By Christopher Elliott
Special to The Washington Post
Sunday, June 13, 2010; F02
A stolen bag. Lost cash. A missing passport.
It had all the hallmarks of a trip from hell. And the e-mail, which ostensibly came from a reader I had corresponded with back in 2008, seemed equally genuine. "I really don't mean to inconvenience you right now," he wrote. But he was stuck in London. Would I be willing to wire him $940 so he could get home?
Only it wasn't real.
As it turns out, the "Lost Luggage in London" scam is a derivative of a so-called "phishing" fraud first identified on the social networking site Facebook last year. Phishing is the act of sending a message that claims to be from a friend in an effort to obtain personal data or money.
"When it comes to travelers, cybercrime and scamming opportunities abound," said E.J. Hilbert, a former FBI special agent who is now the president of Online Intelligence, a New York-based company that specializes in stopping Internet fraud. "One scam will easily lead to several others, simply because the traveler is traveling, thus giving the fraudster time to work, knowing that many travelers will not notice the cybercrime has taken place until they get back from their trip."
You don't even have to travel to get taken. The "lost luggage" con, for example, preys on people who know others who travel often. I was in my office when I received the fraudulent appeal.
Online crimes are a growing problem. Americans lost more than half a billion dollars from fraud perpetrated through the Internet last year, up from $264 million in 2008, according to the FBI's Internet Crime Complaint Center (ICCC). Travelers were hit particularly hard, according to Don Gray, the chief security strategist for the Omaha-based information security company Solutionary. "In many ways," he said, "we're at a bigger risk when traveling."
Apparently, so are the people we know. Michael Sands, a media consultant in Los Angeles, received an urgent e-mail from an acquaintance's address, claiming that she needed $2,500 after leaving her wallet in a London taxi. (Sound familiar?) "I knew the e-mail was fake because the person who [allegedly] sent it to me would never ask me for $2,500 in an e-mail," he said.
Sands forwarded the message to the ICCC Web site (http://www.ic3.gov/default.aspx), which records scams and warns others about them. "I feel one good deed deserves another," he said.
Security experts refer to the kind of e-mail Sands received as "spear phishing," because it's customized to a group of users or a single user, and it's that precision that renders it so dangerous. For a moment, at least, he believed that his friend was in trouble, just as I thought that one of my readers had lost his luggage and needed a hand.
Phishing scams are not the only traps that await travelers. They're also vulnerable to losing their passwords to keystroke-logging software, which records each character typed on a computer in a public place, such as a hotel business center or an Internet cafe, and transmits it to a cybercriminal.
Travelers don't even have to use an infected computer to lose their personal information. An unsecured wireless network at an airport or resort can allow hackers not only to sit back and collect personal data, passwords and e-mails, but also to implant malicious software on your computer, where it can cause trouble long after your trip is over, according to experts.
How do you keep your data safe on the road? "View with suspicion any e-mail or other electronic message with requests for personal identification, financial information, user names or passwords," said Keith Crosley, the director of market development for Proofpoint, a Sunnyvale, Calif., e-mail security firm. If you must provide that information, go to your bank or credit card company's site directly -- never follow a link embedded in an e-mail.
Also, stay away from unsecured computers in public areas, and if you log on to a public wireless network, don't conduct any secure transactions, such as checking your credit card or bank account balance, said Michael Haaren, an Internet fraud and safety expert with Staffcentrix.com in Annandale. "And be sure to log off the network when you're done," he added.
You can take all these precautions but still be in danger, cautions Jeremy Miller, director of operations for Kroll Fraud Solutions in Nashville. "Watch for shoulder surfers who may be looking to collect sensitive data," he said.
And what about the spear phishers? Since many of these crimes are committed by people who don't speak English as a first language, bad grammar is the biggest clue. If you notice any awkward language or phrasing, it should set off alarms. Simply verifying that the person it appears you have received the message from is out of the country -- by phoning or e-mailing him or her at a secondary address or through a social networking site -- is enough to get to the bottom of the scam.
I concluded that I was being targeted after running an Internet search for the first sentence of the e-mail, which showed that the same message had been sent to dozens, perhaps hundreds, of others. After that, the next step was easy.
I hit "delete."
Elliott is National Geographic Traveler magazine's reader advocate. E-mail him at firstname.lastname@example.org.