Agoda Nightmare: Falling Victim to the Booking.com Phishing Scam

I am very vigilant about avoiding scams and identity theft. I take extra care with my passwords, avoid clicking random Facebook links, and exercise caution in all aspects of my online life. Despite all my efforts, I recently fell victim to the Booking.com scam, one that has been recurring for about five years. To defend myself, it’s important to note that this wasn’t entirely my fault.

In this scam, it appears that Booking.com’s data has been compromised, as cybersecurity experts at Perception Point reported. This compromise seems to be ongoing. Through whatever vulnerabilities exist, scammers have gained access to Booking.com’s hotel client information, including names, booking dates, hotel specifics, and payment methods.

The scammers then exploit this data by sending messages to individuals with upcoming bookings. They claim that their reservations are at risk of cancellation within a day unless they verify their credit card details. To make this more convincing, they direct the victims to a fake landing page resembling Booking.com’s official website.

The message appears to come from the hotel, adding credibility to the ruse. Furthermore, the landing page is pre-filled with some of the victim’s personal information, making it even more convincing. Researchers believe this incident might be part of a larger pattern, with past infostealing campaigns targeting the accommodation industry.

Booking.com is one of the largest online travel agencies. It is headquartered in Amsterdam and is a subsidiary of Booking Holdings, which had US$17.1 billion in revenue in 2022 and also owns Agoda.com, Cheapflights, Kayak.com and Priceline.com.

Here’s how the drama unfolded for me:

Last August, I booked a hotel in Italy for this week through Agoda.com, and I received confirmation through Agoda in the Agoda app.


Then, I got detailed information about my booking and arrival details from the hotel in the Agoda app. All was normal.

A week before my check-in, however, I received a message from the hotel through the Agoda app, warning me that my credit card needed to be updated, or my booking would be cancelled.

I have emphasised that all of this occurred in the app because Agoda keeps telling customers that this is the safest way of communicating.

My instincts told me something wasn’t right. The hotel then sent another message through the app, reiterating the potential cancellation. They provided a payment link, but it was indecipherable, and my own security settings likely marked it as suspicious.

I reached out directly to Agoda to confirm the email’s authenticity. I expressed my doubts about the link’s genuineness, but Agoda assured me that the message was indeed authentic.

a screenshot of a chat

They verified that it was coming from the hotel directly through their app, and they supplied the payment link to a Booking.com payment page.

a screenshot of a customer service

Agoda explained that Booking.com was the actual supplier and that the hotel required my payment information.

a chatbot with yellow emojis

Following Agoda’s advice, I made a payment of 94 euros using the link they provided (see above). I authorised that transaction of 94 euros. Of course, I had actually been directed by Agoda themselves to a scam site that looked like Booking.com. The scammers attempted multiple unauthorised debits, eventually succeeding in taking 427 euros. I felt 1. like an idiot and 2. very angry with Agoda.

I took immediate action:

  1. I investigated the booking link provided by Agoda.com more closely and realized it was indeed a masterful imitation of Booking.com.
  2. I contacted my bank, which promptly froze my card.
  3. I reached out directly to the hotel (not through the Agoda app) who quickly confirmed that the emails were not legitimate.
  4. I contacted Agoda, who initially seemed to think it was a simple hotel error.

I continued to receive emails from both the scammers and Agoda through the Agoda app. The correspondence has become so intertwined that distinguishing legitimate from illegitimate is daunting.

To add insult to injury, Agoda then cancelled my original booking! I had to rebook directly with the hotel.

Lessons Learned that I suggest you follow

  • Do not use Agoda or Booking.com until the leak situation is fixed.
  • Staying Extra Vigilant: Exercise caution when receiving emails and social media messages from hotels, especially those conveying urgency and demanding immediate action. Such messages are usually going to be part of this widespread scam affecting numerous hotels. If an email or communication seems dubious, I need to trust my instincts.
  • Direct Contact: When in doubt, contact the accommodation provider (which I did not do) directly to confirm any unusual or potentially fraudulent communication, even when the booking provider assures you that the payment process is legitimate.
  • Beware of Deceptive Imitations: Scammers can craft remarkably persuasive imitations of legitimate websites. Always double-check the website’s URL and look for signs of deceptive pages.
  • Seek Immediate Resolution: In the event of a scam, reach out to the booking platform without delay and insist on the engagement of their fraud department. This is the stage I am at.
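
An added example, not part of the original post: a small Python check for two signals readers describe in the comments below, look-alike (Cyrillic) letters mixed into Latin words and a link whose host is not the booking site's own domain. The expected-domain list, the function names and the sample message and link are assumptions constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Assumption: the sites the booking was actually made through.
EXPECTED_DOMAINS = {"agoda.com", "booking.com"}

# Constructed samples: \u0430 and \u043a are Cyrillic letters that look like
# Latin "a" and "k"; the link uses a reserved .test placeholder host.
SAMPLE_MESSAGE = "th\u0430n\u043a you, please use the direct lin\u043a"
SAMPLE_LINK = "agoda.offer-example .test/confirm"

def script_of(ch):
    """Coarse script label derived from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return None  # digits, underscore, other scripts

def mixed_script_words(text):
    """Words that combine scripts, e.g. Latin with Cyrillic look-alikes.
    A word spelled entirely in one script is not flagged."""
    flagged = []
    for word in re.findall(r"\w+", text):
        scripts = {script_of(c) for c in word} - {None}
        if len(scripts) > 1:
            flagged.append(word)
    return flagged

def host_matches(link, expected=EXPECTED_DOMAINS):
    """True only if the host is an expected domain or a subdomain of one."""
    url = re.sub(r"\s+", "", link)  # rejoin a link that was split by a space
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in expected)

def review(text, link):
    """Reasons to verify a booking message with the hotel before paying."""
    findings = []
    words = mixed_script_words(text)
    if words:
        findings.append("look-alike letters in: " + ", ".join(words))
    if re.search(r"\s", link.strip()):
        findings.append("link has to be reassembled by hand")
    if not host_matches(link):
        findings.append("link host is not an expected booking domain")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_MESSAGE, SAMPLE_LINK):
        print("-", finding)
```

A clean result is not proof of legitimacy: in this case the scam link was delivered and vouched for through the real app, so confirming directly with the hotel remains the deciding check.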

Has anyone else been phished in this way?

Comments

  1. It just happened to me too. They sent me the link via the Agoda app, but my phone and my computer don’t show any link, so I can’t click it. Did you already email Agoda service?

  2. It happened to me too this morning in Japan with an email I received this morning from Agoda (or at least from an almost perfect imitation of their site), but I had suspicions and did not click on the link provided and contacted the hotel by email with the booking reference. Now waiting for an answer from the hotel.
    Seeing that this happened to you in October and to me in December, it looks like they are unable to fix their problem …

  3. I just got a very similar email in Feb 2024.
    It is a little concerning that this is still happening! I emailed the hotel directly based on your article.
    Thank you for your effort to detail your experience.

  4. Exactly the same thing with me today! Agoda “fake” sent an email threatening to cancel my reservation if I would not pay through the link they provided “before 22:11” tonight. Fortunately I did not click the link, but when I tried to inform the hotel, the phone receiver said I should contact Agoda. I replied to Agoda and sent a message through the app; no one answered. Now Agoda cancelled my reservation, but the app showed that the booking was cancelled by me. So far they have not charged my money yet, but I am afraid they would do so later, and accuse me of a no-show or late cancellation or something. What else would they not dare to do?

  5. I was a victim of this exact same matter today.

    I lost 707 Australian dollars; they charged me 40000 KGS, which I know is a strange currency, so I contacted Agoda immediately and also crypto.com visa card, which I used to settle this payment.

    I do not know if they are going to compensate me for anything or if the bank is able to stop this transaction immediately. I wish something can be done because this message came directly from the hotel property messenger through Agoda APP.

  6. I was a victim of this too on 25th March 2024. I am from Indonesia.
    Has anyone here tried complaining to Agoda directly?
    Because the message was indeed from the Agoda app.
    They got KGS 40.000,- from me; now trying to dispute with my credit card company.

    Maybe there’s a class action suit against Agoda for this problem?
    I know there are many others who got this scam, as reported on the Straits Times Singapore website.

  7. Was your bank able to dispute the charge for you?

    My bank was not willing to because I already verified the OTP for this transaction, therefore they cannot dispute the charge as an unauthorised transaction.

    I now have to continue to escalate this matter with Agoda; they have not yet got back to me.

    Just want to ask, based on experiences like this that you have had, did Agoda compensate you with anything?

  8. I experienced similar things. The hotel that I have an upcoming reservation with sent me a message through Agoda’s messaging system saying Agoda’s rules had changed and I need to reconfirm my credit card info within 24hrs, and I was given a URL (with a space in between, so I need to actually copy the URL, remove the space and go to that link myself).
    I contacted Agoda customer service right away. And they dared to tell me they actually sent it out due to technical issues, but strongly advised me not to open the URL. Ha! How lame it is that they even try to cover it up.

  9. I fell victim too and felt like a complete idiot.
    Here is the message I received through the property message in Agoda. The message appears to be sent out from the property and I wasn’t suspicious at all; furthermore it says that it is to confirm my card and it will be refunded. Notice the letter “k” in the message is not your typical “k”.

    “Неllо, dеаr __ !
    Duе tо uрdаtеs in thе Аgоdа rulеs, in оrdеr tо соnfirm yоur reservation and guarantee your arrival, we ask you to additionally confirm уour card. If you refuse to confirm your card we will send you a request to cancel yоur rеsеrvаtiоn, thаnк yоu fоr yоur undеrstаnding.
    Funds аrе rеsеrvеd thrоugh thе bооking guarаntее systеm аnd will bе rеturnеd tо yоur саrd within 5 minutеs оf rесеiрt.
    То vеrifу аnd соnfirm yоur rеsеrvаtiоn, рlеаsе usе thе dirесt linк

    We thаnk you fоr your understanding and lооk forward to your imminent arrival.
    Уоu havе 24 hоurs to cоnfirm.То vеrifу уоu nееd tо соpy thе linк bеlоw. Раste it intо аnу соnvеniеnt brоwsеr

    Linк → agoda.offerxxxxxx”

    I foolishly paid 16,000 KGS by keying in the OTP received (the amount was similar to my hotel stay). Then the page loaded very slowly and the same page asked for an OTP again. This time, I got the OTP on my phone but it said it was for the payment of 40,000 KGS. Only then did I start becoming suspicious and found this blog.

    I don’t think I will get back the money as this is an authorised transaction by me.

  10. Happened to me today. KGD 40.000 charges. I’m an Indonesian also. Reply from Agoda:
    “As mentioned, our internal team is doing their best to resolve this matter. At the moment what you can do is to contact your issuing bank to stop the transaction by raising to dispute the charges. If the bank insisted that Agoda should take action, please request them to provide us with the bank letter mentioning they are unable to dispute the charges.”
    The bank couldn’t do anything because I entered the OTP consciously, because the link was so convincing. Has anyone had their money returned? Please share it here. Thanks

  11. Received a similar message from notifications@agoda-messaging.com with details on booking information. Not sure how the scammer got the details; perhaps they managed to break into accounts.
    Got suspicious and contacted Agoda. Customer support said their system is not breached, repeating the same thing again and again, not to click the URL but not willing to say much. The customer support did suggest canceling that one booking, perhaps suspecting the hotel’s account is breached? I had to google and came upon this site to find out more. I am thinking if another partner’s or employee’s account is compromised/insider, this is a more serious problem affecting more than 1 booking. Thanks!

  12. Hey everyone, I’ve got some great news to share. I successfully managed to get my refund from Agoda.

    Here’s what happened: I first reached out to the property I had booked through email, and they confirmed that it was indeed a scam and that Agoda had been hacked. I immediately forwarded the screenshot of their response to Agoda’s customer service. Agoda was pretty sly; they promptly cancelled my booking and assured me that any charges made through Agoda would be refunded. But the main point is I wasn’t charged by Agoda, so they are just trying to sweep it under the carpet.

    There was a period where I couldn’t log in to Agoda to check my property messages, but when I regained access, the scam message had been removed. However, I already had a screenshot of it.

    In my correspondence with Agoda, I kept emphasising that my data privacy had been compromised on their platform, allowing the scammer to send messages posing as the property. This breach enabled them to access my travel details, card information, and phone number, facilitating the scam. I was scammed for 16,000 KGS. It is because of that I requested a refund due to my leaked data privacy from Agoda’s website.

    To support my case, I provided Agoda with all relevant screenshots of the scam transaction, including details of the fraudulent website. Ultimately, Agoda apologized for the inconvenience faced and agreed to refund the full amount charged by the scam link. I was given the option to receive the refund either through Agoda Cash or Hyperwallet, and I opted for the latter, of course. I got the refund within 2 working days.

    Hope this will help some of you to get your refund back. All the best!

  13. Hi J, thanks for the share!

    I am in the process of doing what you did. My charges were 2 x KGS 40,000.

    May I know how long it took from the 1st time you contacted Agoda customer service till they agreed to refund you the amount?

  14. Hi, the back and forth email replies took 3 days until Agoda agreed to refund the scammed amount. They sent me a link through Hyperwallet for the refund detail shortly after that.
    The following day I got an email to claim the refund and after submitting my details, I got the amount in my bank after 2 days.

  15. It happened to me too when I booked a hotel in Paris from 15th March – 22nd March. The property also sent me a couple of PMs, asking for a deposit payment, otherwise my reservation would be canceled. I did not follow that as per the policy on Agoda, so I called and confirmed with Agoda. Agoda confirmed that the booking was confirmed and the property owner was waiting for me. I was kinda relieved. However, on the day I arrived, there was no such property. It turned out to be a scam, while my card was fully charged for more than 1000 euros. I spent around 3 hours calling the Agoda CX team, but it was not resolved, and eventually, I had to rebook another hotel on the same day. Agoda promised to cancel free of charge, but nothing has happened since then. They asked me for a bank statement with all details of the merchant, day of transaction, amount, etc., which I provided. After a couple of days checking, they agreed to refund, but only 95% of the booking, which is still better than nothing for me, as I have been so fed up with them. However, after 1 week, I have not seen my money back. Such a lousy and irresponsible company. How can they let this happen right on their apps. Definitely, booking was done via booking.com too, but this shows that they are useless and they just want to get our money as much as they can.

  16. I wish I had read this earlier. I just fell victim to the same fraud: got a message from Agoda through email and apps, asking me to verify, otherwise the booking would get cancelled. Usually I am very suspicious about this kind of thing but the message looked legit since it came from the apps. And I panicked a bit because I got the bookings for my whole family. So I went to the link and now my CC got charged about €1,000. Now I’m still hoping either Agoda or my bank can refund me but I feel hopeless.

  18. Agoda chooses to ignore my emails after all the data (which they asked for) I’ve sent them, e.g. the screenshot of the scam link and the CC bank statements that prove I’ve been charged by the scammer and proof that I’ve asked the CC bank for the dispute letter. The CC bank won’t release such a letter because the transactions were authorized by me. Which makes sense. Agoda chooses to be a coward and doesn’t want to take responsibility for the customer data leaks that cause us customers material damage!

  19. It’s been a whole month since I started contacting Agoda claiming they should take responsibility for my financial loss; there’s still no progress.
    They keep “suggesting” that I dispute the charges with my banks in what seems to be a templated response.
    I think we should not let Agoda get away with this, and should take some kind of legal action against them! I am trying to find more victims and consult with a lawyer on what kind of action can be taken against them.
    I hope in the meantime the victims here keep notifications on in case there’s a new comment on this post.
    Thank you

  20. Hi,
    Agoda keeps choosing to ignore my email about this data leak stuff. So hopeless about this. Hope someone could sue this big corporation for what they caused.

  21. I expect this is the same people – I just managed to avoid a credit card scam – they were trying to send 1700 GBP to Agoda.com but I refused to read out the OTP when they called me pretending to be my credit card company’s fraud dept. It sounded like a ‘professional’ scammer.
