Cyber crime is on the rise

Travel remains an easy target for hackers and cyber crime. Hotels, airlines and even car rental companies require personally identifiable information in order to reserve a room, book a ticket or hire a vehicle. They hang onto client information, as well, which makes them prime pickings for bad actors, and they share data with third-party vendors to help deliver the right travel experiences for their customers. 

In the past six months travel suppliers and airports have experienced numerous high-profile breaches. Just this week, Tulsa International Airport was hacked by Russian cybercriminal syndicate, Qilin, a prolific ransomware operator that hacked more than 1,000 victims in 2025. Japan Airlines’ baggage delivery reservation system also got hit this month, impacting up to 28,000 customers. In November, a third-party vendor for Spain-based Iberia Airlines exposed customer data. In August, a third-party breach exposed Air France-KLM customer names, phone numbers and email addresses. This followed a June breach at Qantas that compromised approximately 6 million records, including contact details and frequent flyer numbers.

Hackers know no geographical boundaries and they aren’t just targeting big travel suppliers. They are also targeting individual travellers, including business travellers, who are highly connected to their company systems via their mobile devices and subject to sudden changes due to flight delays and cancellations and, more recently, to increased entry and exit volatility, thanks to changing requirements and regulations in the US, UK and across Europe. 

It’s a situation that security experts predict will be ripe for exploitation by bad actors in 2026 and beyond – both government sponsored and independent cyber crooks – who feed on uncertainty and chaos to find easy entry points for larger digital theft schemes. 

For travellers, though, a broader category of digital risk goes beyond cyber crime. There are a number of countries – and more are joining the list as global borders tighten – where reviews of an individual traveller’s online activity, social media and search and seizure of laptops and mobile devices during the immigration process can lead to situations like detention that every business and business traveller wants to avoid. 

The following are critical strategies for mitigating digital risks for business travellers as part of an overall duty-of-care commitment to employees. 

High-risk international markets

Understand the inherent risks of carrying laptops and mobile devices into a foreign country. Depending on where business travel takes place – Russia, China, Myanmar are some clear examples but not at all exhaustive – a company’s security team and traveller must decide whether it makes sense to take any devices into the market. If it is a high risk for digital intrusion, “think about whether it’s possible not to bring that laptop,” said International SOS senior security advisor Stevan Bernard, who co-authored an ISOS report late last year on rising cyber risks for business travellers. “I know it’s hard, but you can give up email for a few days. Or, if it’s really necessary get your IT department to issue a clean laptop for the trip so you don’t have 10 years of emails and business files available.” Bernard also suggested using a “burner phone” similarly wiped of personal and business details that could just be used for SMS messaging in emergencies.”

Any international market

Ensure your devices have the latest updates and security patches prior to travel. “This is basic digital hygiene,” said Bernard. “Purge things that aren’t relevant or file that material in a different way.” Once you are in a foreign country, it is too late to perform updates, he said. “Do not update any devices; no patching, do not change passwords either. And don’t do any banking; that’s a big mistake in my view. If you must access your account, let your bank know where you will be during that time period.”

Domestic & international markets

No matter where employees travel on business, they should be educated about vectors of digital exposure. 

Much has been made recently about “juice jacking,” a tampering technique bad actors use to turn airport or hotel charging stations into mini-spying stations. When travelers plug their cables into the USB port, it still charges their device but also collects personal information, passwords and other business credentials as they continue to use the device. 

Other basics include discouraging travellers from using public wifi in airports, hotel lobbies or cafes, where bad actors can “spoof” the wifi connection, set up “evil twin” login sites and ask for room numbers or loyalty programme numbers or even credit card information. Such connections often appear stronger in the “available wifi” list in order to attract users. Utilising a personal mobile hotspot or at least using VPN can help protect travellers from these fakery tactics. 

A safety check – and possible technique for clearing a compromised device – is simply rebooting. Bernard said he restarts his devices at the end of every day of business travel, just as a precaution. “People think, ‘oh, that’s inconvenient.’ But it really isn’t.”

Travelling or not

Every single day, whether travelling or not, employees should pause before clicking on messages coming in from unknown senders to their mobile devices. 

“Everything is mobile now and there’s just so much of it,” said Bernard. “The bad guys are getting really good at phishing scams – it’s probably 80 per cent of the way that vulnerabilities are found and breaches occur.” Phishing is when scammers go online and find out all about their target: what they are interested in, jobs they’ve had, social media, etc. and then they target you with relevant messages. “As soon as you click on those, they’re in and you don’t even know it,” said Bernard. 

Phishing techniques bring us back to specific travel risks – especially as entry and exit regulations change quickly and somewhat chaotically. One travel buyer, speaking in a private group, voiced her concerns about the vulnerability of business travellers to phishing attacks that may start to resemble warnings or requests about entry and exit documentation – especially now that many of the new US, UK, and EU systems are to be executed almost entirely online via mobile devices. 

Asked about that specific concern, Bernard emphasised it was just the kind of confusion that opportunistic bad actors were likely to exploit for their scams. “And,” he added, “these adversaries are getting smarter all the time. Add artificial intelligence into the picture and deep fakes, and you really have scenarios that are difficult for people to decipher – someone who’s not educated about these issues beforehand.”

Education is the key to protecting both individual travellers and their companies from falling victim to cyber scams and ensuring anyone traveling for the organisation knows they have official communication channels through which their company will contact them. 

“The company needs to have protocols,” said Bernard, “but it’s also up to the employee to act responsibly and if something seems ‘off,’ they need to verify before taking any action. They have a responsibility as well.”