I travel for a living, yet I nearly fell for this common booking scam
Robert Jackman
When you travel for a living, you pride yourself on being able to spot travel scams from a mile away. You certainly don’t expect to almost fall for one and give your credit card information to a Russian hacker in the process. Consider my story a timely warning as the January holiday booking season approaches.
In my defense, this particular scam was probably the most sophisticated scam I have ever seen. At the very least, the criminals running this were able to target me using personal information I had supposedly provided safely and securely to Booking.com.
How did they get this information in the first place? It turns out that fraudsters stole the password for a Dubai-based hotel on Booking.com and used it to review the contact information of customers like me who booked on the platform.
The scam started a few days after I made the reservation when I received a polite WhatsApp message claiming to be from the hotel manager. It said there was a problem with my credit card details and that I needed to sign in to Booking.com to confirm them.
When I clicked on the link in the message (starting with booking.confirmstay.com), I was directed to a web page similar to one I’d seen many times before. To make it even more convincing, the details of my private account and booking were filled in, as if I had already logged in.
Of course, this site was actually a complete scam. Instead of a legitimate website, it was almost identical to the real Booking.com web page. Most importantly, it was also filled with identical text fields that would forward any information entered (including my credit card information) to the criminals who set the trap in the first place.
As impressive as the scam is, I realize it still raises some questions. First is the obvious: What was I doing opening a WhatsApp link, given that hotel platforms warn you not to do so?
So I throw my hands up in the air. But I have to say, having traveled to Dubai and Abu Dhabi many times, I know how absolutely everyone in this part of the world uses WhatsApp for business. I’ve received completely legitimate messages like this from hotels and airlines over the past few years.
Then there’s the bigger question: How did the scammers get their hands on my personal information? I definitely don’t have the answer to this question, and it also raises serious questions about how secure Booking.com actually is.
What is almost certain (though Booking.com doesn’t say either way) is that hotel staff were tricked into handing over their business account login details via a clever phishing email. Once the criminals received this information, they could stay in the account as long as they wanted and collect personal information of everyone who made a reservation.
Since Booking.com processes all payments directly, the fraudsters were not able to see my credit card information. So they used the personal information they had about me (like my name and email) to create a custom scam website designed to trick me into handing over the final pieces of the puzzle.
How often does this happen? Quite a lot, from the sound of it. Consumer experts at UK consumer site Which? say one in 10 Booking.com users report receiving a scam message via text or email.
Can the platform do more to stop this? One option would be to require all hotel accounts to use two-factor authentication (which means a text must be sent to their phone to sign in, as with online banking). However, at this time this is only recommended and not mandatory.
Can Booking.com detect accounts that may have been compromised? When I examined the scam site in detail, I found fragments of Russian text in the source code. Surely, accessing the account of a hotel in Dubai from nearly 5,000 kilometers away should be a sign that something was wrong?
When I put these questions to Booking.com, it refused to comment. It also declined to say what its policy would be if customers actually fell for the scam or what steps it would take to secure the accounts of hotels targeted by criminals. In short, it wasn’t very useful.
Under these circumstances, it is difficult to see how this problem will go away in the near future. At least AI now makes it easier for scammers to create professional-looking emails in seconds; this is something consumer groups have been sounding the alarm about for more than a year.
In the meantime, I recommend that everyone using booking platforms be extremely careful. There’s a reason you’re warned not to respond to messages sent from outside the platform, and I almost learned that lesson the hard way.
Telegraph, London