In This Issue

Title Story

The Vacation Trap: Don’t Let a Criminal Ruin Your Getaway

Vacation scams are booming—and not just the old-school kind. As travel surges back to pre-pandemic levels, cybercriminals are cashing in with fake rental listings, bogus booking sites, and “you’ve-won-a-cruise” scams that convince travelers to pay upfront fees for trips that don’t exist. These scams cost consumers hundreds of millions each year, and that’s just what gets reported.

The danger lies in how real it all looks. Criminals craft polished websites, spoof well-known brands, and send convincing emails with real-time confirmations. Even as platforms like Airbnb crack down, scammers still exploit lesser-known sites, social media listings, and classified ads to slip through the cracks.

And the threat doesn’t stop once you’re on the beach. Tourists are prime targets—distracted, unfamiliar with their surroundings, and glued to phones for directions, bookings, and payments. In many destinations, scammers are as common as sunburns. Modern travel traps range from phishing texts and sketchy QR codes to fake Wi-Fi networks and card skimmers. Today’s fraudster doesn’t need to grab your wallet—they just need you to click the wrong link.

Before the Vacation is Booked

Last summer, Jennifer thought she’d found the deal of a lifetime: a cliffside villa in Santorini, complete with a private pool, sweeping ocean views, and a price too good to ignore. She discovered it on a travel site she hadn’t used before but that looked legitimate enough. The listing had beautiful photos, glowing reviews, and promised availability during peak season. After a brief back-and-forth with the “owner,” who asked her to pay by wire transfer to lock in the reservation, Jennifer sent $3,200. A week later, she tried to confirm the details—only to find the listing had vanished. So had the owner. Calls went unanswered, emails bounced back, and her summer escape turned into a financial sinkhole. It was a reminder of how sophisticated and costly vacation scams have become.

Fraudsters know the thrill of landing the “perfect” travel deal is a powerful motivator. Whether it’s a once-in-a-lifetime resort or heavily discounted airfare, the scams often start where your excitement begins—online.

Some of the most costly vacation scams in recent years include:

• Fake rental listings. Scammers copy real Airbnb or VRBO listings and repost them on third-party sites or classifieds, then ask for payment via Zelle, wire transfer, or crypto. Victims often find out they’ve been duped when they arrive and someone else is already in the rental—or it doesn’t exist at all.

• Fraudulent booking sites. Criminals create fake travel agency websites or ads offering too-good-to-be-true flight and hotel bundles. After you pay, either the reservation is never made, or you get fake confirmations and a canceled trip.

• “Free” vacation prize scams. These often arrive via email, text, or robocall: you’ve “won” a luxury cruise or resort stay, but must pay “fees” or taxes upfront. The result? No trip—just a lighter bank account.

Think Like a Spy Hunter Before You Book a Vacation:

A little digital skepticism can go a long way. Here’s how to stay safe:

• Use a credit card for all bookings. Never pay for travel using Zelle, Venmo, wire transfers, or cryptocurrency. Credit cards offer critical fraud protection.

• Vet every site before booking. Search the name plus “scam” or “complaints.” Check domain age and look for red flags like missing contact info or poor grammar.

• Cross-check rental listings. Use reverse image search to confirm photos aren’t lifted from other sites. Avoid listings that urge you to “book direct” outside the platform.

• Avoid clicking travel deals in emails or ads. Go directly to trusted travel websites rather than following links, especially from unsolicited messages.

• Lock down your personal data. Enable two-factor authentication on travel and financial accounts, use strong passwords, and avoid storing sensitive data in unsecured apps or notes.

While on Vacation

When the Carrington family landed in Barcelona for their long-awaited European summer, the last thing on their minds was cybercrime. They were too busy soaking in the sunshine, posting selfies outside Gaudí cathedrals, and chasing gelato-fueled kids through cobblestone alleys. That changed quickly after Liam, the father, got a text from what appeared to be their bank. It flagged “suspicious activity” on his card and asked him to verify some recent transactions. He clicked the link and entered his login info. Within minutes, their vacation fund—nearly $7,000 in a travel-specific checking account—was drained. It wasn’t a text from the bank. It was a smishing scam, and the criminal who sent it knew exactly where they were and how to strike.

Scammers love travelers because they’re distracted, unfamiliar with local customs, and heavily dependent on their phones for navigation, payment, and communication. From digital cons to low-tech tricks, here’s what to watch out for once you’re on the ground:

• Skimmers and fake ATMs. Found in tourist-heavy areas, these can capture your card data the moment you swipe. Even worse are “helpers” who offer assistance at ATMs with an eye on your PIN.

• Phishing texts or emails. These mimic messages from airlines, hotels, or banks, often warning of account issues or itinerary changes. One click, and your credentials may become compromised.

Think Like a Spy Hunter to Stay Safe While On Vacation:

Scams don’t stop at the border, and neither should your defenses. Here’s how to protect yourself on the go:

• Avoid public Wi-Fi unless using a VPN. Confirm the exact network name with staff and never conduct sensitive transactions without encryption.

• Turn off auto-connect. Prevent your phone from automatically joining unfamiliar networks by disabling this setting in advance.

• Be cautious with QR codes. If the code looks like a sticker or seems out of place, don’t scan it. Navigate to websites manually.

• Use mobile wallet or contactless payments. Tap-to-pay systems are harder to skim than magnetic stripe or chip readers. Stick to official, indoor ATMs.

• Verify bank or airline messages independently. Never click on links in unsolicited texts or emails. Use official apps or websites to check account activity or flight changes.

Stay safe out there and here’s hoping you have an amazing vacation lined up this summer! 

Cybersecurity Breach of the Week

The Marco Rubio Deepfake

Last week, someone pretending to be U.S. Secretary of State Marco Rubio contacted foreign officials with a bold request.

Except it wasn’t someone. It was no one—just a synthetic voice, a string of AI-generated messages, and a convincing deepfake campaign orchestrated by an unknown (but likely nation-state) cyber actor.

They didn’t stop at emails. The impersonator used AI to craft Rubio’s voice, mannerisms, and writing style with frightening accuracy. They sent voice messages and Signal invites to foreign ministers, a sitting U.S. governor, and a member of Congress. Several replied, engaging directly—under the assumption they were speaking with the real Secretary of State.

This intelligence-grade deception campaign was designed to extract access and sensitive information from government leaders. It’s espionage, 2025-style.

I’ve warned that trust would become the most endangered resource in cybersecurity. This is that moment. We’ve officially crossed into the era of AI deception—where a convincing fake human can now be spun up from training data and a few clicks.

Act Like a Spy Hunter

Here’s how to avoid becoming the next victim:

• Confirm identities using multiple channels—especially for requests that seem urgent or unusual.

• Never rely on voice alone. Voice cloning is easy and disturbingly effective.

• Be wary of inbound contact from high-profile figures. If someone in authority suddenly texts you on Signal, pause before responding.

• When in doubt, call a known number—not the one that contacted you.

Every message, call, or video you receive could be real—or an illusion. In this new age of synthetic influence, your default setting should be skepticism.

Tech of the Week

Hidden Camera Detectors

You finally settle into your vacation rental, unpack your bags, maybe even crack open a welcome bottle of wine. But before you get too comfortable, here’s a question worth asking: Is anyone watching?

According to a Fidelity National Financial survey, nearly 6 in 10 Airbnb guests are worried about hidden cameras in their rental. With good reason! There’s a steady stream of headlines featuring vacationers discovering concealed cameras tucked into alarm clocks, vents, smoke detectors, and electrical outlets. These aren’t rare incidents. They’re just the ones people catch.

I personally use the Scout—a hidden camera detector developed by SpyGuy—when staying in vacation rentals. Unlike traditional “bug detectors” that scan for wireless signals, the Scout is designed to detect all types of cameras—wired, wireless, even the sneaky battery-powered kind that record locally onto SD cards and transmit nothing. It works by emitting a powerful red light and scanning for the reflective glow that camera lenses give off—like catching the glint of a predator’s eye in the dark.

That said, I’m not endorsing one product over another—there are plenty of detectors on the market. In fact, the best low-tech version is a dark room and a flashlight (or your phone’s light). Slowly scan the room, watching for any sparkle of glass where it shouldn’t be. Cameras can’t help but reflect.

Appearance of the Week

60 Years Later—The Brush Pass Still Delivers

Last Saturday, The International Spy Museum and I orchestrated a gathering at The Mayflower Hotel—where the iconic Brush Pass was first approved—to commemorate 60 years of one of espionage’s most subtle and elegant techniques: a nearly undetectable handoff of intelligence between operatives.

It was a packed house of curious minds, espionage buffs, and history lovers who joined us for a covert-worthy brunch, complete with re-enacted spy scenes, code-cracking puzzles, secret messages tucked into napkins, and—yes—a custom “mole-mosa” cocktail that would make even the most seasoned double agent crack a smile.

I was honored to serve as the featured speaker, sharing real tales from my days in the FBI’s counterintelligence unit. But what truly made the event memorable was our guests and covert operatives—who brought energy, insight, sharp questions, and a palpable curiosity about the world of spies, lies, and tradecraft.

Here are some of the great photos from the event. As a subscriber to Spies, Lies & Cybercrime, you will be the first to know about exclusive events like this in the future!

Preorder Spies, Lies, and Cybercrime

My new book releases on October 7, but you don’t have to wait to make sure you are one of the first to get it delivered into your hands! Preorder now with this link.

Spies, Lies and Cybercrime will appeal to every person curious or frightened by the prospect of a cyberattack, from students and retirees to the C-Suite and boardroom. 

Join me and take up arms in the current cyber war instead of fleeing while the village burns. Only then can we begin to move the needle toward a world safe from cyber-attacks.  

Like What You're Reading?

Don’t miss a newsletter! Subscribe to Spies, Lies & Cybercrime for our top espionage, cybercrime and security stories delivered right to your inbox. Always weekly, never intrusive, totally secure.

Are you protected?

Recently nearly 3 billion records containing all our sensitive data was exposed on the dark web for criminals, fraudsters and scammers to data mine for identity fraud. Was your social security number and birthdate exposed? Identity threat monitoring is now a must to protect yourself? Use this affiliate link to get up to 60% off of Aura’s Cybersecurity, Identity monitoring and threat detecting software!

Want to start a newsletter?

Use this Link to get a 30 days trial + 2-% Beehiiv!

Ready for Next Week?

What do YOU want to learn about in my next newsletter? Reply to this email or comment on the web version, and I’ll include your question in next month’s issue!

Thank you for subscribing to Spies, Lies and Cybercrime. Please comment and share the newsletter. I look forward to helping you stay safe in the digital world.

Best,
Eric

Let's make sure my emails land straight in your inbox.

Gmail users: Move this email to your primary inbox

On your phone? Hit the 3 dots at top right corner, click "Move to" then "Primary."

On desktop? Close this email then drag and drop this email into the "Primary" tab near the top left of your screen

Apple mail users: Tap on our email address at the top of this email (next to "From:" on mobile) and click “Add to VIPs”

For everyone else: follow these instructions

Partner Disclosure: Please note that some of the links in this post are affiliate links, which means if you click on them and make a purchase, I may receive a small commission at no extra cost to you. This helps support my work and allows me to continue to provide valuable content. I only recommend products that I use and love. Thank you for your support!