Why Your Travel Accounts Are More Vulnerable Than Your Passport — And What To Do About It
You’ve probably memorised where your passport is right now. Maybe it’s in a hotel safe, tucked into a zipped compartment of your carry-on, or wrapped in an RFID-blocking sleeve you bought after reading one too many horror stories. You’d never leave it sitting on a café table in an unfamiliar city.
But here’s the uncomfortable question: when was the last time you thought about the security of the airline app on your phone? Or the hotel loyalty account with 80,000 points just sitting there?
Travel accounts hold some of the most sensitive personal data imaginable — passport numbers, driver’s licence scans, dates of birth, full itineraries — yet most of us protect them with a six-character password we’ve reused since 2017.
According to USA Today, these digital repositories are prime targets for hackers precisely because they bundle so much exploitable information in one place.
The threat isn’t theoretical. It’s industrialised, automated, and surprisingly patient. This article walks through the attack patterns that specifically target travellers — and the defences that actually work.
The Scale of the Problem: Travel Account Fraud by the Numbers
The numbers are worse than most travellers realise, and they’ve gotten worse fast.
Start with loyalty fraud. Large travel and hospitality companies lose over $1 billion annually to loyalty point theft. Airline loyalty fraud alone accounts for 46% of all fraudulent transactions in the airline industry. That’s nearly half of every dodgy transaction these carriers deal with — and it’s not slowing down.
Why is it so easy? Because 45% of loyalty program accounts are inactive or rarely checked. That’s the fraudster’s sweet spot.
An account nobody’s looking at can be quietly drained, sometimes over months, before anyone notices. The same TransmitSecurity research flagged this as a structural vulnerability that the industry hasn’t addressed.
And it’s an accelerating problem. A Mastercard analysis of the 2024 Global Fraud Trends report from Ravelin found that fraud increased for 75.7% of travel-sector merchants in the past year. Three out of four companies saw things get worse, not better. When you dig into how this fraud happens, one method dominates: over 60% of travel account fraud cases are linked to account takeover, per research from CrossClassify.
Behind those takeovers sits a relentless army of bots. Data from Imperva’s 2024 Bad Bot Report, cited by Ecommerce News UK, reveals that malicious bots now make up 44.5% of traffic in the travel sector — nearly half of everything hitting these sites isn’t a real human.
The acceleration is staggering. According to Forbes, bot attacks on airline loyalty accounts surged 166% between Q4 2023 and Q1 2024 alone. Cybercriminals aren’t dabbling here — they’re scaling up fast.
And the worst part? Nobody notices until it’s far too late. Mastercard points out that people simply don’t check loyalty accounts as often as bank accounts, and security around these platforms isn’t as comprehensive — even though points effectively function as currency. That’s a gap fraudsters are happy to exploit.
How Hackers Target Travellers: The Common Attack Patterns
Public Wi‑Fi: The Convenience Trap
That free airport or hotel Wi‑Fi you connect to without thinking? It’s a problem. A Forbes Advisor survey of 1,000 American travellers found that 41% have had their online security compromised on public Wi‑Fi while travelling. Hotels were the location for 56% of these compromises; aeroplanes came in at an alarming 67%.
The scale of vulnerable networks is enormous. Zimperium detected over 5 million unsecured public Wi‑Fi networks globally since the start of 2025, with a third of users connecting to these unprotected access points. When you’re on an unsecured network, your login credentials for booking platforms, loyalty accounts, and email can all be intercepted — and the cafes and hotel lobbies where this happens are precisely the places travellers rely on for connectivity.
Fake Portals and Booking Scams
Some of the most convincing scams don’t touch your Wi‑Fi at all. They build perfect copies of things you already trust.
Criminals now create sophisticated fake visa and travel authorisation websites that look identical to the real thing, charging inflated fees for documents that are either unnecessary or completely bogus. In the process, they collect everything — passport details, payment card numbers, home addresses. A July 2025 warning from travel insurance experts at Quotezone.co.uk, reported by TTR Weekly, flagged a sharp rise in these copycat portals targeting holidaymakers.
Hotel booking scams have evolved in parallel. An ESET investigation documented how the Telekopye scam toolkit — already used by dozens of criminal groups — has pivoted heavily to travel. The method is devious: compromised hotel accounts send phishing messages through legitimate platforms like Booking.com, with the messages pre-filled using the victim’s real booking details. You get a message, it references your actual reservation, and it asks you to verify payment or re-enter credentials. It feels authentic because the attackers are working with stolen data.
The scale is staggering. Booking.com warned of a 500% to 900% increase in travel phishing scams in the 18 months leading to June 2024, driven in large part by generative AI making fraudulent communications more convincing and harder to spot. ESET also noted that by July 2024, Telekopye-based accommodation phishing detections had, for the first time, more than doubled the toolkit’s original marketplace scam detections.
These patterns aren’t hypothetical. If you’re heading to Egypt, for example, the Complete guide to Egypt on The Historian Traveller specifically warns travellers about fake visa portals and recommends trusting only the official Visa2Egypt portal. In Morocco, the site’s practical advice is blunt: if anyone asks for money for a visa on arrival, it’s a scam — because the real thing is free.
These are exactly the scenarios fraudsters exploit, and armchair research won’t protect you unless you’ve secured the accounts that hold your itineraries and identity documents.
Phishing and Credential Theft
Phishing remains the most direct route into your accounts. The Zimperium 2025 Global Mobile Threat Report notes that nearly one-third of mobile threats targeting travelling employees are phishing attempts — including SMS-based lures disguised as booking confirmations or urgent account alerts.
These attacks work because they exploit a fundamental human weakness: convenience. And that weakness is amplified by the password reuse crisis. Enzoic reports that 65% of users reuse passwords across multiple accounts, with the average password repeated 14 times. If one travel booking site gets breached — and plenty have — that same password unlocks your airline account, your hotel loyalty program, and possibly your email. Fraudsters don’t need to crack anything; they just need to try the key you already handed them.
The Forbes investigation into loyalty point fraud discovered that compromised accounts are sold in bulk on Telegram and WhatsApp at around 80% of the points’ value or less, sometimes with a time guarantee on access. The tools to do this are openly sold by cybercriminal networks. As the CEO of Arkose Labs told Forbes: “You don’t need to be a developer anymore.”
Physical and Surveillance Risks
Some threats don’t even require a network. Security firm Global Guardian has warned that in higher-risk travel environments, hotel networks and Wi‑Fi should be assumed accessible to hostile actors. High-resolution cameras can be trained on keyboards to capture credentials as they’re typed.
USB charging ports in hotel rooms can be compromised to install malware on connected devices. It sounds like something from a spy thriller, but it’s a documented operational reality for business travellers and, increasingly, for anyone carrying valuable data.
Why Your Loyalty Points Are Prime Targets
Loyalty accounts sit in a perfect storm of weak defence and high value. Most hotel and airline chains don’t require multi-factor authentication because they’re loath to add friction to the booking experience. That trade-off — speed over security — has created a landscape where loyalty accounts are significantly easier to penetrate than bank accounts, as Forbes highlighted in its 2024 investigation.
Points are liquid. Compromised loyalty accounts are sold on encrypted messaging platforms at roughly 80% of the points’ face value, often bundled with guarantees that the buyer will have sustained access. It’s a functioning grey market, and the barrier to entry keeps dropping. Credential-stuffing tools are commercially available from networks in Vietnam, China, and Russia.
The user behaviour side of this is equally bleak. With 45% of loyalty accounts inactive and 65% of passwords reused across an average of 14 accounts, the attack surface is enormous. A fraudster who successfully stuffs one set of stolen credentials can often walk through the front door of a dozen loyalty programs without triggering a single alert, because nobody is watching.
Practical Defences: Securing Your Digital Travel Kit
You don’t need to become a security expert to close most of these gaps. A handful of deliberate habits makes you a much harder target.
Start with a password manager. The 65% password reuse statistic alone should be enough motivation, but a password manager like Proton Pass addresses the root cause directly.
Proton Pass is an end-to-end encrypted, open-source password manager trusted by over 100 million users. It stores passwords, passkeys, and two-factor authentication codes, auto-filling them as you need them across devices.
It also lets you generate email aliases — decoy addresses that forward to your real inbox without exposing your actual email to every booking site. If one alias gets compromised in a breach, you burn it and move on, while your real account stays untouched.
Why Proton Pass specifically? Wired reviewed it in September 2025 and called it “one of the best password managers on the market,” praising its consistent updates, best-in-class free plan, and fully open-source applications.
For travellers, the combination of strong credential generation, built-in 2FA handling, and disposable email aliases makes credential-stuffing attacks against loyalty and booking accounts nearly impossible to execute. If every account has a unique, complex password and a unique email, the reuse attack chain breaks.
Enable multi-factor authentication wherever it’s offered. Yes, many airlines and hotel chains still don’t support it — and that’s on them — but for the ones that do, turn it on. Proton Pass can manage and auto-fill those 2FA codes, removing the friction that usually makes people skip this step.
Avoid public Wi‑Fi — or cloak it properly. With 41% of travellers having been compromised on public Wi‑Fi and over 5 million unsecured networks floating around the globe, the safest move is to avoid them entirely. Use an eSIM with local data, or connect through a reliable VPN that you’ve installed and tested before departure. Mobile data over an eSIM is usually faster than throttled hotel Wi‑Fi anyway.
Monitor your accounts and set alerts. Quick detection through transaction alerts and periodic account checks dramatically limits the damage. Schedule a calendar reminder to review your loyalty balances once a month — it takes five minutes.
Sharpen your phishing awareness. With nearly a third of mobile threats targeting travellers involving phishing, scepticism is your best filter. Treat every unexpected link — whether in an SMS, email, or WhatsApp message — as hostile until proven otherwise. Manually verify URLs. If a booking platform messages you about a payment issue, close the message and log in through the app or website directly.
Caveats and Counterpoints: Even Strong Defences Aren’t Foolproof
Let’s be honest about the limits. Password managers are not magic. On Reddit, Proton Pass users generally express positive sentiment but acknowledge it’s still maturing as a standalone product — the unlimited email alias integration through SimpleLogin is widely praised, though some users note it’s not yet as feature-rich as Bitwarden or 1Password in certain edge cases.
VPNs aren’t a universal fix, either. In restrictive environments like China, VPNs are actively blocked. The Chinese government ordered Apple to remove WhatsApp, Threads, Telegram, and Signal from the China App Store, as documented by Freedom House. If your VPN fails in a heavily filtered network, you’re either cut off or forced onto local connectivity with no protection. Having a backup eSIM or local data plan is not optional in these scenarios.
The industry’s MFA gap remains frustrating. Many loyalty programs still don’t offer two-factor authentication, and no amount of user vigilance can fill that void. It shifts an unfair burden onto travellers who are already doing everything right.
And human error can cut through all of it. Jet-lagged, rushed, and juggling connections in an unfamiliar language, even a security-conscious traveller can click a convincingly faked Booking.com message that references their actual reservation.
The sophistication of AI-generated phishing means vigilance needs to be paired with structural defences — unique credentials, compartmentalised identities, and monitored accounts — because everyone has a bad moment.
Treat Your Accounts Like Your Passport
The passport you guard obsessively is just one key. The digital accounts you’ve accumulated over years of travel — airline loyalty profiles, hotel points, e-visa uploads, booking histories — hold every bit as much value, and hackers have built an industrialised infrastructure to extract it.
Bots are hammering travel sites around the clock. Scammers are cloning visa portals. Phishing operations are using generative AI to craft messages that reference your actual bookings.
None of this requires paranoia. It requires parity. The same attention you give to not leaving your passport on a train seat should extend to the airline app in your pocket, the loyalty number in your browser, and the scanned documents you uploaded to the cloud at 2 a.m. before a flight.
A password manager, two-factor authentication wherever it’s available, a healthy distrust of unexpected links, and cautious connectivity habits shrink your attack surface dramatically.
None of this is complicated. Most of it takes less time than finding your gate.
Leave a Reply