Booking.com Scam Is Spreading

Your Holiday Is At Risk: The Sophisticated Scams Targeting Travellers

Criminals are deploying highly convincing tactics, leveraging compromised hotel accounts and artificial intelligence to defraud holidaymakers. An urgent warning has been issued as reports of financial losses continue to climb, leaving travellers thousands of pounds out of pocket and eroding trust in online booking platforms.

After you reserve a hotel, a sense of excitement builds. You start anticipating a well-deserved break. Then, an unexpected message arrives. It alleges an issue occurred during payment and demands immediate action to keep your holiday reservation. The communication appears legitimate, arriving either within the official application for Booking.com or as a professional-looking email. Reacting quickly to avoid cancellation, many people provide their financial data, only to discover they have fallen victim to a sophisticated scam.

As the peak summer holiday season approaches, travellers fully expect to receive communications from hotels and booking agents. This period of heightened communication creates a perfect storm for fraudsters. They exploit the trust consumers place in these platforms. One prevalent scheme targets customers using Booking.com, a global leader in online travel reservations. The methods are so convincing that even vigilant travellers can be deceived.

The scale of this fraud is significant. Between the start of June in 2023 and the end of September in 2024, there were 532 reports of this specific deception filed with Action Fraud inside the UK. The total losses that victims reported amounted to a staggering £370,000. This highlights the urgent need for greater awareness. Experts believe the actual figures are likely much higher, as many incidents go unreported due to embarrassment or a lack of awareness about how to report the crime.

The Anatomy of the Scam

The fraud begins not with the traveller, but with the lodging's operator. Cybercriminals use targeted phishing attacks to infiltrate the hotel's account within the Booking.com system. These attacks often involve deceptive emails sent to hotel staff, perhaps referencing guest complaints or account verification needs, which trick employees into revealing their login credentials. Once inside the system, fraudsters have access to genuine booking details, including guest names, stay dates, and contact information. This access is key to their success.

Armed with this legitimate information, the criminals then contact the guests. They often use the platform's own messaging service, which adds a layer of authenticity to their communications. The message might also come via a WhatsApp message or a professionally crafted email that perfectly mimics Booking.com’s branding. Since the message contains correct personal and booking information, the recipient has little reason to suspect it is fraudulent. The usual red flags, like unfamiliar email addresses, are absent.

The criminals create a sense of urgency. Their message will typically claim a problem happened with the original payment or that your card information requires reverification for security. To pressure the victim, they often impose a tight deadline, threatening to cancel the reservation within hours if the person does not take the requested action. A link is provided, directing the traveller to a fraudulent payment page that looks identical to the real thing. Unwittingly, the victim enters their banking information, and criminals then harvest it for financial theft.

Image Credit - Perception Point

The Escalating Threat of AI

The increasing prevalence of artificial intelligence has made these scams even more potent. Cybercriminals now use AI to craft phishing emails and messages that are grammatically perfect and highly convincing, eliminating the spelling and grammar errors that were once tell-tale signs of fraud. AI can analyse vast amounts of data to personalise messages, making them appear more legitimate and increasing the likelihood of success. Some reports indicate a 1,265% increase in malicious phishing emails since the widespread availability of generative AI tools.

This technological advancement allows fraudsters to automate and scale their attacks, targeting hundreds of people simultaneously with customised messages. Booking.com has acknowledged the growing challenge, stating that online scams are increasingly targeting e-commerce businesses, with AI enabling criminals to create more sophisticated deceptions. The company has invested in its own AI and machine learning technologies to detect and block threats, but the battle is ongoing as fraudsters continuously evolve their tactics.

Beyond text-based scams, AI poses a future threat through deepfake technology. This allows for the creation of hyper-realistic videos and voice clones that are almost indistinguishable from the real thing. While not yet widely reported in deceptions targeting Booking.com users, the potential for criminals to impersonate hotel staff on video calls or leave convincing voice messages presents an alarming future risk for the travel industry. A recent deepfake scam in the corporate world saw a finance worker tricked into transferring $25 million after a video call with a "deepfake" of his chief financial officer.

A Global Problem

The international nature of platforms like Booking.com means this scam affects travellers worldwide. It is not confined to a single country or region. Regulatory bodies in several nations, Australia among them, have issued warnings to their citizens about this specific issue, underscoring its global reach. The consequences for victims are not just financial. The emotional distress of having a long-awaited holiday ruined can be significant.

Consumer champions have also raised concerns about the security measures on some booking platforms. An investigation by a leading consumer group found that it was possible to list a fake holiday home on Booking.com in under 15 minutes without providing identity verification. This lack of robust checks could leave the platform "wide open" to fraudsters. In the summer of 2024, a search of Booking.com reviews for the word "scam" revealed hundreds of complaints from customers who had paid for non-existent accommodation.

While Booking.com stated that many of these were not scams but owners who had failed to update their availability, the impact on the traveller was the same: a ruined holiday and a difficult battle for a refund. This highlights a potential gap in platform accountability and the need for more stringent verification processes for hosts.

How to Protect Yourself

Vigilance is the primary defence against these scams. Travellers should treat any unsolicited request for payment or financial details with extreme caution, even if it appears to come from a legitimate source. Resisting the pressure to act immediately is crucial. Scammers rely on creating panic to make their victims act without thinking. Before taking any action, take a moment to verify the request.

First, check the accommodation's payment policy on your original booking confirmation. Booking.com advises that if no pre-payment or deposit was outlined in the policy, any subsequent request for one is probably fraudulent. Never click on links in suspicious messages. Legitimate payments will always be handled through the official Booking.com digital portal or its mobile application, not via an external link sent in a message.

If you have any doubts, get in touch with the hotel or rental's management directly using the contact details from their official website, not the ones provided in the suspicious message. It is also advisable to contact Booking.com’s 24/7 support staff to report the message and verify its authenticity. Forwarding suspicious emails and fraudulent text messages to the relevant authorities can help them track and combat these scams.

Image Credit - Forbes

Steps to Take If You Are a Victim

If you believe you have fallen for a scam and have provided your banking information on a fraudulent website, the first and most important step is to contact your bank or the company that issued your credit card immediately. They can block your card to prevent any further financial loss and may be able to reverse the fraudulent transaction. Reporting the incident to national fraud and cybercrime reporting centres is also essential. This helps build a clearer picture of the scale of the problem and provides valuable intelligence to law enforcement agencies.

Under UK law, protection may be available if you used a credit or debit card for payment. Section 75 of the Consumer Credit Act makes the firm that issued your credit card jointly liable for any breach of contract or misrepresentation by the retailer or trader. This means you can claim your money back from them if you paid more than £100. For debit card payments, you may be able to use the Chargeback scheme, although this is not a legal requirement and is at the discretion of your bank.

Finally, remember to report the scam to the platform where it occurred. While their systems may not be foolproof, they have a vested interest in removing fraudsters and improving security. By reporting the incident, you can help protect other travellers from falling victim to the same crime. The fight against travel fraud requires a collective effort from consumers, platforms, and law enforcement to ensure that everyone can book their holidays with confidence.