Case study interview: The Insta-scams conning people out of money

We all know how social media is a powerful tool that businesses can tap into and connect with customers both near and far. Put a little bit of spend behind a post and the audience reach can potentially open doors that might have previously been closed. It’s a cost-effective and highly engaging way to grow your business.


It’s also a playground for cyber scammers, as data is the commodity they’re after and with so much of it publicly available on business social media channels and open personal profiles, they can feed their criminal activity indefinitely.


Social engineering, or phishing, is big business for digital intruders and you can read more about that here. However, the likes of Instagram, Facebook and Twitter are often used in many different ways to con people and an attempt doesn’t necessarily need to happen through an account you own.


We spoke with ECRC member Bridget Keevil, owner and managing director of Travel Stop, a holiday company based in Suffolk. She narrowly avoided being hit by a £11,000 scam. Here’s the account of what happened.



Bridget Keevil of Travel Stop


The incident


In July/August last year, we were thrilled to be back open following the easing of lockdown restrictions and business was going well. On one particular day, we noticed four bookings had been made – three at each of our shops across Suffolk and one in Hertfordshire. Great news, we thought in the first instance. On the other hand, my colleague had a hunch that something out of the ordinary was going on as they were all made in a very short space of time.


After some due diligence, it became apparent that all the billing addresses for the cards provided by the caller were within a mile of the shop the holiday had been booked at. Again, this seemed a little unusual so for peace of mind, one of the team went to investigate further and stopped by one of the addresses. It wasn’t long before they realised that we were in the midst of a full-blown scam. The kind owner of the property confirmed they had no connection to the booking or credit card and there were no persons of the name supplied that had ever lived there.


Actions taken


On receipt of the information, another team member back in the office then very quickly began cancelling the four transactions. The resorts where the holidays had been booked were contacted and working together, we were able to refund the money back to the credit cards. One of the victims was already half-way through their holiday in Dubai and had to pay again when checking out. Had the concerns not been acted on, or missed through no fault of our own, we would have lost £11,000 in just a few minutes.


Discovering a host of scams on social media


The head of security at our partner tour operator just happened to phone shortly afterwards and drew my attention to Instagram scams. Type ‘half-price holidays’ into the platform and you’ll see there are many accounts, with little way of determining which are the legitimate ones.


The four victims had quite possibly seen a fake account purporting to be a travel agency with 50% off deals. What we believed happened was these innocent people made the bogus bookings directly with the criminal who took their card details. To make it look genuine, the criminal then called each of our stores and made the same booking using a mix of fraudulent and stolen credit cards.


Had we not intervened when we did, this would have been a very different story. I cannot thank my colleague enough for her sound judgement of the situation and quick thinking, which helped Travel Stop dodge irreparable damage.


Here are some ECRC suggestions on red flags to look out for with holiday scams and fraudulent bookings:


  • If it looks too good to be true, it probably is. If the price for your flight or holiday is considerably cheaper than the average cost elsewhere, you should be suspicious. Flight prices are largely set by airlines – with travel agents having some leeway – so, charging significantly less is often a sign that there may be a scammer behind the offer.


  • Conflicting customer information. One of the first things to look at is the customer details provided. Do they tally up, or are there conflicts? For starters, check the email address. Does it match or resemble the name of the purchaser? This isn’t a fool-proof way to spot a fraudulent charge, but it at least gives you something to work with. In most valid transactions, the email will bear some resemblance to the purchaser’s name.


  • Lock up your social channels. Make sure your own social media accounts are secured with strong, unique passwords and that 2-factor authentication has been enabled.

Bridget from Travel Stop is now a member of the ECRC and continues to better her company’s cyber awareness. To learn how you can do the same, sign up for FREE core membership to receive a toolkit and practical guidance, alongside regular cyber news and updates. If you require more in-depth analysis about potential vulnerabilities with your business, we offer a variety of affordable services tailored to your needs.
