Cyber threats facing every business traveller

When your laptop leaves the office, the risks travel with it. Make sure your company’s data is protected while you’re on the road.

Johannesburg – Cybercrime shows no sign of slowing in 2026, with attacks not only increasing in volume, but also in sophistication as criminals use AI to make their attacks harder to detect – and easier to fall for.

It’s a reality for everyone, but business travel creates a perfect storm of vulnerability: unfamiliar networks, distracted travellers and sensitive data in motion. Cybersecurity experts agree that the data carried by business travellers – names, addresses, credit card details, IDs and passport numbers – is like a goldmine for hackers.

And the stakes are high. Statista predicts that global cybercrime losses will reach 15.63 trillion U.S. dollars by 2029. As an example, South African telecoms operators were hit hard in 2025, with Comric reporting that the industry “absorbed R5.3bn in fraud and cyber losses” last year alone.

Herman Heunes, GM of Corporate Traveller South Africa, says every employee who boards a flight with a company laptop, logs into hotel Wi-Fi, or approves a transaction from an airport lounge is at risk.

The threats you’re most likely to encounter

Public Wi-Fi remains the most immediate risk on the road. Whether it’s the airport lounge, a hotel lobby or a conference centre network, these connections are a playground for cybercriminals looking to intercept sensitive data. Bluetooth connections are similarly exposed, a detail many travellers overlook while focused on getting online quickly. Modern Bluetooth can reach up to 100 metres, meaning attackers don’t need to be beside you or even visible to you. In public spaces like airports and co-working cafes, ‘bluejacking’ and ‘bluesnarfing’ are a very real threat.

Phishing is still the entry point of choice. Phishing defence specialist Cofense estimates 91% of successful cyberattacks start with a phishing email – and for a traveller receiving a flood of booking confirmations, itinerary updates and hotel offers, a convincing fake is easy to miss. In 2025 and 2026, these attacks have become significantly harder to spot, with criminals using deepfake technology and AI-generated content to deceive even the most vigilant among us.

But business email compromise (BEC) is where things get expensive. In these attacks, hackers impersonate executives or trusted partners to redirect funds or extract sensitive information. Travelling executives who are approving decisions remotely – often quickly, sometimes in noisy environments – are especially susceptible.

Then there are deepfakes, which represent the fastest-evolving threat on this list. Fraudsters are now using deepfake video and audio to impersonate senior executives on live calls, leading to unauthorised transfers of funds. Scarily, a traveller on a video call with what appears to be their CFO may not be talking to their CFO at all.

Don’t overlook airport charging stations either. Public USB ports can be compromised in a tactic known as “juice jacking,” where malware is silently installed on connected devices. And ransomware has evolved beyond data encryption into extortion campaigns that threaten to expose sensitive information publicly if ransoms aren’t paid.

AI tools themselves present a different risk. When travelling, it’s tempting to use common AI platforms to summarise documents, draft emails or plan meetings – but entering sensitive information into public AI platforms can expose confidential data. In South Africa, this has direct legal implications: the Protection of Personal Information Act (POPIA) places strict obligations on how personal data is handled, stored and shared. This is your reminder to never upload traveller details, client information or financial data into AI tools, and always follow your organisation’s POPIA protocols when working with data of a personal nature.

“Any cyberattack is stressful,” says Heunes. “But for small businesses it’s devastating. One successful attack can drain millions from your company’s accounts, and smaller businesses might never recover from that kind of financial loss. Obviously, you need to do a full security audit on your software and systems to see where you’re vulnerable, but you also need to train your team to spot red flags and mitigate their risks – especially when on the road.”

It’s a view that puts travel managers squarely in the frame, not just as policy-setters, but as the first line of defence. Cybersecurity briefings, Heunes argues, should be as standard a part of pre-travel admin as visa checks and travel insurance.

What travellers should do

• Password-protect your laptop. It seems simple, but if your device is lost or stolen, it’s the difference between an inconvenience and a full company data breach.
• Always use a VPN. A virtual private network encrypts your internet activity, protecting passwords and payment details even on public Wi-Fi.
• Enable multi-factor authentication (MFA) on all corporate accounts before departure.
• Avoid public USB charging points. Carry your own cable and use a wall outlet or a personal power bank instead.
• Update all devices before you leave. Automated scanning tools can identify unpatched systems within hours of a vulnerability being disclosed – don’t give attackers that window.
• Verify before you act. If an instruction to transfer funds or share sensitive data arrives while you’re on the road, confirm it via a separate channel – not the same email thread.
• Treat hotel Wi-Fi like public Wi-Fi. Even password-protected hotel networks can be compromised.
• Be POPIA-aware when using AI tools on the road. Never upload personal, financial or client data into public AI platforms – this may constitute a data breach under South African law, regardless of where you’re travelling.

What travel managers should do

• Build cybersecurity briefings into pre-travel protocols. Travellers should know the risks before they reach the departure gate.
• Ensure all company devices are patched, encrypted and VPN-ready before any trip. Don’t leave this to the individual.
• Establish clear verification procedures for financial approvals that remain in force when the approver is travelling.
• Train travellers to recognise deepfake red flags and instruct them to confirm video call participants through a secondary channel when approvals or sensitive information are involved.
• Include AI tool usage in your data compliance policy. Employees should know which platforms are approved for business use and understand that uploading sensitive data into public AI tools may expose the company to legal liability under POPIA.
• Consider a clean device programme for high-risk destinations: loan devices with no stored company data, used only for the duration of the trip.

“The good news is that cyber resilience is achievable,” says Heunes. “It requires preparation and education – and a recognition that the moment an employee leaves the office, their cybersecurity habits impact the entire company.”

-ENDS-

MEDIA CONTACT

For more information about Corporate Traveller, or to interview Corporate Traveller South Africa GM Herman Heunes, call Sonnette Fourie on 081 072 2869 or email sonnette@bigambitions.co.za.    

About Corporate Traveller

Corporate Traveller is a division of the Flight Centre Travel Group, dedicated to saving businesses across Southern Africa time and money. Corporate Traveller has the benefit of being part of the world’s third-largest travel retailer, leveraging its global negotiating strength. It has access to over 50 of the world’s leading airlines and deals with more than 100 000 hotels around the world to guarantee savings for clients. Corporate Traveller provides clear, consolidated reporting of all its clients’ travel activities, helping them to control travel spend and identify opportunities to save costs.

Issued by:

Big Ambitions

Sonnette Fourie

sonnette@bigambitions.co.za

+27 81 072 2869