Holiday Fraud Season Picks Up, and Travel Advisors Need to be Wary

While travel advisors are typically trying to protect their clients from online fraud, they frequently are the target of hackers, too. This holiday season, agents say they are seeing an uptick in campaigns to access their hard drives and their bank accounts.

On Cyber Monday, the Long Island chapter of the American Society of Travel Advisors posted on its Facebook page a warning: “Watch out for scams! I just received an email from Square about a $980 refund being made to a non-existent customer with a link to view. Not only don’t I use Square, but I have no customer that has booked with me that would be getting a refund.”

Square is a company that provides credit card acceptance to a wide range of entrepreneurs. The post was written by LI ASTA chapter member Helen Prochilo, who owns Promal Vacations. She reported that right after the fake Square email, she received one from Stripe with a Square invoice attached.

“The first thing I do when I see an email like this is check who sent it,” Prochilo said. The Square email was from wisdomdread1.yahoo.com@ccsend.com, she said. “When I see something like that, I delete.”

The email very likely was a phishing scam. Phishing is an attempt to collect personal and/or financial information over email, phone, or via text message. Via email, the fraudster likely will direct the recipient to enter personal information in a form at a fake website.

On its website, Square reports that “Square will never ask you to provide sensitive information such as your username, password, social security number, full bank account details, or payment card information over email, phone, or text message.

“If you receive a suspicious email regarding Square, don’t reply to the message, select any links, or open any attachments. Please forward it to spoof@squareup.com to report the incident. Do not include any other information in the email you forward. The appropriate team will investigate and take action if needed.”

The Square scam has been around for years. In a June 2018 website post, the Better Business Bureau (BBB) said scammers are taking advantage of Square’s popularity “by sending phishing emails that appear to be official correspondence.”

The BBB said there are several different versions of the phishing scam, “but they all use the Square logo and seem legitimate. In one common version, the message claims that you accepted a payment and provides credit card details. In another, a client has allegedly requested a refund and funds are being removed from your account. Both messages urge you to click a link and ‘View Full Payment/Refund Details’ or ‘Deposit Now.’”

“Whatever you do, don’t click the links,” the BBB said. “They can download malware to your computer that can acquire your usernames, passwords and even sensitive personal information, such as your credit card number.”

The BBB is asking recipients to report their experience on the BBB Scam Tracker.

On its website, merchant credit card acceptance company Stripe warned business owners that “Stripe emails will come from the “stripe.com” or "e.stripe.com" domains, and you can always reply directly to the message to get in touch with us.”

Stripe also cautioned entrepreneurs to “only type your password into a website after confirming that it is the website you want, not one that was created to look like Stripe,” to “check the domain name for typos (such as “stirpe.com”),” and “check for our Extended Validation Certificate” (which usually looks like a green lock next to the Stripe URL).

Fake banks, and Amazon, too
Agents all over the U.S. reported seeing similar emails recently, and other fraud attempts, including some perennial Facebook Messenger scams.

“It’s not just Square. I received an email from Chase recently, supposedly about a wire transfer to my account, even though I don’t bank with Chase,” said Loulu Lima, owner of Book Here, Give Here, a home-based agency in Austin, Texas.

“It had Chase logos, and even a warning that ‘if you think this email is fake, call this number.’ It looked really authentic,” Lima said. She opened the email on her iPhone and when she swiped up, it appeared to try to forward the email to all of Lima’s contacts. She immediately deleted it and closed any open windows on her iPhone.

Another popular scam Lima has seen recently is from suppliers she doesn’t work with, claiming they are ready to pay her, and attaching a document designed to look like a purchase order.

Her webmail didn’t mark a recent email like this as spam, and also didn’t recognize one of the attachments, with an “.rar” extension, marking it simply with a question mark. “You never click on attachments,” Lima said, “because that could initiate a file downloading on to your device, potentially with malware.”

The Kaspersky computer security company lists .zip files and .rar files as two of the most widely used by online scammers.

Marguerite McMahon, a travel advisor based in Australia, posted on Facebook recently asking friends to not send her videos, chain letters, greetings or holiday games through Facebook messenger, as she has found many of them spread viruses, and initiate a hack on their Facebook accounts.

Valerie Delzer, owner of Travalerie, in Irving, Texas, said she recently saw a Facebook messenger scam that imitates coming from a Facebook friend, with “what appears to be a blacked-out image with the words ‘I think you appear in this video. Look at it is it you?’”

Clicking on the attachment “sends you to log into your Facebook account which tells me they're trying to capture login information,” Delzer said.

Other Better Business Bureau tips to protect yourself from online scammers include:

Verify the secure Square URL. Always double-check that you are on the official Square website and that you have a secure connection before you login. How can you tell? Your browser should say https://squareup.com/login and the locked Square, Inc. icon should populate next to this web address.

Be on the lookout for red flags. Typos and grammatical errors, as well as unfamiliar email addresses and scare tactics are all signs of a phishing scam.

Protect your personal information. Never share your credit card numbers, Social Security number or even address and phone number with a stranger, especially if they have contacted you unsolicited.