Summer Phishing Surge: Why Scammers Love Holidays


Here we look at how phishing scams spike in summer, including fake travel bookings, delivery text traps and urgent invoice fraud, and why UK businesses and individuals are especially vulnerable during the summer holiday season.

Phishing Peaks in Summer as Risk Awareness Drops

The summer season is increasingly being exploited by cyber criminals as a prime window to launch targeted phishing campaigns. For example, according to Action Fraud, UK consumers lost over £11.6 million to holiday-related scams in 2024 alone, with July and August seeing the highest volume of reports.

Why?

Experts point to a combination of seasonal distractions and increased online transactions, particularly for travel and leisure, as key drivers. With staff taking annual leave and workflows stretched thin, businesses are also becoming easier prey for invoice fraud and impersonation attempts.

Proofpoint, a global cyber security firm, recently warned that over one third of major UK travel booking platforms are failing to implement basic email authentication protections, such as full DMARC rejection policies, leaving customers vulnerable to spoofed messages. “Criminals know people are more likely to be booking trips or awaiting parcels,” said Adenike Cosgrove, cybersecurity strategist at Proofpoint. “That makes them more likely to click without thinking.”

Fake Travel Sites and Booking Confirmations Are Widespread

A common scam involves fake travel booking websites or emails posing as legitimate platforms such as Booking.com, Airbnb or Jet2. In many cases, victims are lured through paid adverts on social media or search engines, where fraudulent domains are made to closely resemble real travel brands.

In one incident recently flagged on Reddit and verified by multiple users, scammers exploited Booking.com’s internal messaging system to pose as hotels, sending follow-up messages asking guests to confirm payment via a malicious third-party link. The impersonators mimicked the platform’s branding and messaging style with alarming accuracy.

Fake Accommodation Offers

According to Action Fraud, 44 per cent of holiday-related phishing reports in 2024 involved fake accommodation offers. For example, many victims were contacted after initially engaging with a legitimate booking site, suggesting criminals are monitoring and hijacking booking journeys to insert phishing attempts at key points.

Delivery Text Scams Continue to Catch Holidaymakers Off Guard

One of the most persistent phishing threats this summer is smishing, where fraudulent text messages impersonate delivery companies such as Royal Mail, Evri or DPD. These scams typically claim a parcel is delayed or requires a small fee to release, directing the recipient to a fake website that harvests card details or personal information.

The problem is growing. According to Proofpoint and UK Finance, fake parcel delivery texts accounted for 67.4 per cent of all reported smishing attempts in the 30-day period to mid-July 2025, up from 53.2 per cent in previous months. Financial impersonation scams, by comparison, made up just 22.6 per cent over the same period.

This reflects a longer-term trend. The National Cyber Security Centre reported a 174 per cent year-on-year rise in smishing attacks as of mid-2024, and industry data indicates that the increase has continued well into 2025. A recent consumer survey by Ofcom found that 42 per cent of UK mobile users had received a suspicious call or SMS in the past three months.

Mobile Scam Filters Still Falling Short

While mobile operators claim that scam filters are improving, independent testing has raised concerns. In one 2025 study by cyber firm MetaCert, every simulated smishing message was successfully delivered to UK phones. These included texts spoofing well-known brands and containing malicious links, suggesting that current filtering systems are still failing to block even basic threats.

Why Summer Timing Makes These Scams More Effective

The seasonal context plays an important role. During the summer, people are more likely to shop online for travel items, gifts or personal deliveries while away from home. This makes messages about missed or rescheduled parcels seem believable and time-sensitive, creating the urgency that scammers rely on.

According to advice published by Age UK Barnet, for example: “scam texts often appear to come from delivery companies, like Evri or Royal Mail, saying that a parcel is on its way and asking for payment.” The charity warns that people may click without thinking, especially when expecting a delivery, and highlights that older users may be particularly vulnerable if they are unfamiliar with digital services or not used to checking links carefully.

The growing sophistication of these scams, including the use of personalised names, postcodes or local courier references, makes them harder to detect. This is especially true on mobile devices, where links and sender details are less visible at a glance.

Fake Invoices and Business Email Scams Surge Before Holiday Deadlines

For UK businesses, the summer period brings another kind of cyber threat. Business Email Compromise (BEC) and invoice phishing scams often spike around end-of-quarter deadlines or during peak holiday handovers, when key personnel may be absent.

Scammers typically insert themselves into existing email threads by using a near-identical address to impersonate suppliers, contractors or internal staff. They then request urgent payments to altered bank accounts, citing things like updated banking details or changes to invoice terms.

The North East Business Resilience Centre (NEBRC), for example, has issued multiple alerts this summer urging firms to verify payment details verbally before transferring funds. “Organisations should treat every payment change request—no matter how routine it seems—with extreme caution, especially when staff are away,” said the NEBRC’s cyber lead. “We see companies lose tens of thousands of pounds in a single transaction.”

According to UK Finance, invoice and mandate scams cost UK businesses over £56.7 million in a single year, with construction, legal and property sectors among the most targeted.

Quishing Attacks Using QR Codes Are Also on the Rise

Perhaps a less familiar but growing trend is the use of malicious QR codes in phishing campaigns, often referred to as “quishing”. These codes may appear in emails, event posters, parking meters or travel itineraries, and lead to malicious websites once scanned.

Security researchers at Check Point have identified a significant increase in such attacks since spring 2025, with many targeting travellers by mimicking airline boarding passes or local information portals.

The real danger lies in the perception of safety associated with QR codes, particularly when presented in a printed or semi-official context. In several recent cases, scammers have replaced public QR codes on transport signage or tourist maps with fake stickers that lead to credential-harvesting sites.

UK businesses operating physical locations or QR-based digital services are being urged to regularly check signage, validate their own codes, and educate staff on the risks of scanning unknown links.

Criminals Exploit Social Context and Emotional Cues

What links all of these attacks is timing and emotional manipulation. Summer, with its relaxed atmosphere, frequent purchases and disrupted routines, creates ideal conditions for social engineering.

As cyber security firm Barracuda reports, seasonal phishing emails tend to use more emotionally charged language, including urgency, fear of missing out or appeals to customer service or refunds. Phrases like “Your booking is at risk”, “Re-delivery needed today” or “Outstanding invoice requires attention” are designed to provoke rapid reactions.

The NCSC encourages UK users to follow its “Stop, Challenge, Protect” guidance: pausing before clicking or paying, questioning the legitimacy of the request, and reporting suspicious messages to the Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk.

Many Attacks Are Enabled by Gaps in Email Security

A report by Proofpoint revealed that as of summer 2025, only 61 per cent of the UK’s top 50 travel websites had enforced full DMARC rejection policies, a basic email authentication setting that helps prevent domain spoofing. This leaves both individual travellers and business clients exposed to fake emails that appear to come from trusted brands.
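To make "full DMARC rejection" concrete, the sketch below grades the TXT records published at `_dmarc.<domain>` as reject, partial, monitor or none. It is an added example, not code from this article or from Proofpoint; the grade names, the function names and the sample records are assumptions made for illustration.

```python
# Added example: grade DMARC TXT records by how strictly they are enforced.
# SAMPLES are constructed records, not real DNS answers.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    # RFC 7489: the v tag must come first and be exactly DMARC1
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def enforcement(txt_records):
    """Grade the TXT set found at _dmarc.<domain>: reject, partial, monitor or none."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(parsed) != 1:          # no record, or several: receivers apply no policy
        return "none"
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "none"
    if policy == "none":
        return "monitor"          # reports only, spoofed mail is still delivered
    sub_policy = tags.get("sp", policy).lower()   # subdomains inherit p by default
    pct = tags.get("pct", "100")
    # Full rejection needs reject on the domain, its subdomains and 100% of mail;
    # a malformed pct is graded partial so that it gets reviewed.
    if policy == "reject" and sub_policy == "reject" and pct == "100":
        return "reject"
    return "partial"

SAMPLES = {  # constructed records under reserved .example names
    "full.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@full.example"],
    "ramp.example": ["v=DMARC1; p=reject; pct=25"],
    "subs.example": ["v=DMARC1; p=reject; sp=none"],
    "quar.example": ["v=DMARC1; p=quarantine"],
    "watch.example": ["v=DMARC1; p=none; rua=mailto:dmarc@watch.example"],
    "dupe.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "spfonly.example": ["v=spf1 include:_spf.example -all"],
}

def audit(samples=SAMPLES):
    """Map each sample domain to its enforcement grade."""
    return {domain: enforcement(records) for domain, records in samples.items()}

if __name__ == "__main__":
    for domain, grade in audit().items():
        print(f"{domain:18} {grade}")
```

Only the first sample counts as full rejection; a `pct` ramp, a weaker `sp` or a duplicate record each leave a route for spoofed mail to be delivered.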

Similarly, smaller organisations often lack the cyber hygiene measures to filter out high-risk attachments or check for lookalike domains. In phishing simulations conducted by KnowBe4, UK companies saw click rates of over 33 per cent during peak summer periods, compared to 24 per cent in winter, suggesting seasonal distractions increase user vulnerability.

Also, the British Chambers of Commerce has called on smaller firms to step up basic security practices, especially during holiday periods when decision-making may be rushed or decentralised.

Cybercriminals Are Adapting Faster Than Users Can React

The final concern raised by many experts is the speed with which scammers adapt. While businesses and individuals may learn to spot one kind of scam, attackers quickly switch tactics, changing domain names, targeting new seasonal trends or using AI tools to personalise their phishing lures.

Check Point’s threat intelligence team recently found that Google, Microsoft and Apple were the top three brands impersonated in UK phishing campaigns during Q2 2025. These impersonations often come in the form of bogus security alerts, fake travel subscriptions or seemingly legitimate service confirmations.

The summer of 2025 is no exception. As more people head off on breaks, and companies operate with skeleton crews, phishing attacks are exploiting every opportunity to slip through the cracks.

What Does This Mean For Your Business?

What emerges from this summer’s phishing surge is a clear pattern of opportunism that cuts across both consumer and business behaviour. It seems that cyber criminals are not relying on sophisticated infrastructure or zero-day exploits. Instead, they seem to be exploiting timing, familiarity and human distraction. For UK businesses, especially smaller firms, this creates a persistent operational risk that does not end with the holiday season.

Attacks linked to fake bookings, delivery texts and invoice fraud are not only rising in volume but also in precision. Social engineering tactics have become more convincing, and the tools behind them more accessible. As the examples in this report show, scammers no longer need to breach systems to steal money or data; they just need to catch someone at the wrong moment with the right message. This is particularly dangerous in summer when staff changes, out-of-office patterns and dispersed decision-making leave more gaps than usual.

The ongoing failure to implement email authentication standards such as DMARC, and the unreliable performance of mobile scam filters, suggest that many organisations are still relying on outdated or partial defences. Without investment in basic technical controls and regular user awareness training, UK businesses will continue to see preventable losses from phishing, whether in the form of misdirected invoice payments, stolen credentials or damaged trust.

For individuals, especially those booking holidays or expecting deliveries, the lesson is equally pressing. The presence of a recognisable brand or a plausible message is no longer a guarantee of safety. Personal vigilance, combined with public reporting and institutional support, will remain critical.

Looking ahead, the challenge is not just seasonal. Cyber criminals will continue to adapt their tactics to whatever events, platforms or behaviours dominate public attention. However, the summer phishing spike is a useful case study in how quickly attackers can exploit simple human habits, and how slow many defences still are to catch up. For both UK organisations and their customers, tackling phishing will require more than just summer warnings. It demands consistent, year-round resilience.

Mike Knight