Cyber-crooks are sending ultra-realistic “booking confirmation” emails from brands like Delta, Marriott, and Expedia. One click can expose your logins, credit-card data, or even infect the PC you use for work. Read on for the red flags, why this scam slips past even savvy travelers, and five steps to keep both your family and your business safe.

How the Scam Works
1. A flawless-looking confirmation hits your inbox
Logos, fonts, and footers all match the real thing. Subject lines crank up the urgency: “URGENT: Your itinerary changed—confirm now.”
2. “View details” takes you to a spoofed site
The page asks you to sign in or “update payment.” The URL is one character off, but excitement (or panic) hides that detail.
3. The attackers cash in
Stolen logins open the door to loyalty points, saved cards, or corporate travel portals. Some links even drop malware that spreads through your network. CISA’s latest guidance highlights how polished phishing sites have become. (CISA)
Why Even Pros Get Fooled
- Pixel-perfect design—free email-template kits make fakes look 100% legit.
- Timing & emotion—travel plans trigger excitement; a “flight issue” triggers panic. Either way, we click fast.
- Sheer speed—Verizon’s 2024 DBIR shows the median victim clicks a phishing link in under 60 seconds.
- Brand trust—the email “From” field might read itineraries@deltacom.com—close enough that most recipients never notice the extra com.
The Hidden Business Risk
If you (or an assistant) handle company travel, one wrong click can:
- Expose the corporate card to fraudulent charges.
- Hand over credentials to shared airline and hotel accounts.
- Inject malware into the company network—often delivered as a fake PDF itinerary.
The FTC has already documented scammers impersonating airline agents to capture these details. (Consumer Advice)
Five Ways to Protect Your Wallet and Your Workplace
- Type, don’t click. Open a new tab and manually enter delta.com or marriott.com to verify any booking changes.
- Inspect the sender. Hover (or tap) to reveal the full address; watch for extra letters or domains like .co instead of .com.
- Roll out MFA everywhere. Even if credentials leak, a one-time code blocks access.
- Train the team. A 30-minute phishing drill pays for itself the first time an employee hesitates instead of clicking.
- Harden email security. Enable URL-rewriting and attachment sandboxing so bad links die before they reach a user.
There are some EXCELLENT systems out now that help lock down email gateways, enforce MFA, and teach your staff to spot fakes, so scams stop at the inbox.
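The "inspect the sender" check from the list above can also be automated at the mail gateway or in a triage script. The following is an added example, not code from the original article; the trusted-domain list, the function names, and the sample addresses other than itineraries@deltacom.com are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: the brands this mailbox really books with; extend as needed.
TRUSTED = {"delta.com", "marriott.com", "expedia.com"}

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # Simplification: keep the last two labels. Production code should
    # consult the Public Suffix List (e.g. for names under co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_sender(from_header, trusted=TRUSTED):
    """Return (verdict, reason) for the address in a From header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("suspicious", "no parsable address")
    domain = registrable(addr.rsplit("@", 1)[1])
    if domain in trusted:
        return ("trusted", domain)
    name, _, tld = domain.partition(".")
    for good in sorted(trusted):
        gname = good.partition(".")[0]
        if name == gname:                      # marriott.co vs marriott.com
            return ("lookalike", f"{good} with TLD .{tld}")
        if gname in name:                      # deltacom.com vs delta.com
            return ("lookalike", f"brand '{gname}' embedded in {domain}")
        if edit_distance(name, gname) == 1:    # one character off
            return ("lookalike", f"one character off {good}")
    return ("unknown", domain)

if __name__ == "__main__":
    # Constructed sample headers, not taken from real messages.
    for hdr in ["Delta <itineraries@deltacom.com>", "bookings@marriott.co",
                "noreply@expedla.com", "itineraries@e.delta.com"]:
        print(hdr, "->", check_sender(hdr))
```

A "trusted" verdict only says the domain string matches; the From header itself can be forged, so combine this with the message's SPF, DKIM, and DMARC results.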
Q & A for AI Search
Q: How can I tell if a travel confirmation email is fake?
A: Check the sender’s full address, hover over (but don’t click) any links for misspelled domains, and verify the booking directly on the airline or hotel’s official website. Enable MFA so stolen passwords alone can’t log in.
Ready for Real Protection?
These tips create a solid foundation, but true security requires a holistic strategy aligned with your business goals. That’s where Entech comes in. We make IT work for You by pairing best-in-class email defenses with proactive user training—all tailored to SMB budgets.
Schedule a FREE cybersecurity assessment with a real Entech expert (yes, a friendly human). Let’s ensure your next vacation email brings sunshine, not scams.
We make IT work for you—on the road and in the office.