Scammers trick Booking.com users via in-app chat | campus.sg


In a concerning trend, Booking.com customers have become a popular target for scams in 2023, with fraudsters exploiting the platform to deceive unsuspecting users. With so many people itching to travel after multiple pandemic lockdowns, a number of users have been tricked into handing over their personal and banking details in order to secure their hotel bookings.

Since the start of 2023, scammers abusing the online reservation platform's in-app messaging function have victimised more than 30 people in Singapore, with collective losses of approximately S$41,000 since September. Because Booking.com is a global platform, the scam has spread around the world; guests of at least 68 hotels in Japan have been affected. According to numerous news reports, the scam was still circulating as of December.

How it works

In the Booking.com phishing scam, criminals send victims links to fraudulent websites that prompt them to divulge personal and financial information, including one-time passwords and credit card details.

Those affected had an upcoming check-in at a hotel they had reserved through Booking.com's website or app. They received an email, delivered from the official noreply@booking.com address, warning that their stay might have to be cancelled unless they supplied their bank card details via an embedded link. The messages were written by scammers posing as the hotel's representatives on Booking.com: they announced that the guest's booking would be cancelled unless the guest verified their credit card or payment details through the deceptive link.

Based on screenshots of similar fake Booking.com messages sent to victims around the world, the link always contained the word 'booking', but each victim received a different link address. What makes these links hard to spot is that the fraudulent page mirrors Booking.com's payment interface, so victims struggle to tell it apart from the real one.
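The pattern described above (a link that contains the word 'booking' but points somewhere other than booking.com) is exactly what a user, a mail filter or a hotel's help desk can check for mechanically. The following is an added example, not code from the article or from Booking.com: it extracts every URL from a message body and flags hosts that merely contain the brand name without being under the real booking.com domain. The sample messages and the lookalike host names (all under the reserved `.example` TLD) are constructed for this example and are not real scam infrastructure; `registrable_domain` is a deliberate simplification that takes the last two labels of a host name instead of consulting the Public Suffix List.

```python
"""
Flag message links that look like Booking.com but resolve to another domain.

Added example (not from the article or from Booking.com). The sample messages
and host names below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# The only registrable domain the check treats as genuine. Subdomains such as
# secure.booking.com pass; anything else that merely contains the word
# "booking" is flagged as a lookalike.
LEGITIMATE_DOMAIN = "booking.com"
BRAND = "booking"

# Matches http(s) URLs up to the next whitespace or HTML/quote delimiter.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name (e.g. 'booking.com').

    Simplification: no Public Suffix List, so 'example.co.uk' would reduce to
    'co.uk'. That is sufficient to separate booking.com from lookalikes here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Classify one URL as 'legitimate', 'lookalike' or 'other'.

    'lookalike' means the brand name appears in the host or path, but the
    registrable domain is not booking.com, e.g. booking.com.payments.example.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if registrable_domain(host) == LEGITIMATE_DOMAIN:
        return "legitimate"
    if BRAND in host or BRAND in parsed.path.lower():
        return "lookalike"
    return "other"


def flag_message(text: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every URL found in a message body."""
    results = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")  # drop sentence punctuation glued to the URL
        results.append((url, classify_url(url)))
    return results


def has_lookalike(text: str) -> bool:
    """True if any link in the message is a brand lookalike."""
    return any(verdict == "lookalike" for _, verdict in flag_message(text))


# Constructed sample messages, modelled on the pattern the article describes:
# urgency, a cancellation threat and a "verify your card" link.
SAMPLE_MESSAGES = {
    "scam": (
        "Your reservation will be cancelled within 24 hours unless you confirm "
        "your payment card at https://booking-guest-verify.example/secure/12345."
    ),
    "scam_subdomain_trick": (
        "Please verify your booking: https://booking.com.payments.example/verify"
    ),
    "benign": (
        "Thanks for your booking. You can manage it any time at "
        "https://secure.booking.com/myreservations?id=12345 or view the area "
        "map at https://maps.example/hotel"
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name}: lookalike={has_lookalike(body)}")
        for url, verdict in flag_message(body):
            print(f"  {verdict:10s} {url}")
```

The `booking.com.payments.example` case is the one worth remembering: the link visibly starts with "booking.com", yet the registrable domain is something else entirely, which is why the check compares the last two labels rather than looking for the brand name anywhere in the string. Links without a scheme (bare `booking.com-verify.example`) are not matched by `URL_RE` and would need a second pass.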

Certain hotels have become aware of the scammers’ tactics and sent messages to their customers immediately following such attempts.

What happened?

Booking.com representatives have stated that this is not a breach of Booking.com's backend systems; they attribute the scams to malicious third parties hacking into partner hotels' accounts. Hoteliers are reportedly aware of the situation and have been complaining about the problem.

Staff at Hotel de Colegio have said that although the fraudsters logged into the hotel's account on the booking app with its login credentials, the hotel did not receive any SMS or sign-in notification.

According to experts, the scam unfolds in two phases, starting with the hotels themselves being targeted by scam emails from the fraudsters. The email contains a link to a Google Drive file carrying malware called Vidar Infostealer. The most common lure is to pose as a guest who left valuable belongings behind during their stay, then send an email with a Google Drive link that supposedly shows an image of the misplaced item. Once a hotelier opens the Drive link, the criminals gain access to the hotel's Booking.com account portal.

From there, the scammers can target that hotel's customers.

It's a well-designed scam that less tech-savvy people would find very difficult to identify. Once users key in their personal and banking details, the fraudsters sell the information on the dark web. According to cybersecurity firm Secureworks, Booking.com credentials are being sold on dark web forums for up to USD2,000 (SGD2,647).

What can you do?

The simplest advice is not to click links to external sites in such messages. If in doubt, contact the hotel directly using the official contact details listed on its own website.

If there’s been a fraudulent transaction, report it to your bank immediately.