Agoda Nightmare: Falling Victim to the Booking.com Phishing Scam

I am very vigilant about avoiding scams and identity theft. I take extra care with my passwords, avoid clicking random Facebook links, and exercise caution in all aspects of my online life. Despite all my efforts, I recently fell victim to the Booking.com scam, one that has been recurring for about five years. To defend myself, it’s important to note that this wasn’t entirely my fault.

In this scam, it appears that Booking.com’s data has been compromised, as cybersecurity experts at Perception Point reported. This compromise seems to be ongoing. Through whatever vulnerabilities exist, scammers have gained access to Booking.com’s hotel client information, including names, booking dates, hotel specifics, and payment methods.

The scammers then exploit this data by sending messages to individuals with upcoming bookings. They claim that their reservations are at risk of cancellation within a day unless they verify their credit card details. To make this more convincing, they direct the victims to a fake landing page resembling Booking.com’s official website.

The message appears to come from the hotel, adding credibility to the ruse. Furthermore, the landing page is pre-filled with some of the victim’s personal information, making it even more convincing. Researchers believe this incident might be part of a larger pattern, with past infostealing campaigns targeting the accommodation industry.

Booking.com is one of the largest online travel agencies. It is headquartered in Amsterdam and is a subsidiary of Booking Holdings, which had US$17.1 billion in revenue in 2022 and also owns Agoda.com, Cheapflights, Kayak.com and Priceline.com.

Here’s how the drama unfolded for me:

Last August, I booked a hotel in Italy for this week through Agoda.com, and I received confirmation through Agoda in the Agoda app.


Then, I got detailed information about my booking and arrival details from the hotel in the Agoda app. All was normal.

A week before my check-in, however, I received a message from the hotel through the Agoda app, warning me that my credit card needed to be updated, or my booking would be cancelled.

I have emphasised that all of this occurred in the app because Agoda keeps telling customers that this is the safest way of communicating.

My instincts told me something wasn’t right. The hotel then sent another message through the app, reiterating the potential cancellation. They provided a payment link, but it was indecipherable, and my own security settings likely marked it as suspicious.

I reached out directly to Agoda to confirm the email’s authenticity. I expressed my doubts about the link’s genuineness, but Agoda assured me that the message was indeed authentic.

They verified that it was coming from the hotel directly through their app, and they supplied the payment link to a Booking.com payment page.

Agoda explained that Booking.com was the actual supplier and that the hotel required my payment information.

Following Agoda’s advice, I made a payment of 94 euros using the link they provided (see above). I authorised that transaction of 94 euros. Of course, I had actually been directed by Agoda themselves to a scam site that made it look like I was on Booking.com. The scammers attempted multiple unauthorised debits, eventually succeeding in taking 427 euros. I felt (1) like an idiot and (2) very angry with Agoda.

I took immediate action:

  1. I investigated the booking link provided by Agoda.com more closely and realized it was indeed a masterful imitation of Booking.com.
  2. I contacted my bank, which promptly froze my card.
  3. I reached out directly to the hotel (not through the Agoda app), which quickly confirmed that the emails were not legitimate.
  4. I contacted Agoda, who initially seemed to think it was a simple hotel error.

I continued to receive emails from both the scammers and Agoda through the Agoda app. The correspondence has become so intertwined that distinguishing legitimate from illegitimate is daunting.

To add insult to injury, Agoda then cancelled my original booking! I had to rebook directly with the hotel.

Lessons Learned that I suggest you follow

  • Do not use Agoda or Booking.com until the leak situation is fixed.
  • Stay Extra Vigilant: Exercise caution when receiving emails and social media messages from hotels, especially those conveying urgency and demanding immediate action. Such messages are usually going to be part of this widespread scam affecting numerous hotels. If an email or communication seems dubious, I need to trust my instincts.
  • Direct Contact: When in doubt, contact the accommodation provider (which I did not do) directly to confirm any unusual or potentially fraudulent communication, even when the booking provider assures you that the payment process is legitimate.
  • Beware of Deceptive Imitations: Scammers can craft remarkably persuasive imitations of legitimate websites. Always double-check the website’s URL and look for signs of deceptive pages.
  • Seek Immediate Resolution: In the event of a scam, reach out to the booking platform without delay and insist on the engagement of their fraud department. This is the stage I am at.

Has anyone else been phished in this way?

Comments

  1. It just happened to me too. They sent me the link via the Agoda app, but my phone and my computer don’t show any link, so I can’t click it. Did you already mail Agoda service?
