type of activity was susceptible to online eavesdropping many years ago, but everyday internet connections have become far more secure in the past decade. That said, it’s inspiring to see that 41% of people “download or install a VPN” to provide an extra level of security when browsing on public Wi-Fi.
Safe travels
Cybersecurity is probably the last thing people want to “pack” before going away on a break, but, thankfully, it’s something that a majority of people said they do.
For instance, 63% said they “check that [their] security software is up to date,” while 53% said they “backup [their] data.” Similarly, 56% said they “set up credit card transaction alerts.” And while it isn’t quite a majority, 47% said they turn on “Find my Device” features which can help in case of a lost or stolen device. Interestingly, people do not commit to the same precautions for their bags—just 21% of survey participants said they “put a tracker in [their] luggage.”
Still, there’s progress to be made.
Not only did 10% of survey participants share that they take zero cybersecurity or data privacy precautions before traveling, but 20% also agreed or strongly agreed with the statement “I don’t really think about protecting my data while traveling.”
For safety abroad, here are a few tips travelers can take before and during their next vacation:
- Backup your data before you head out. Losing a device or having it stolen while on vacation won’t just ruin the trip itself—it will return the return journey, too. Backing up your data will help ensure that any lost device doesn’t lead to lost files.
- Turn on “Find My” features. To respond to a lost or stolen device, turn on the “Find My” features on iPhones and Androids before your vacation so you can track a device’s location in real time.
- Protect your devices with antivirus and cybersecurity tools. Modern cybersecurity tools don’t just stop viruses from landing on your devices, they also warn you about dangerous websites and links that could steal your info.
- Update your software. Ensure that your devices are running on the latest versions of their operating systems. This helps prevent any known weaknesses from being exploited by cybercriminals.
- Use a password manager and 2FA. Your most sensitive accounts shouldn’t just have a unique password. They should also be protected by two-factor authentication, which requires more than a password for anyone to login.
- Consider a VPN. If you are doing something sensitive online, it never hurts to use a VPN. Bonus: If you’re travelling to another country where your favourite streaming shows aren’t available, a VPN can help here too.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
