Your Passport to Security: Protecting Mobile Brands from Travel Fraud
Every year, millions and millions of people around the world prepare for a trip to the sun, sea and sand, booking trips through their favorite mobile apps. And it’s getting busier, with many airlines booking record numbers of flights this summer. However, booking a holiday is not a pleasant experience for everyone.
Consumers are tricked into sharing sensitive data with fraudsters; Booking.com revealed that it had seen a 500 to 900% increase in travel fraud over the past 18 months, most of which was carried out through social engineering. Banking companies are also seeing an upturn. Lloyds Bank highlighted that holiday shopping fraud has increased by 7% in the past year, with victims losing an average of £765.
While the convenience of booking holidays, flights or excursions via a mobile app is praised, bad actors are exploiting it through clever social engineering. Unfortunately, successful mobile attacks can have far-reaching consequences for consumers, including financial loss, identity theft, confusion, embarrassment and fear.
Travel brands that prioritize consumer safety on mobile devices will gain the trust (and wallet share) of most people. But to do this, companies must understand the threats of social engineering and how best to avoid them.
Vishing offers new challenges
Consider this scenario of a typical voice phishing or “vishing” attack, a relatively common form of social engineering in which scammers call their victims posing as reputable companies to extract personal information: a traveler, excited about their upcoming trip, receives a phone call claiming to be from their mobile travel app.
The caller expresses concern about a possible problem and requests personal information for ‘verification’. To ‘verify’ the booking, the scammer may ask for personal information such as the traveler’s full name, bank card number, passport details and even the one-time password (OTP) sent to the traveler’s mobile phone. Once the scammer has collected enough information, they can use it for identity theft or fraudulent purchases.
Nearly seven in ten working adults and IT professionals worldwide have reported experiencing a vishing attack similar to the example above. This direct human interaction differs from traditional email phishing attacks and can be more difficult to detect because the fraudster can adjust their approach in real time based on the victim’s responses. Vishing’s audio-based attacks present unique challenges, highlighting the importance of consumers being cautious and informed even when answering a simple phone call.
Such vishing attacks slip through the cracks because social engineering exploits human psychology. By better understanding user behavior and human psychology, criminals can manipulate users into believing that a brand is contacting them. Scammers may also use “smishing” tactics (phishing by SMS instead of by phone call) to trick users into disclosing confidential or personal information, or ask them to download a malicious travel app that claims to have exclusive deals.
To complicate matters further, many criminals are also recognizing the power of generative AI. This means that the “user beware” approach is no longer sufficient. With AI, attackers can impersonate a voice, spoof caller ID, and send fake messages to users that look like they come from the legitimate mobile app. As attacks become more complex to identify, consumers need more protection.
Shift in consumer expectations
In a bid to protect consumers, Booking.com’s internet security boss has called on hotels and travelers to use two-factor authentication, calling it the best way to prevent credential theft. But that doesn’t stop all social engineering attacks.
Consumers are also demanding that brands do more to protect them: 57.5% say “the mobile app creator” has primary responsibility for protecting the mobile app experience (up from 2.4% last year).
With more than half of consumers demanding protection, mobile brands must step up and take action. Implementing strong security and anti-fraud measures increases consumer loyalty, increases trust, and reduces churn and customer acquisition costs.
Choose automation over manual methods (or automate your mobile defenses)
Mobile brands must continue to innovate, so developers focus on building the features that attract and delight users to grow downloads, revenue, and five-star reviews. While developers are experts in many things, most are not security engineers. Asking them to figure out how to detect and prevent social engineering problems in a user-friendly way diverts them from innovation and can require months or even years of manual work, which can be detrimental to the business.
Developers could try older SDKs or data protection frameworks, if they can find them, to address various attacks, but these still consume developer time and distract from core innovation. What’s worse is that they typically crash the mobile app, creating a poor customer experience that can dramatically increase negative user reviews.
The fastest way for mobile brands to proactively protect themselves and their customers is to use solutions that automatically build in-app defenses against social engineering attacks into their Android and iOS applications.
Stop social engineering at the root
Modern mobile defense solutions tackle problems at their root cause, automatically building in protection using proven, pre-built defense libraries and protocols. This way, developers can continue to focus on designing new mobile app innovations, while the mobile defense system ensures that protection is always built into every mobile app release, without developer work or delays. Additionally, these modern solutions detect issues, alert users and mobile brands, and guide them through the resolution without crashes or user harm, turning security measures into trust that drives more five-star reviews.
At the very least, mobile brands – and travel brands in particular – should offer protections such as anti-tampering, threat protection, code obfuscation, data encryption and real-time threat monitoring. This is intended to protect sensitive information, enable immediate detection of attacks, and ensure that mobile apps remain secure, compliant, and reliable.
By adding further social engineering protections at the core, including anti-vishing and anti-spyware, mobile brands can easily and quickly create a more secure environment that interrupts social engineering attacks and protects mobile users and mobile brands.
A united front against travel fraud
As cybercrime continues to evolve, mobile travel brands must remain vigilant. This means staying well-equipped and using the right cutting-edge technology to dismantle the complex networks of manipulation caused by social engineering attacks. By taking a resilient approach to cybersecurity from the start, brands can not only prevent attacks but also build trust and loyalty with their customers. This way, users can plan their vacation without fear of scams or fraud.
It’s time to move beyond reactive band-aid solutions for mobile app security.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.