Is This Email a Scam? A Traveler's Phishing Checklist
To tell if an email is a scam, run two checks before anything else: look at the sender's full address (not the display name), and hover over every link to see where it actually goes. Genuine messages use the company's exact domain — booking.com, not booking-secure-confirm.com. Then weigh the classic red flags: false urgency, a request for payment or login details, a mismatched link, a generic greeting, and threats of losing a booking, visa, or account. A real email rarely trips more than one of these; a scam usually trips several. When in doubt, never click the link — open the company's site by typing the address yourself. If you've already clicked or entered details, treat it as a breach and get the device and accounts checked remotely straight away.
What this guide covers
Why travelers and expats are prime phishing targets
Phishing works by impersonating something you're expecting. That's the whole trick. And travelers are expecting a lot: booking confirmations, payment receipts, visa updates, bank alerts about foreign transactions, SIM and eSIM activations, courier notices for a package they're tracking across borders. Every one of those is a genuine email you might legitimately receive this week — which is exactly why a fake one slides in unnoticed.
Layer on the travel context and the odds tilt further toward the scammer. You're often distracted, jet-lagged, and operating in unfamiliar banking systems and currencies. You're on weak or public WiFi. You may be using a new local SIM, so a "verify your number" text feels plausible. You're conditioned to a flurry of admin messages around any trip. A scammer doesn't need a clever email — they just need a believable one, sent at a moment you're primed to act fast and think later.
The good news: phishing is highly pattern-based. Once you know the handful of tells, you can sort almost any message in under thirty seconds. The checklist below is the exact one we walk clients through, ordered from the most reliable signal to the supporting ones.
The 9-point red-flag checklist
You don't need all nine to call something a scam. Two or three together is plenty. Start at the top — the first two catch the vast majority on their own.
- The sender's real address doesn't match the brand. Tap the sender name to expand the full address. noreply@booking.com is plausible; booking@secure-mail-447.net is not. Display names are free to fake; the domain after the @ is much harder to.
- The link goes somewhere else than it claims. Hover (desktop) or long-press (phone) on every link and read the real destination. If the text says "booking.com" but the link points to a string of random characters or a lookalike domain, stop.
- Manufactured urgency. "Your reservation will be cancelled in 2 hours." "Verify within 24 hours or lose access." Real companies rarely impose panic countdowns; scammers always do, because urgency short-circuits judgment.
- It asks for payment, card details, or a password by email. Legitimate services do not ask you to confirm a password or full card number through an email link. This request alone is close to a guarantee of a scam.
- Generic or wrong greeting. "Dear Customer" or "Dear user" from a company that knows your name is a tell. So is your name spelled wrong, or details that don't match your actual booking.
- The story doesn't match reality. A "failed payment" for a hotel you already paid, or a visa fee for a country you're not applying to. If you have to squint to make it fit your situation, it doesn't.
- Off-brand language and formatting. Odd grammar, inconsistent fonts, a logo that's slightly the wrong shade, or a translation that reads machine-made.
- An unexpected attachment. Invoices, "itineraries," or "receipts" as attachments — especially .zip, .html, or files asking you to "enable content" — are a common malware vector. Real receipts are usually in the email body or your account.
- A reply-to or contact that routes off-platform. "Continue this conversation on WhatsApp," or a payment by gift card, crypto, or bank transfer to an individual. Legitimate refunds and bookings stay on the platform.
If a message survives all nine, it's probably genuine — but still open the company's site yourself rather than through the email if money or login is involved. Locking down the channels these scams ride in — your mailbox, your logins — is core cybersecurity work, and for a business mailbox our Microsoft 365 and email hardening adds spoofing and impersonation filters that catch many of these before you ever see them.
Red-flag reference table
Keep this handy. The left column is what the scam does; the right is what a genuine message does instead.
| Red flag in the email | What a legitimate email does |
|---|---|
| Sender domain is a lookalike (booking-confirm.com) | Uses the brand's exact domain (booking.com) |
| Link text and real link don't match | Link points to the brand's own domain |
| "Act in 2 hours or lose your booking" | Gives reasonable time, no panic countdown |
| Asks for password or full card by email | Sends you to log in on the official site yourself |
| "Dear Customer" / name misspelled | Uses your real name and correct booking details |
| Payment via gift card, crypto, or wire to a person | Charges your saved method on-platform |
| Unexpected .zip / .html attachment | Receipt in the body or in your account |
| "Move to WhatsApp/Telegram to continue" | Keeps everything within the official channel |
Don't gamble on a guess. We can review the message with you, trace where its links really go, check your device for anything that slipped through, and lock down your mailbox and accounts so a scam can't escalate. Flat $149.99 USD, anywhere in the world, any time zone — and if we can't help you pay nothing under No Fix, No Fee.
Have us check it — $149.99The 4 scams built specifically for people abroad
These are the travel-targeted variants we see most. Knowing the script makes them obvious.
1. The booking / accommodation scam
An email or in-platform message claiming your hotel, hostel, or short-stay booking needs "re-confirmation of payment" or your card will be charged again. The link leads to a perfect-looking copy of the booking site. Real platforms charge the card already on file — they don't email you to re-enter it. If you're an Airbnb host, the mirror-image scam targets you: a fake "guest" who needs you to click a link to "release your payout."
2. The visa / immigration scam
"Your visa application requires an additional fee," or "complete your eTA / arrival form now." These spike around borders and are timed to genuine anxiety about entry requirements. Official immigration sites are reached by typing the government domain yourself — never through an emailed or ad link.
3. The bank "foreign transaction" scam
A fake fraud alert: "We blocked a suspicious transaction in [your current country] — verify it was you." It exploits the fact that you really did just use your card abroad. The link harvests your banking login. Your bank's genuine fraud line is on the back of your card; call that, never the number in the email.
4. The SIM / delivery / parcel scam
"Your eSIM needs reactivation," or "customs is holding your parcel, pay the fee." Plausible when you're juggling local SIMs and cross-border shipping. The fee is small enough not to question and the page steals your card.
All four share one DNA: a real-feeling pretext plus a link to a lookalike page. The defence is identical every time — verify the sender, don't click through to enter anything, and confirm through a channel you found yourself. Living abroad long-term multiplies your exposure to all of these; see how we support expats and digital nomads who deal with this constantly. And if a message did carry a malicious payload, our virus and malware removal handles whatever it dropped.
What to do if you already clicked
Don't panic — but do move fast, because the first few minutes decide how far it spreads.
- If you only clicked and entered nothing, close the page and run a malware check on the device. Some phishing pages try a drive-by download. Watch for the real signs of infection.
- If you entered a password, change it immediately — and on any other account that used the same one — then sign out of all sessions and turn on two-factor authentication.
- If you entered card or banking details, call your bank's fraud line (number on the back of the card), and watch for charges.
- If it was a work account, tell your IT or security contact — a compromised credential can expose far more than your own data.
- Save the email; don't delete it until any fraud is sorted, in case you need to report it.
If you've handed over a login and fear an account is already taken over, our companion guide on the first 10 minutes after being hacked gives you the exact ordered playbook. Remote workers handling client information should treat any of this as a potential incident — our remote-worker support is built for exactly that.
Wherever you're reading this from, we can take a look the same day:
Frequently asked questions
How can I tell if an email is a scam?
Check the sender's full email address, not just the display name, and hover over every link to see where it really goes before clicking. Genuine messages from a company use that company's exact domain; scams use lookalikes such as booking-confirm.com instead of booking.com. Add the other classic red flags — urgency, a request for payment or login details, and generic greetings — and a real message rarely trips more than one, while a scam usually trips several.
Why do scammers target travelers and expats?
Travelers are an ideal target because they genuinely have bookings, visas, and bank alerts in play, so a fake one blends in. They are also distracted, in unfamiliar systems, often on weak WiFi, and may bank in a currency or country they are still learning. A scam email about a "cancelled reservation" or a "visa problem" lands far harder on someone who actually has a trip booked than on someone sitting at home.
Is it safe to open a scam email?
Opening the email to read it is almost always safe on a modern mail app. The danger is in acting on it: clicking a link, downloading an attachment, or replying with information. Treat the body as untrusted, never enter credentials on a page you reached through an emailed link, and if you are unsure, go to the company's website directly by typing the address yourself rather than following the email.
What should I do if I already clicked a phishing link?
If you only clicked but entered nothing, close the page and run a malware check on the device. If you typed a password or card number, act immediately: change that password and any account sharing it, sign out of all sessions, enable two-factor authentication, and tell your bank if card details were entered. Speed matters, because the first few minutes decide whether the damage stays contained.
Are scam texts and WhatsApp messages different from email phishing?
The channel differs but the playbook is identical: a fake sender, an urgent story, and a link to a lookalike site. Travelers see a lot of SMS and WhatsApp phishing because they use local SIMs and messaging apps heavily. The same checklist applies — verify the sender, never click through to enter details, and confirm anything important by contacting the company through a channel you found yourself.