Travellers using Booking.com are being warned not to fall for scam messages that appear to be from hotels they have booked through the platform, asking for their credit card details.
Customers all over the world have reported receiving the messages via the official [email protected] email address, as well as the messaging feature in the Booking.com mobile app.
Andrea of Christchurch, who requested her last name not be used so as not to attract more attention from scammers, told Stuff Travel she had been hit by the scam twice in one week, and initially almost fell for it.
She had used the platform to book hotels for an upcoming trip to Europe, and last Wednesday received an email that appeared to be from one of the properties, which said she needed to provide an “additional card verification” to finalise her reservation.
She was sent a link and told she had 24 hours to enter the details, or her reservation would be cancelled.
Andrea said she had previously messaged the property via the Booking.com app, and the messages showed up in the same chain.
“It all looked quite authentic.”
But she grew suspicious when she clicked on the link to enter her credit card details, and found it looked different to other online payment forms.
Have you been scammed? Email [email protected].
“It wasn’t working so I messaged back, and they said ‘you need to use Mastercard’. I thought, ‘that’s a bit weird’, and said, ‘I haven’t got one of those’.”
Before she got any further, she then received another message from the property, telling her not to enter any details as it was a scam.
Andrea said while no money had been taken, as she had clicked on the link, she contacted her bank to cancel her credit card, and changed her Booking.com password.
She also shared the message chain with her son, who works in IT, and agreed it was “very sophisticated”, but figured it was a security breach limited to that particular hotel.
But a week later, she was targeted again, receiving a message appearing to be from another property she had booked via the platform.
While the wording of this message was different, the request was the same, asking her to click on a link and provide a new payment method.
The message said this was a “mandatory process to prevent credit card fraud”, and that if she did not provide the details in 12 hours, her reservation would be cancelled.
This time Andrea messaged back asking the hotel to confirm the messages were a scam and that no further action was required.
A manager replied confirming its Booking.com account had been hacked, and that she did not need to submit any more details.
He also revealed she had not been the only one targeted, and that “quite a few” upcoming guests had been fooled into sending money. The hotel had alerted police to the fraud.
Andrea and her son then came across an article about the scam in The Guardian, which made them realise how widespread the issue was.
“Many of my friends use Booking.com all the time… people need to know about it,” she said.
“Now I can see the red flags… but initially, when I’m in the middle of a day’s work, and someone says ‘we have to verify this’, you go, ‘that’s fine’… and you just go ahead and do it.
“I think it would be very easy for people to get sucked into it.”
Booking.com has denied the problem is at their end, saying it’s the hotels that have been hacked.
“We have been made aware that some accommodation partners were recently targeted by phishing emails,” the platform said in a statement.
“While the security breach was not on Booking.com we know that the accounts of some of our accommodation partners were affected. It’s important to highlight that neither Booking.com’s backend systems or infrastructure have been breached in any way.”
Booking.com said it has teams dedicated to account security of both customers and accommodation partners, with “robust measures” in place.
“As a rule, it’s important to remember that Booking.com will never require customers to provide credit card details by text, message or email,” it added.
“Should customers have any questions or concerns about a payment message, we strongly recommend that they contact our customer service team, who are available 24/7 to support.”