Hackers target travelers using third-party booking agency

It’s peak holiday travel season and scammers are at it again, but this time – they’re targeting people who use the popular third-party booking agency, Booking.com.

Within the last several weeks, customers who’ve either checked in for their hotel reservation or were soon to do so reported receiving emails from what appeared to be Booking.com’s communication system.

The emails threaten customers, suggesting their reservations may be canceled unless they supply their bank card information within hours, but what's so troubling about the scam is that it’s not that easily detected.

The result of a click gives hackers access to all the guests at a hotel using Booking.com.

"This is actually coming from Booking.com website," said Paul Oster. "It's their official messaging platform."

Oster is from Better Qualified, based in New Jersey, and believes the new threat for consumers is a result of an elaborate phishing attack where hackers target hotel employees first.

"They send an email to a staff member that looks like it’s coming from one of their guests and it says, ‘I left my passport in my room, here’s an image of the passport, and they click on it,'" Oster explained.

The result of the click gives hackers access to all the guests at the hotel using Booking.com. 

The urgent demands in the phony emails are meant to cause panic, but the urgent tone itself should be a red flag, according to Clint Henderson, with The Points Guy.


Expedia unveils 2024 Air Travel Hacks

With more than half of Americans reportedly finding planning a trip more stressful than a dentists' visit, Expedia has released a new set of tips to help make traveling a easier, less stressful experience.

"Look for the email sender address," Henderson warned. "That sometimes can be a dead giveaway. Sometimes it won’t be a legitimate email or there will be grammar mistakes or spelling mistakes."

Even when the dead giveaways are absent in emails, the request for sensitive information just isn't common practice outside of the initial booking process, he said.

For those booking through the agency, if you receive an alert suggesting you give up your private information, experts suggest you contact the hotel directly to confirm your reservation is still in good standing.

In a statement to FOX 5 NY, a spokesperson for Booking.com said:

Safety and security is our top priority and we heavily invest in keeping our accommodation partners and customers safe, through dedicated technology and teams that monitor and block suspicious activity around the clock. While this is not a breach of Booking.com’s backend systems or infrastructure, rather a coordinated effort by attackers to commit fraud against both guests and accommodation partners by targeting them with phishing emails, we are acutely aware of the implications of such scams by malicious third parties to our business, our accommodation partners and our customers, who can fall victim to professional scammers. Our teams are working diligently to support our partners in securing their systems as quickly as possible and helping any potentially impacted customers accordingly, including with recovering any lost funds.

While there is no silver bullet to eradicate all fraud on the internet, our dedicated account security team is always monitoring and stopping new threats, as well as implementing new measures to assure the account security of both our customers and partners. This includes new security features to lock or block inactive partner extranet accounts, which is where we have seen fraudulent activity take place once scammers get unauthorized access to the hotel’s Booking account, after they have clicked-on phishing links and downloaded malware onto their own computer systems. Furthermore, if we detect suspicious activity on a hotel’s account then we take swift action, including immediately disabling the ability for links to be shared via messages on our platform, to help stop fraudulent requests for payments.

Phishing attacks continue to pose a significant challenge for travel and many other industries, with criminals using the dark web for years as a means to target consumers. While not unique to Booking.com, we remain fully committed to proactively helping our accommodation partners, who list their rooms on our platform from small independents to large hotel chains, to stay protected. We are supporting our accommodation partners by helping them understand what happened, and how they can help protect themselves in the future. We have been sharing tips with partners about how to keep their accounts secure, with a focus on offering guidance, support and training. We have also been continuously updating and expanding the dedicated cybersecurity advice hub for partners – to include more information on malware and phishing – so that our partners are as up to date as possible on the latest trends we’re seeing.

In terms of practical tips for customers, here are a few key things we recommend: 

  • Set up a two-factor authentication for your Booking.com account.
  • Carefully check the payment policy details outlined on the property listing page and in the booking confirmation. If a property appears to be asking for payment outside of what’s listed on their confirmation, reach out to our 24/7 customer service.
  • Remember that no legitimate transaction will ever require a customer to provide their credit card details by phone, email, or text message (including WhatsApp).
  • Utilize Booking.com's Trust and Safety Resource Center for information on how to stay safe online and report potentially suspicious activity.