
Memorial Day Travel Phishing: The Booking.com Pattern and 3 Other Scams to Expect This Week

By SO Email Security | 5 min read

Microsoft Threat Intelligence documented an active Booking.com impersonation campaign hitting inboxes this Memorial Day weekend. Here are the four phishing patterns targeting travellers right now and what to do about each one.

Tags: travel phishing, Booking.com scam, Memorial Day scams, email security, phishing awareness, holiday fraud, BEC, cybersecurity

Introduction: The Most Predictable Phishing Window of the Year

Memorial Day weekend is not when attackers get more creative. It is when their targets get less careful.

You are packing. You are checking flight times. You are waiting for a hotel confirmation to land. Your phone is buzzing with reservation updates, price alerts, last-minute change notifications, and loyalty programme emails. The volume is high, the pressure is real, and your threshold for scrutinising each sender drops accordingly.

That is the whole strategy.

Here are the four patterns hitting inboxes this weekend, what they look like, and how each one is designed to get past the version of you that is already mentally on holiday.


1. The Booking.com Impersonation

This one has a documented history and an active threat actor behind it.

Starting in December 2024, Microsoft Threat Intelligence tracked a campaign targeting hospitality businesses and travellers by impersonating Booking.com. The group behind it, tracked as Storm-1865, has been running variations of this attack since 2023. The campaign was described as rapidly evolving and was still active as of early 2025. A separate investigation by BlueVoyant found more than 1,500 lookalike domains created to support the campaign, with names following predictable patterns: verifycard-booking.com, confirmation-id-booking.com, guestverify-booking.com. Industrial scale.

The attack uses a technique called ClickFix. You receive an email that appears to be from Booking.com, raising an issue with your reservation, a guest review requiring action, or an account verification. The email looks real. The branding is accurate. The urgency is calibrated to how you feel when something is wrong with a booking you have already paid for.

If you click through, you land on a fake page with a CAPTCHA puzzle. Solving it triggers an error message with instructions to fix the issue by running a command on your device. That command downloads malware: credential stealers, remote access trojans, infostealers that pull saved passwords and payment data from your browser.

The reason this works on Memorial Day specifically is that people are actively expecting Booking.com emails. You are not suspicious of a reservation-related notification when you have three reservations in flight. You click before your brain has time to slow down.

The tell, as always, is underneath the display name. The sending address does not match booking.com. The link routes through a domain registered recently and named to sound legitimate. Ṣọ flags both before anyone clicks.
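The two tells described above (a sender address that does not match the brand, and a link to a brand-themed lookalike domain) can be checked mechanically. The sketch below is an added example, not Ṣọ's code or anything from the original article; the trusted-domain list, the sample message and the `.example` hostnames are assumptions constructed for illustration, and domain age is not checked because that needs a live registration lookup.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "booking"          # token attackers embed in lookalike names
TRUSTED = {"booking.com"}  # assumption: extend with the brand's other real domains

def is_trusted(host):
    """True only for a trusted domain itself or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def check_host(host):
    """Return a reason string if host imitates the brand, else None."""
    host = host.lower().rstrip(".")
    if is_trusted(host):
        return None
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode label (possible homoglyph)"
    if BRAND in host:
        return "brand name in untrusted domain"
    return None

def analyse(from_header, body):
    """Collect findings for one message: sender mismatch plus lookalike links."""
    findings = []
    display, addr = parseaddr(from_header)
    sender_host = addr.rpartition("@")[2]
    if BRAND in display.lower() and not is_trusted(sender_host):
        findings.append(("sender", sender_host, "display name claims brand, address does not match"))
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        reason = check_host(urlsplit(url).hostname or "")
        if reason:
            findings.append(("link", urlsplit(url).hostname, reason))
    return findings

# Constructed sample message; verifycard-booking.com is a name quoted in the article.
SAMPLE_FROM = '"Booking.com Reservations" <noreply@guest-notices.example>'
SAMPLE_BODY = """Action needed on your reservation:
https://verifycard-booking.com/confirm?id=123
https://booking.com.account-check.example/login
Manage your trip at https://secure.booking.com/mytrips
"""

if __name__ == "__main__":
    for kind, host, reason in analyse(SAMPLE_FROM, SAMPLE_BODY):
        print(f"{kind:6} {host:36} {reason}")
```

The substring match is deliberately broad, so a legitimate third-party domain that happens to contain "booking" would also be flagged and needs an allow-list entry.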


2. The Fake Booking Confirmation

McAfee's 2026 travel scam report found that fake booking confirmations are among the travel emails Americans are most likely to fall for. The mechanics are straightforward. You booked a flight three weeks ago. An email arrives today confirming the booking, but something is slightly different: there is a payment outstanding, a seat selection required, or a check-in step you need to complete urgently.

According to McAfee research, 41 percent of travellers trust messages that appear to come from airlines or hotels without double-checking them first. The email matches the airline's real design closely enough that verification does not feel necessary. You click the link and enter payment or login details on a page that looks exactly like the airline's real site.

The pattern to recognise: a legitimate booking confirmation you already received does not need you to do anything else unless you initiated the change. Any email requiring an action on a booking you have not touched is a signal to verify directly through the airline or hotel app, not through the email link.


3. The Unpaid Toll Follow-Up

Road-trippers this weekend are a specific target. The unpaid toll variant follows a now well-documented pattern. You drive somewhere new over the weekend. A day or two later, a text or email arrives claiming you have an outstanding toll from a specific state highway. Because you actually did drive that route, the claim feels plausible. The FTC has documented this as one of the most effective post-travel scams precisely because the timing creates false confirmation.

Scammers also place fake QR codes over legitimate ones on gas station pumps, parking kiosks, and public signs. When you scan, you are redirected to a convincing-looking payment or login page that captures your financial information. According to AARP, more than half of adults have received a scam text about an unpaid toll in the last year.

The fix is the same as every other variant: do not click the link in the message. Go directly to the state toll authority's official site and look up any outstanding balance there.


4. The Fake Charity Email

The Better Business Bureau is warning veterans and military personnel that they may be the target of scammers around Memorial Day. Veterans reported more than $419 million in fraud losses in 2024, the Federal Trade Commission confirmed, a sharp rise from $350 million the year before.

Fraudulent charity emails surge around Memorial Day because the emotional context is real and the generosity instinct is high. The emails impersonate legitimate veterans organisations with near-identical branding, urgent donation requests, and links to payment pages that do not route to the real charity.

The check before donating: go directly to the charity's website via a search, not a link. Verify on Charity Navigator or GuideStar before entering payment details. A legitimate charity does not need you to act within the next hour.


What Connects All Four

Every one of these attacks runs the same play. They arrive during a window when you are expecting emails that look exactly like them. They create enough urgency to compress your decision time. They route you to a page or action that looks legitimate but is not.

The human check fails not because people are careless but because the attack is timed and designed to arrive when your attention is divided. You are not reading your inbox this weekend. You are scanning it.

Ṣọ analyses the sending address, the link destination, and the content pattern of every email before it reaches you. The Booking.com lookalike domain gets flagged. The redirect to a credential harvester gets blocked. The impersonation pattern in the fake confirmation gets caught. Not because you slowed down. Because the system was already looking.


FAQ

What is the Booking.com phishing campaign?

Microsoft Threat Intelligence documented an active campaign starting December 2024, attributed to a group called Storm-1865, that impersonates Booking.com to deliver credential-stealing malware. The technique used is called ClickFix, which tricks users into running a malicious command on their device. Over 1,500 lookalike domains were registered to support the campaign.

How do I spot a fake travel confirmation email?

Check the actual sending address, not the display name. A legitimate airline or hotel will send from a domain that exactly matches their official website. Any email requiring urgent action on a booking you have already completed should be verified by opening the airline or hotel app directly, not through the email link.

What is the unpaid toll scam?

A phishing pattern where victims receive a text or email claiming they have an outstanding toll charge from a road they recently travelled. The timing makes it feel legitimate. The link in the message leads to a fake payment page. Always verify toll charges directly through your state's official toll authority website.

How does Ṣọ protect against travel phishing?

Ṣọ analyses every incoming email for sending address mismatches, lookalike domains, and malicious link destinations before the email reaches your inbox. The Booking.com pattern is detectable at the infrastructure level regardless of how convincing the email content appears. Email content is processed and immediately discarded. Zero retention.


Encrypted processing. Zero retention. Ṣọ never retains your email content.

Free to start at soemailsecurity.com