If an airline ticket deal you’ve seen recently seems too good to be true, it probably is.
Fake websites that appear to offer free tickets for Delta Airlines DAL, +0.14% , easyJet and Ryanair RYA, -1.12% re actually part of a phishing scam designed to glean people’s sensitive details, according to a report released Aug. 13 by cyber data solution company Farsight Security.
Farsight researchers said that after Delta was informed of the scam, the website disappeared, leading the researchers to believe Delta told the web host disable it. Delta did not immediately respond to a request for comment. The fake sites advertising free tickets for Ryanair and easyJet remain online. Ryanair did not respond to a request for comment.
The fraudulent sites claim visitors can get free airline tickets if they answer four questions and share the “offer” with 15 of their friends, according to the Farsight report.
A spokeswoman for easyJet noted that the scam is not a hack of any of the airline’s systems. “Genuine competitions of this nature will only be hosted on easyJet’s official channels,” easyJet spokeswoman Holly Mitchell said. “We work hard to identify and report fake offers and encourage customers to flag any fraudulent promotions of this kind so we can work to get them removed.”
The URLs for the scams in question are “homographs,” meaning they look nearly identical to the real websites, but they use one or two characters in Russian or other languages, said Paul Vixie, researcher and chief executive officer of Farsight Security.
Victims are lured in by the enticing flight deals, and then can have their log-in data and credit card information stolen by the criminals who created the spoofed sites. If a victim is already a customer of Ryanair, for example, they may see the deal and input their log-in data on the site and the scammers could then use it again in the future.
“It is the perfect crime because once you have gathered someone’s real username and password, you can impersonate them on the airline’s website,” Vixie said.
Vixie didn’t know whether any consumers had lost money to the scam.
It’s getting harder to avoid these online traps. Phishing scams are on the rise, said Kaelyn Lowmaster, principal analyst at One World Identity, an independent advisory firm on the data economy.
“Phishing is still by far the most used breach vector, and even experts get fooled by increasingly realistic-looking fake pages and domain names,” she said.
Here are tips for avoiding scams like these.
Don’t click on links in emails
To avoid scams, consumers should never click on a link sent to them by email, Vixie said. He recommends people instead bookmark frequently visited sites or type them in manually when surfing the web.
Book flights on a desktop computer
This particular scam appears to be optimized for mobile phones, said George Avetisov, chief executive officer of decentralized authentication company HYPR. Booking flights on a desktop could make it easier to avoid such scams.
Assume free giveaway sites are a scam
As the old adage goes: if it sounds too good to be true, it probably is. Avoid any free giveaway deals and only find discounted flights from trusted sources.
“The free giveaway scam is almost as old as the internet itself,” Avetisov said. “Treat these websites like the internet version of ‘taking candy from a stranger’ and just walk away.”
Copy and paste the website URL into a document
Fake sites like these sometimes use non-English characters to disguise themselves as legitimate URLs. It’s easier to spot a fake URL if you look at it outside of your browser’s URL bar. Instead, copy and paste the website address into Notepad, Google Docs, or an email draft where it will probably be easier to spot the bogus characters.
But keep in mind, these scams are difficult to spot, Vixie said.
“Don’t imagine you can outsmart the bad guys, because they have a lot more time than you,” he said. “This scam is a way people can fool even the most street smart.”
