Create world-class traveller experiences using our innovative technology solutions.
Increasingly, everything we do—from managing our businesses to our personal errands—is online. But with this convenience comes a need for vigilance against potential threats.
Phishing is a type of cyberattack where criminals attempt to steal personal information or money, often by convincing you to click on a malicious link or attachment or directing you to a fake website. And while phishing was once relatively easy to spot, AI tools are helping criminals create more sophisticated phishing campaigns, making them more difficult to detect.
Read on for tips and best practices on how to prevent phishing attacks and the actions you can take if you receive an email or message that you suspect may be fraudulent.
How Expedia Group protects partners
At Expedia Group, our Fraud and Risk and Cyber Defense teams work to stay ahead of scammers and protect the travel experience for our partners and travellers.
Fraud prevention services are essential in protecting companies from financial harm, preserving their reputation and maintaining customer trust. Our Cyber Defense team is dedicated to identifying potential risks and working to ensure we are prepared for cyberattacks, including phishing scams.
Our partner portals also give partners the ability to further protect their account from unauthorised access through features such as complex password requirements and multi-factor authentication (MFA).
Best practices for protecting yourself from phishing scams
With more sophisticated phishing scams on the rise, putting best practices into action can help protect you, your business and your travellers. So, what precautions should be taken to avoid falling victim to phishing?
Keep your guard up
Emails and messages that create urgency and fear are usually fake, and the sender wants you to leap before you look. Instead of giving in to the pressure, take your time, evaluate the message and be sceptical. If something seems off, it probably is.
Misspelled words and poor grammar are also red flags that can help you identify scams. However, recent developments in AI tools have made it easier for scammers to craft well-written communications, so it’s important to evaluate other factors.
Ask yourself questions like:
- Is the email or message unexpected?
- Does the request make sense?
- Could it be mimicking a legitimate sender?
Verify the sender’s information
Scammers may use a similar name or email address to those familiar to you or your organisation to catch you off guard. Always check the sender’s email address or contact information before replying or clicking on links. Float your cursor over addresses to make sure they are legitimate—for example, an email from a vrbot.com domain would not be from Vrbo®.
Be aware of deceptive emails or malicious links
Treat all unexpected attachments and links like the potentially infectious threats they are. If the message or the sender’s contact information seems suspicious, it’s likely that attachments or links within the communications are malicious.
For example, the official Expedia Group Partner Central URL is expediapartnercentral.com—any other iterations of the URL such as expediaparrtnercentral.com should not be trusted.
In some cases, you can also inspect URLs by hovering over the links to verify the information before clicking, and check that they begin with ‘https://’ and not ‘http://.’ The former indicates that the site is secure. When in doubt, don’t open suspicious attachments or links.
Ensure that account user information is up to date
One easy way to help safeguard your information is to ensure your dashboard account users are up to date. This includes double checking the people who have access to the account, confirming contact information and regularly updating account passwords for added security.
If any of the contacts are unfamiliar or no longer work with your property, remove them from your account. This activity should be done at least every six months. While you’re at it, consider updating your security questions for an added layer of protection.
Enable multi-factor authentication with mobile push
To enhance the security of your account, we strongly recommend setting up MFA and selecting ‘mobile push’ as your alternative factor. Follow the links below to download the app and visit the help articles to learn how to update your account verification settings. Remember to confirm that the correct email address and phone number are listed for your account’s authentication settings.
Holiday rental guidance
What to do if you think you have been targeted by phishing
If you believe you have received a phishing email that mentions Vrbo or Expedia®, have been targeted by a scam or notice suspicious activity, report it to your account manager or contact Expedia Group via one of the channels listed below.

Kurt John
Global Chief Information & Security Officer, Expedia Group
Kurt John is Global Chief Information & Security Officer at the Expedia Group, where he oversees governance and execution of enterprise information technology, cybersecurity, physical security and privacy. He is also a non-resident senior fellow at the Atlantic Council, where he helps to think through the most relevant cybersecurity challenges at the intersection of geopolitics, business and security facing the United States and its allies. This includes making recommendations for policy makers to help bolster the security of our way of life. Kurt has and continues to hold multiple board positions in private and public organisations including Virginia Innovation Partnership Authority—the Commonwealth’s initiative to drive innovation of the tech economy.
Tell us how we did so we can improve our site.