Business travel can expose individuals to serious cyber threats when connecting to hotel or airport Wi-Fi, so here we explain how to stay secure using practical precautions such as VPNs and mobile tethering.

Why Public Wi-Fi Is a Hidden Risk for Travellers

Public Wi-Fi is one of the most widely used digital conveniences among UK business travellers. Whether in airports, hotels, cafés or train stations, free internet access is often seen as a quick and easy way to stay productive while on the move. But security experts are warning that many of these networks are poorly protected or actively targeted by cyber criminals looking to intercept data or install malware.

A Norton survey found that 60 per cent of travellers were already connecting to public Wi-Fi at least once a week in 2023, with nearly half admitting they’d used unsecured networks to check work emails or log in to sensitive accounts. More recently, a 2024 analysis by cybersecurity firm Inflection Point confirmed that around 70 per cent of business travellers had encountered some form of cyber threat while away from their usual workplace.

For UK businesses in 2025, the operational risk is even greater. Remote access to corporate tools is now standard, while business travel has rebounded strongly across Europe and beyond. Insecure public networks can easily be exploited to steal credentials, compromise cloud accounts or gain backdoor access to business systems. The threat is no longer limited to high-risk environments, it’s embedded in everyday travel routines.

How Criminals Target Public Wi-Fi Users

The main security risk with public Wi-Fi is that it often lacks encryption. This means that the data sent between your device and the router can be intercepted by third parties using basic equipment. One of the most common tactics is known as a man-in-the-middle attack, where a hacker places themselves between you and the network to eavesdrop on your activity or harvest personal and company data.

Rogue Wi-Fi Hotspots

Another growing tactic is the use of so-called “evil twin” networks. These are rogue Wi-Fi hotspots set up to mimic a legitimate service, often with names like “Hotel_WiFi_Guest” or “Free_Airport_WiFi”. Once connected, users may be redirected to phishing pages or silently monitored. According to a recent report from US-based WatchGuard Technologies, it takes as little as £400 worth of off-the-shelf kit to create one of these fake hotspots.

Even genuine Wi-Fi networks can be a risk. For example, hotel systems are often shared across hundreds of users and rarely updated or segmented, making them soft targets. Airports are also ideal hunting grounds for criminals, thanks to the large volume of fast-moving, distracted users and international visitors unfamiliar with local security risks.

What Experts Recommend for Safer Connections

Security experts agree that the safest approach is to avoid public Wi-Fi altogether where possible. However, when access is essential, there are some practical steps that can significantly reduce the risk.

VPNs

The most important measure is to use a virtual private network (VPN). A VPN encrypts your internet traffic, so even if someone intercepts the connection, they won’t be able to read or tamper with your data. As Paul Bischoff, consumer privacy advocate at Comparitech, explains: “A VPN creates a secure tunnel that protects your traffic from snoopers on unsecured networks. For travellers, it’s an essential layer of defence.”

There are dozens of business-grade VPN providers on the market, with options like NordVPN, Surfshark and ExpressVPN all offering apps compatible with laptops and mobile devices. However, not all VPNs are equally secure. Free versions, in particular, may collect data or lack proper encryption protocols.

Tethering

Another option is mobile tethering, which involves connecting a laptop or tablet to the internet via your phone’s 4G or 5G data rather than using Wi-Fi. This method uses your mobile provider’s encrypted network and is generally far safer than connecting to unknown hotspots. Most smartphones have built-in hotspot functionality, though business travellers should check their data limits before relying on this approach abroad.

In situations where public Wi-Fi must be used, it’s also wise to:

– Avoid online banking, file sharing and sensitive logins.

– Stick to websites using HTTPS (look for the padlock symbol in your browser).

– Turn off auto-connect and file sharing features.

– Set the connection type to ‘Public’ in your device settings.

– Keep all apps, browsers and antivirus software up to date.

How Mobile Habits Can Create Unintended Exposure

A recent study by the UK’s National Cyber Security Centre (NCSC) highlighted how user behaviour plays a key role in exposure to cyber threats. In their analysis of business travel patterns, they found that users often relax security habits when on the move, especially during summer holidays or while rushing through airports.

For example, many travellers leave their phones or laptops unlocked, or stay logged in to work systems and cloud services. Others fail to check the legitimacy of a network before connecting, relying on familiar-sounding names. These small lapses, while understandable, can make it much easier for attackers to gain access.

The NCSC advises that staff travelling for work should be briefed on digital hygiene protocols and given the tools needed to work safely while mobile. This might include rolling out managed VPN solutions or providing mobile data allowances specifically for tethering.

The Cloud

One other important aspect to consider is that businesses are now increasingly reliant on cloud-based tools and remote access platforms, from Microsoft 365 and Slack to enterprise CRM systems. This has brought major flexibility gains, but it has also raised the stakes when it comes to endpoint security. For example, a compromised login from a hotel room abroad could open the door to serious breaches back home.

The UK’s Information Commissioner’s Office (ICO) warns that data breaches involving personal or client information (even if caused by insecure Wi-Fi use) can lead to investigations and fines under the UK GDPR regime. For regulated sectors such as legal, healthcare and finance, this risk is even more acute.

Reputational Damage Risk

There’s also reputational damage to consider. In one documented incident investigated by FireEye, a consultant’s credentials were stolen via a compromised hotel Wi-Fi network linked to the Russian espionage group APT28 (also known as Fancy Bear). The attackers exploited hotel routers to harvest guest login details, and those credentials were later used to access corporate systems remotely. Although no malware was installed on the consultant’s device, the breach led to serious trust issues for the consultancy firm involved, who were forced to issue apologies to clients and implement stricter travel security protocols.

Simple Precautions That Reduce the Risk for Everyone

Despite the risks, public Wi-Fi use isn’t going away anytime soon, but business travellers can take control with a combination of awareness and simple protective tools. In addition to using a VPN or mobile tethering, businesses should ensure that staff understand how to recognise suspicious networks and what to do if they think a device has been compromised.

MFA

The NCSC also recommends that all business devices use multi-factor authentication (MFA) and endpoint security tools to minimise exposure. Organisations should also maintain clear reporting lines in the event of a suspected breach so that action can be taken quickly.

Whether on a short-haul trip to Brussels or checking emails from a hotel bar in Singapore, a few small changes in behaviour can significantly reduce the likelihood of an attack. With cyber criminals becoming more sophisticated each year, secure connectivity is now essential travel kit.

What Does This Mean For Your Business?

Cyber security on the move is no longer a niche concern for IT teams. As this summer’s travel season gathers pace, the reality is that every employee logging on from a hotel, airport or conference centre is a potential entry point for a wider breach. Public Wi-Fi remains widely used but poorly understood, and attackers continue to exploit that gap with tactics that are cheap to deploy but costly to recover from.

For UK businesses, the stakes are clear. A single compromised login can lead to regulatory consequences, reputational damage and financial loss. This is especially true in sectors where client confidentiality, personal data or financial systems are involved. Relying on convenience over security, particularly during travel, risks undermining all the investment made in other parts of the company’s digital infrastructure. However, as this article has shown, the tools to mitigate that risk already exist. VPNs, mobile tethering, MFA, and well-informed staff are not just best practice, they are now baseline requirements for secure hybrid working.

What matters next is awareness and consistency. Companies must ensure that secure connection policies are more than a tick-box exercise, especially as international travel becomes routine again.

UK firms are using summer downtime to run cybersecurity quizzes that improve staff awareness, reduce phishing risks, support onboarding, and build a stronger security culture ahead of the September reset.

Why Summer Is the Time to Act

It may seem counterintuitive to launch a cybersecurity initiative during the holiday season, yet security professionals say this is exactly the right time to do it.

Staff returning from leave are often catching up on emails, resetting routines, and switching back into work mode. That makes them particularly vulnerable to phishing emails, credential theft, and misjudged clicks. For example, according to CybSafe, human error still accounts for 95 per cent of successful cyber attacks, with fatigue, distraction and complacency frequently involved.

A 2024 KnowBe4 report found that staff were 29 per cent more likely to click on phishing links in the first week after returning from time off. With many UK employees taking annual leave during July and August, the September return presents a high-risk window.

That is why many IT and compliance teams are opting to launch a light-touch but high-impact quiz or awareness campaign during summer, or just at the end of the holiday period. The aim is to create a timely reset, not a compliance burden. As CybSafe puts it, “It’s like sharpening the tools before we go back into the busy season.”

Back to Business and Back to Basics

The term “back to school” may be figurative, but the principle stands. September often marks a fresh start, Q4 planning begins, new projects launch, and there is an influx of new joiners or temporary staff.

That makes it a natural moment to remind employees of core cyber hygiene habits. Password security, phishing recognition, two-factor authentication, and safe use of cloud platforms are all common focus areas. Rather than relying on lengthy and formal training sessions, many businesses are shifting towards short and interactive formats that nudge behaviour and boost recall.

Awareness Quizzes

For example, firms including CybSafe, KnowBe4 and ESET now offer ready-made awareness quizzes tailored to workplace risks. These tools test employees’ understanding of phishing techniques, device hygiene, credential security, and social engineering tactics. Many offer features such as internal benchmarking, anonymised scoring by department, and follow-up resources based on quiz performance.

Quizzes typically include multiple choice or scenario-based questions, with questions such as, “You receive a Teams message from your manager with an urgent link to an invoice. What should you do?” Feedback is usually immediate, and correct answers are explained to reinforce good habits.

To be effective, questions need to reflect real-life risks. For example, a phishing section might include, “This email asks you to ‘urgently verify your payroll details’ using a link. What should you check first before clicking?” A password hygiene question could ask, “Which of these is the most secure password: Pa55word!, £S78qp*4, John1980, or MyCompany123?” Other useful topics include recognising suspicious attachments, safe use of public Wi-Fi, and what to do if you suspect your laptop has been compromised.

For remote or hybrid workers, practical scenarios can help highlight overlooked risks. One example might be, “You’re working from a café and need to join a video call. What is the safest way to connect?” By focusing on realistic decisions, these questions build familiarity with threats and give staff confidence to make better choices.

As CybSafe notes, “Security awareness doesn’t need to be dry. Gamification increases engagement by up to 60 per cent, and we see higher retention when people enjoy the format.”

New Staff, New Risks

Another reason why late summer is an ideal time for awareness activity is the volume of onboarding across many sectors. Whether it is school leavers entering the workforce or internal moves following the holiday period, new and transitioning employees are consistently shown to be more vulnerable.

Research cited by Keepnet Labs shows that new hires are 44 per cent more likely to click on phishing links, and 71 per cent more susceptible to social engineering tactics within their first three months. This is often due to unfamiliarity with tools, eagerness to make a good impression, and uncertainty around what constitutes suspicious behaviour.

Embedding a cyber quiz into induction materials or using it as part of a post-holiday reset can help mitigate this. According to Keepnet, “Embedding quizzes into everyday culture, not just annual training, helps build shared ownership of cyber hygiene. Awareness becomes a team asset, not an individual chore.”

Campaigns That Stick

Many UK firms are using seasonal branding and lighter messaging to increase participation. For example, naming the initiative “Back to Business: Cyber Reset” or “Security September” helps frame the content as helpful and timely, rather than bureaucratic.

Typical campaign assets include a short online quiz, accompanying infographics or posters on common threats, and a follow-up message sharing results or next steps. Some businesses use this moment to revisit hybrid working guidance or flag updates to bring-your-own-device (BYOD) policies.

The Cyber Security Breaches Survey 2025, published by the Department for Science, Innovation and Technology, highlights just how common incidents remain. 43 per cent of UK businesses reported a cyber breach or attack in the past 12 months, but among medium-sized businesses, that figure rose to 70 per cent, and for large organisations, to 90 per cent.

The same report found that businesses with regular staff training and awareness campaigns were more likely to detect and respond to threats promptly. That strengthens the case for low-friction, repeatable tools like quizzes, especially when timed around known periods of vulnerability.

Metrics That Matter

It seems that quizzes can also generate useful insights. For example, platforms such as CybSafe and KnowBe4 offer dashboards showing which questions are commonly missed, which teams or roles may need additional support, and how engagement varies over time. That helps IT, HR and compliance teams refine their approach and demonstrate value to leadership.

These insights can also support wider objectives. For companies pursuing Cyber Essentials or ISO 27001 certification, regular awareness campaigns count as demonstrable evidence of good cyber governance and staff engagement with security.

Crucially, quizzes offer an approachable format. For example, as CybSafe research shows, campaigns framed around positive reinforcement rather than fear or punishment consistently lead to better uptake, stronger recall and healthier behaviours across the organisation.

Real-World Findings Underscore the Risk

Recent UK data reinforces the need for continued staff education. In the Cyber Security Breaches Survey 2025, phishing was identified as the most common attack method by 85 per cent of affected businesses. 65 per cent said it was the most disruptive type of incident they faced.

In the SME sector, a study by GetApp UK found that 94 per cent of phishing attacks arrived via email, and more than two-thirds of businesses had faced multiple attempts in a short timeframe. The simplicity of phishing makes it hard to block completely through technical defences, placing the onus back on staff to spot and avoid traps.

Also, the risk is not limited to newcomers. For example, as a UK workplace study reported by Insurance Edge found, managers were twice as likely as junior staff to fall for phishing scams, despite being more familiar with systems and policies. That suggests even experienced employees benefit from regular and practical reminders.

Taken together, these findings reinforce why so many UK businesses are choosing to run fun, quiz-based cyber campaigns during the summer, to catch complacency before it becomes costly.

What Does This Mean For Your Business?

This approach is not about ticking boxes. It’s actually about creating a security culture that works with people, not against them. For example, quizzes seem to offer a simple, low-pressure way to reset expectations, surface knowledge gaps, and refocus attention on the behaviours that actually reduce risk. They are also easy to run and repeat, which gives organisations more flexibility than formal training cycles often allow.

For UK businesses, the benefits are both immediate and long-term. A short, well-timed quiz can reduce phishing risk, especially among returning staff and new joiners, while also demonstrating good governance to customers, insurers and auditors. When supported by the right follow-up and metrics, these tools become part of a wider risk management strategy, not a standalone event. In sectors where compliance, reputation or customer trust are central, that distinction matters.

The impact also extends beyond the IT team. HR departments, line managers and internal communications teams all have a role to play in making cyber awareness relatable and consistent. Using seasonal campaigns or friendly team challenges helps embed these habits across different parts of the business, rather than leaving them siloed. That shift is key if organisations want security awareness to feel like part of the culture, not just a requirement.

Suppliers, partners and clients also benefit from this raised awareness. In an interconnected economy, a weak link in one organisation can expose others to unnecessary risk. By encouraging regular, engaging training, UK firms not only protect their own operations, but also contribute to a more resilient digital environment across their wider supply chain.

The timing matters too. With rising attack volumes and continued pressure on internal resources, companies that take advantage of the quieter summer period to prepare for Q4 are putting themselves on the front foot. Awareness may not stop every attack, but it can make the difference between a quick recovery and a costly incident. That is why summer quizzes are gaining momentum, and why more organisations are choosing to turn a seasonal lull into a strategic advantage.

A Seattle startup has taken a significant step toward creating a portable nuclear fusion device, operating its compact reactor at 300,000 volts for extended periods, a key technical breakthrough that could transform the clean energy landscape.

Who Is Avalanche Energy?

Avalanche Energy is a privately held company based in Seattle, Washington, founded in 2018 by Robin Langtry and Brian Riordan. The firm is focused on developing compact nuclear fusion reactors (small enough to fit on a desk!) under the product name “Orbitron.” Their long-term aim is to deliver clean, scalable energy solutions for everything from remote infrastructure to spacecraft.

While nuclear fusion has traditionally involved massive, multi-billion-dollar machines like ITER in France or laser-powered systems at the US National Ignition Facility, Avalanche is taking a radically different approach. Its system is designed to be low-cost, lightweight, and modular, using high-voltage electric fields instead of complex magnets or lasers to trigger the fusion process.

Milestone

The company’s latest milestone, sustaining 300,000 volts in a desktop-scale prototype, represents one of the highest voltage densities achieved in a fusion device of its size. This could prove a critical enabler in the race to demonstrate net energy gain from fusion, a feat that would mean the reactor produces more energy than it consumes.

Why A (Desktop) Fusion Reactor?

The global energy sector remains heavily reliant on fossil fuels, and while wind, solar, and battery technologies are progressing, they all face scalability, intermittency, and storage challenges. Fusion, which mimics the process that powers the sun, offers the potential for a virtually limitless source of clean energy without the long-lived radioactive waste or meltdown risks associated with conventional nuclear fission.

“Fusion offers the highest energy density possible,” Avalanche states on its website. “It’s clean, abundant, and sustainable—exactly what humanity needs as we scale into the future.”

However, making fusion practical has proven notoriously difficult. Traditional approaches require either extreme temperatures or massive magnetic fields to confine plasma. These methods are energy-intensive and require huge, expensive infrastructure, which has kept fusion perpetually 20 years away from commercial reality.

Avalanche believes that its ultra-compact Orbitron reactor, combined with recent advances in high-voltage electronics and materials science, could finally break the cycle.

How the Orbitron Works

Unlike tokamaks or laser-based fusion systems, the Orbitron uses a technique called electrostatic confinement. In simple terms, high-speed charged particles (ions) are trapped inside a vacuum chamber and guided into elliptical orbits around a central, negatively charged cathode.

As these ions accelerate and become more densely packed, they begin to collide with enough force to fuse, releasing energy in the process. The prototype achieved a voltage gradient of 6 million volts per metre, which is a level far beyond typical industrial equipment, and one that Avalanche says is “the real unlock.”

This compact design allows the entire system to operate without massive magnets or complex cryogenics. According to Avalanche, the key breakthrough lies in reaching ultra-high voltages in a small footprint, thereby enabling fast-moving ions to be packed into tight orbits with enough energy to spark fusion. The team says this is what allows the machine to remain physically small while delivering the energy densities required for meaningful power output.

The system is modular and scalable. Individual units ranging from 5 kilowatts (kW) to several hundred kW can be grouped together to create higher-capacity solutions, including mobile power sources, micro-grids, or even space-based applications.

What Makes Avalanche’s Approach Different?

Avalanche is part of a new wave of private fusion startups rethinking the architecture of fusion reactors. For example, rather than pursuing billion-dollar mega-projects, these companies are focusing on speed, agility, and commercial viability. Avalanche’s advantage lies in its compact, electrostatic design, which enables rapid iteration and prototyping.

The company says it can produce and test new components in days, rather than years, and expects this to dramatically reduce the cost of development. It also avoids the need for giant facilities or huge teams, which has historically slowed progress in the fusion field.

Another key difference is its target market. While most fusion developers are aiming to power grids, Avalanche is looking at decentralised applications, such as off-grid infrastructure, maritime systems, and lunar or planetary missions. These use cases demand small form factors, rapid deployment, and minimal support infrastructure, which are the criteria that Avalanche is specifically engineering for.

The Orbitron is also being designed to accommodate a range of fusion fuels, including deuterium-tritium and proton-boron-11. The latter has the potential to minimise neutron production, reducing shielding requirements and extending reactor life.

What Does the 300,000-Volt Breakthrough Mean?

Reaching and maintaining 300,000 volts in a compact machine is actually a pivotal achievement. It demonstrates that the Orbitron can sustain the extreme conditions required for meaningful fusion activity while remaining small, efficient, and robust.

Avalanche is now on track to use this capability to build FusionWERX, a planned neutron-production and testing facility in Richland, Washington. The company recently secured a $10 million Green Jobs Grant from the Washington State Department of Commerce to develop the site, which will allow third-party researchers and companies to test fusion components under realistic conditions.

FusionWERX

FusionWERX is intended to be a commercial facility, generating income through neutron production for radioisotope creation, materials testing, and IP-secure research. Langtry estimates Avalanche could become profitable by 2028, with projected revenues of $30–50 million in 2029.

Avalanche now aims to secure the remaining funding needed to match the 50 per cent cost-share requirement tied to its $10 million grant from Washington State. The company is actively preparing a Series B fundraising round to support the FusionWERX project and scale up its reactor development work. According to Avalanche, a significant portion of the matching funds is already committed, with further investment expected to follow as hardware milestones are met.

What Are the Broader Implications?

If successful, Avalanche’s technology could dramatically lower the barriers to fusion adoption. Rather than relying on centralised mega-projects, future fusion could emerge through a more distributed model, with small-scale reactors tailored to specific use cases and markets.

This could have particular relevance for UK businesses, especially those in energy-intensive sectors, remote infrastructure, or off-grid operations. For example, the potential to access compact, safe, and zero-emissions energy on demand would radically change planning and cost structures.

It could also disrupt parts of the existing nuclear sector. For example, traditional fission reactors are heavily regulated, expensive to build, and politically controversial. Fusion, especially in compact form, offers a way around many of these constraints. That said, whether governments will be prepared to adapt regulations quickly enough remains an open question.

For competitors, Avalanche’s milestone puts pressure on other private fusion firms to accelerate their own timelines. Notable players in the field include:

– TAE Technologies (California), which is pursuing proton-boron fusion using beam-driven plasma devices.

– Zap Energy (Seattle), developing a sheared-flow Z-pinch system with no magnets.

– Helion Energy (also based in Washington), which recently signed a deal with Microsoft to supply fusion-generated power by 2028.

– First Light Fusion (UK), using high-velocity impact fusion derived from research at Oxford University.

Each of these companies is using a different approach, but all share the goal of making fusion commercially viable in the near term. Avalanche’s unique angle, targeting small-scale, rapidly deployable systems, helps distinguish it in an increasingly crowded field.

Challenges and Criticisms

Despite the recent progress, fusion remains a tough nut to crack. While Avalanche’s voltage milestone is impressive, it has yet to demonstrate net energy gain, where the energy produced by the fusion reactions exceeds the energy required to initiate and sustain them.

Electrostatic confinement approaches like Avalanche’s have faced scepticism in the past. Earlier systems such as fusors and polywells showed promise but were ultimately unable to scale to net energy production. Whether Avalanche’s novel design can overcome those physics constraints remains to be seen.

There are also engineering hurdles ahead, including scaling up power extraction systems, managing heat loads, and extending component life under repeated bombardment by high-energy particles.

Some experts have also raised concerns about overpromising. With many fusion startups now forecasting delivery within five years, expectations are high, but public trust could suffer if those timelines slip. A measured, evidence-led approach will be key to sustaining momentum.

That said, the combination of technological progress, public funding, and early commercial pathways is helping to shift fusion from long-term aspiration to near-term opportunity. Avalanche Energy’s latest milestone brings that vision one step closer to reality.

What Does This Mean For Your Business?

Avalanche’s 300,000-volt achievement puts it ahead of many peers in demonstrating that fusion conditions can be created and sustained using a radically smaller and simpler system. While it does not yet mean net energy gain has been reached, the ability to operate a high-voltage, compact reactor continuously is a crucial step toward proving that desktop fusion is more than theoretical. This isn’t just a technical milestone, it’s a signal that fusion innovation is no longer confined to large institutions or national labs.

For investors, the company’s path to near-term revenue through neutron generation, radioisotope production and facility rentals helps to de-risk the commercial model. This gives Avalanche a clearer route to financial sustainability than most early-stage fusion firms, even before full-scale energy production is realised. That clarity may also allow it to attract more patient capital in a sector known for long development timelines.

For UK businesses, especially those in manufacturing, defence, remote operations and advanced research, the potential applications are considerable. Modular fusion systems that require little maintenance and produce no direct emissions could offer a stable and long-term energy alternative at a time when electricity prices and carbon pressures remain unpredictable. In high-value, energy-intensive environments where resilience and clean credentials matter, compact fusion could eventually shift how organisations plan infrastructure, supply chains and investment.

At the same time, regulators, utilities and energy planners will need to consider how small-scale fusion fits into existing frameworks. Questions about safety certification, licensing, integration with grid systems, and waste handling (even if minimal) will all need answering well ahead of any widescale deployment.

For the broader energy sector, Avalanche’s progress underscores a growing shift from slow, centralised fusion development toward smaller, faster, and more commercially agile models. This shift introduces competition and experimentation into a field once dominated by public-sector science programmes. But it also brings new scrutiny. Claims will need to be backed by results. Startups like Avalanche will be measured not just on vision, but on engineering performance, cost, scalability and real-world deliverables.

Avalanche’s milestone, therefore, offers a glimpse of what fusion could look like in practice, i.e., not vast tokamaks on government sites, but flexible machines that power remote labs, isolated communities or advanced industries. If the next set of milestones are met, and if the technology scales as claimed, fusion could become something businesses use, not just something scientists pursue. That would be a real shift, and this breakthrough brings that future closer than it has ever been.

CoPilot now make it easier than ever to run a prompt in the background at scheduled times in the future. It’s like having a magic genie which you can ask to do things for you (in plain english and without coding) and then you simply set and forget … and hope it works!

[Note – To Watch This Video without glitches/interruptions, It may be best to download it first]

Need ChatGPT to respond in a more professional or specialised tone? Just add three words to your prompt to steer it instantly.

How to:

– At the end of your prompt, add: “…like a [role]” (e.g. journalist, marketer, data analyst).– Example: “Summarise this email chain like a data analyst.”

What it’s for:

Delivers more relevant, polished and context-aware replies—ideal for reports, emails, briefings or any task where tone and clarity matter.

Pro‑Tip: Experiment with roles that fit your goal—try “editor”, “consultant”, “lawyer” or “client” to fine-tune the output to match your needs.

Here we look at how phishing scams spike in summer, including fake travel bookings, delivery text traps and urgent invoice fraud, and why UK businesses and individuals are especially vulnerable during the summer holiday season.

Phishing Peaks in Summer as Risk Awareness Drops

The summer season is increasingly being exploited by cyber criminals as a prime window to launch targeted phishing campaigns. For example, according to Action Fraud, UK consumers lost over £11.6 million to holiday-related scams in 2024 alone, with July and August seeing the highest volume of reports.

Why?

Experts point to a combination of seasonal distractions and increased online transactions, particularly for travel and leisure, as key drivers. With staff taking annual leave and workflows stretched thin, businesses are also becoming easier prey for invoice fraud and impersonation attempts.

Proofpoint, a global cyber security firm, recently warned that over one third of major UK travel booking platforms are failing to implement basic email authentication protections, such as full DMARC rejection policies, leaving customers vulnerable to spoofed messages. “Criminals know people are more likely to be booking trips or awaiting parcels,” said Adenike Cosgrove, cybersecurity strategist at Proofpoint. “That makes them more likely to click without thinking.”

Fake Travel Sites and Booking Confirmations Are Widespread

A common scam involves fake travel booking websites or emails posing as legitimate platforms such as Booking.com, Airbnb or Jet2. In many cases, victims are lured through paid adverts on social media or search engines, where fraudulent domains are made to closely resemble real travel brands.

In one incident recently flagged on Reddit and verified by multiple users, scammers exploited Booking.com’s internal messaging system to pose as hotels, sending follow-up messages asking guests to confirm payment via a malicious third-party link. The impersonators mimicked the platform’s branding and messaging style with alarming accuracy.

Fake Accommodation Offers

According to Action Fraud, 44 per cent of holiday-related phishing reports in 2024 involved fake accommodation offers. For example, many victims were contacted after initially engaging with a legitimate booking site, suggesting criminals are monitoring and hijacking booking journeys to insert phishing attempts at key points.

Delivery Text Scams Continue to Catch Holidaymakers Off Guard

One of the most persistent phishing threats this summer is smishing, where fraudulent text messages impersonate delivery companies such as Royal Mail, Evri or DPD. These scams typically claim a parcel is delayed or requires a small fee to release, directing the recipient to a fake website that harvests card details or personal information.

The problem is growing. According to Proofpoint and UK Finance, fake parcel delivery texts accounted for 67.4 per cent of all reported smishing attempts in the 30-day period to mid-July 2025, up from 53.2 per cent in previous months. Financial impersonation scams, by comparison, made up just 22.6 per cent over the same period.

This reflects a longer-term trend. The National Cyber Security Centre reported a 174 per cent year-on-year rise in smishing attacks as of mid-2024, and industry data indicates that the increase has continued well into 2025. A recent consumer survey by Ofcom found that 42 per cent of UK mobile users had received a suspicious call or SMS in the past three months.

Mobile Scam Filters Still Falling Short

While mobile operators claim that scam filters are improving, independent testing has raised concerns. In one 2025 study by cyber firm MetaCert, every simulated smishing message was successfully delivered to UK phones. These included texts spoofing well-known brands and containing malicious links, suggesting that current filtering systems are still failing to block even basic threats.

Why Summer Timing Makes These Scams More Effective

The seasonal context plays an important role. During the summer, people are more likely to shop online for travel items, gifts or personal deliveries while away from home. This makes messages about missed or rescheduled parcels seem believable and time-sensitive, creating the urgency that scammers rely on.

According to advice published by Age UK Barnet, for example: “scam texts often appear to come from delivery companies, like Evri or Royal Mail, saying that a parcel is on its way and asking for payment.” The charity warns that people may click without thinking, especially when expecting a delivery, and highlights that older users may be particularly vulnerable if they are unfamiliar with digital services or not used to checking links carefully.

The growing sophistication of these scams, including the use of personalised names, postcodes or local courier references, makes them harder to detect. This is especially true on mobile devices, where links and sender details are less visible at a glance.

Fake Invoices and Business Email Scams Surge Before Holiday Deadlines

For UK businesses, the summer period brings another kind of cyber threat. Business Email Compromise (BEC) and invoice phishing scams often spike around end-of-quarter deadlines or during peak holiday handovers, when key personnel may be absent.

Scammers typically insert themselves into existing email threads by using a near-identical address to impersonate suppliers, contractors or internal staff. They then request urgent payments to altered bank accounts, citing things like updated banking details or changes to invoice terms.

With this in mind, the North East Business Resilience Centre (NEBRC), for example, has issued multiple alerts this summer urging firms to verify payment details verbally before transferring funds. “Organisations should treat every payment change request—no matter how routine it seems—with extreme caution, especially when staff are away,” said the NEBRC’s cyber lead. “We see companies lose tens of thousands of pounds in a single transaction.”

According to UK Finance, invoice and mandate scams cost UK businesses over £56.7 million in a single year, with construction, legal and property sectors among the most targeted.

Quishing Attacks Using QR Codes Are Also on the Rise Too

Perhaps a less familiar but growing trend is the use of malicious QR codes in phishing campaigns, often referred to as “quishing”. These codes may appear in emails, event posters, parking meters or travel itineraries, and lead to malicious websites once scanned.

Security researchers at Check Point have identified a significant increase in such attacks since spring 2025, with many targeting travellers by mimicking airline boarding passes or local information portals.

The real danger lies in the perception of safety associated with QR codes, particularly when presented in a printed or semi-official context. In several recent cases, scammers have replaced public QR codes on transport signage or tourist maps with fake stickers that lead to credential-harvesting sites.

UK businesses operating physical locations or QR-based digital services are being urged to regularly check signage, validate their own codes, and educate staff on the risks of scanning unknown links.

Criminals Exploit Social Context and Emotional Cues

What links all of these attacks is timing and emotional manipulation. For example, summer, with its relaxed atmosphere, frequent purchases and disrupted routines, creates ideal conditions for social engineering.

For example, as cyber security firm Barracuda reports, seasonal phishing emails tend to use more emotionally charged language, including urgency, fear of missing out or appeals to customer service or refunds. Phrases like “Your booking is at risk”, “Re-delivery needed today” or “Outstanding invoice requires attention” are designed to provoke rapid reactions.

The NCSC encourages UK users to follow its “Stop, Challenge, Protect” guidance—pausing before clicking or paying, questioning the legitimacy of the request, and reporting suspicious messages to the Suspicious Email Reporting Service (SERS) (at report@phishing.gov.uk).

Many Attacks Are Enabled by Gaps in Email Security

A report by Proofpoint revealed that as of summer 2025, only 61 per cent of the UK’s top 50 travel websites had enforced full DMARC rejection policies, which is a basic email authentication setting that helps prevent domain spoofing. This leaves both individual travellers and business clients exposed to fake emails that appear to come from trusted brands.

Similarly, smaller organisations often lack the cyber hygiene measures to filter out high-risk attachments or check for lookalike domains. In phishing simulations conducted by KnowBe4, UK companies saw click rates of over 33 per cent during peak summer periods, compared to 24 per cent in winter, suggesting seasonal distractions increase user vulnerability.

Also, the British Chambers of Commerce has called on smaller firms to step up basic security practices, especially during holiday periods when decision-making may be rushed or decentralised.

Cybercriminals Are Adapting Faster Than Users Can React

The final concern raised by many experts is the speed with which scammers adapt. While businesses and individuals may learn to spot one kind of scam, attackers quickly switch tactics, changing domain names, targeting new seasonal trends or using AI tools to personalise their phishing lures.

Check Point’s threat intelligence team recently found that Google, Microsoft and Apple were the top three brands impersonated in UK phishing campaigns during Q2 2025. These impersonations often come in the form of bogus security alerts, fake travel subscriptions or seemingly legitimate service confirmations.

The summer of 2025 is no exception. As more people head off on breaks, and companies operate with skeleton crews, phishing attacks are exploiting every opportunity to slip through the cracks.

What Does This Mean For Your Business?

What emerges from this summer’s phishing surge is a clear pattern of opportunism that cuts across both consumer and business behaviour. It seems that cyber criminals are not relying on sophisticated infrastructure or zero-day exploits. Instead, they seem to be exploiting timing, familiarity and human distraction. For UK businesses, especially smaller firms, this creates a persistent operational risk that does not end with the holiday season.

Attacks linked to fake bookings, delivery texts and invoice fraud are not only rising in volume but also in precision. Social engineering tactics have become more convincing, and the tools behind them more accessible. As the examples in this report show, scammers no longer need to breach systems to steal money or data, but they just need to catch someone at the wrong moment with the right message. This is particularly dangerous in summer when staff changes, out-of-office patterns and dispersed decision-making leave more gaps than usual.

The ongoing failure to implement email authentication standards such as DMARC, and the unreliable performance of mobile scam filters, suggest that many organisations are still relying on outdated or partial defences. Without investment in basic technical controls and regular user awareness training, UK businesses will continue to see preventable losses from phishing, whether in the form of misdirected invoice payments, stolen credentials or damaged trust.

For individuals, especially those booking holidays or expecting deliveries, the lesson is equally pressing. The presence of a recognisable brand or a plausible message is no longer a guarantee of safety. Personal vigilance, combined with public reporting and institutional support, will remain critical.

Looking ahead, the challenge is not just seasonal. Cyber criminals will continue to adapt their tactics to whatever events, platforms or behaviours dominate public attention. However, the summer phishing spike is a useful case study in how quickly attackers can exploit simple human habits, and how slow many defences still are to catch up. For both UK organisations and their customers, tackling phishing will require more than just summer warnings. It demands consistent, year-round resilience.