ESET Expert

Don’t get stung by these common Booking.com scams



From sending phishing emails to posting fake listings, here’s how fraudsters hunt for victims while you’re booking your well-earned vacation.


Booking.com has become one of the main go-to platforms for travelers looking for holiday accommodation deals, but also for services like car rentals and airline tickets. In fact, it is the most visited travel and tourism website worldwide, having processed more than a billion bookings in 2023, double the number recorded in 2016.


Obviously, its popularity hasn’t escaped the attention of cybercriminals, who invariably flock to online services with high traffic. Vacation booking websites are a highly lucrative hunting ground for victims.


Booking.com itself has acknowledged the magnitude of the problem and said that it has seen a staggering “500 to 900% increase” in travel scams in the past 18 months – and that this increase is largely driven by cybercriminals’ misuse of tools such as ChatGPT since November 2022.


With vacation season in full swing, let’s review some of the most common scams exploiting Booking.com and what to look out for when using this platform.


Phishing

Phishing emails, texts and social media messages are a staple in fraudsters’ arsenals. In these scams, they impersonate a reputable platform or organization to trick the victim into believing they are in contact with the site’s official representative.


Obviously Booking.com isn’t immune to these scams, and fraudsters continue to churn out campaigns where they pose as the platform or representatives of the hotel or another service that the targets have booked via the site.


They often come up with a plausible story where they drum up a sense of urgency and seek to dupe the victim into clicking on a link where they need to make a new payment in order to fix a purported error or face the prospect of losing their reservation.


Figure 1. Scam attempt (Source: Reddit)


The easy availability of generative AI tools has opened the floodgates to waves of more convincing and effective scams. By generating phishing emails that are grammatically correct, contextually appropriate, and free of typical red flags that might alert the recipient, scammers can easily trick people and businesses into downloading info-stealing malware on their devices or into divulging sensitive information or transferring money.


Hijacked chats

Some scammers may go a little further than sending out random phishing messages. There have been a number of reports of attackers finding a way to dupe their victims via the platform’s messaging system.


After finding their way into the accounts of the hotels where holiday-makers made their reservations, they have contacted large numbers of people directly via the in-app chat and urged them to make a payment to confirm the booking.


The ruse involved an alleged error with the previous payment, requiring them to pay again and avoid missing out on their holiday. In other variations of this ploy, the fraudsters requested credit card or passenger data to verify or confirm the booking.


While this didn’t occur as a result of a breach of the platform’s backend systems or infrastructure, you’re well advised to look out for any communications that request your personal or payment data.


Non-existent accommodation

Many holiday properties appear to be straight out of a fairy tale. Indeed, some of them are, quite literally, unreal. Over the years, many holiday-makers have fallen victim to fake listing scams where cybercriminals advertise a luxury holiday home that can be rented at an irresistible price and instruct people to pay, even via Booking.com. Upon arriving, you’ll find that the accommodation doesn’t exist or the property is not for rent.


In fact, soon enough, the platform’s own systems kick in – the fake listings are discovered and removed. However, your vacation may be ruined by then, so you’re better off doing your due diligence before booking.


Look for reviews and ratings for the place, check if the price is roughly similar to those for “competing” houses or apartments, and reverse-search the image to see what comes up – it is likely a free stock image or it was stolen from other websites. The bottom line is, if something looks too good to be true, it usually is.


Fake job offers

The text or social media message is straightforward enough: “We need someone to evaluate hotel bookings. We pay between $200 and $1,000. All you need to do is rate or like the hotel on (a fake Booking.com link).” This is how the message offering an irresistible side hustle, supposedly from Booking.com, begins. It’s also a variation on popular work-from-home scams.


Figure 2. Bogus job offer (source: Reddit)


You’re then asked to pay an advance fee to secure the job and/or to send your personal information, like your Social Security number or other details, which can be used to commit identity theft. In some cases, the scammers may be after your bitcoin or other crypto.


How to stay safe? Booking.com doesn’t hire people to review hotels, and it doesn’t hire people via unsolicited text messages. Hiring takes place through Booking Careers, and there is no job vacancy on the platform requiring people to review hotels.


12 tips for avoiding Booking.com and other travel scams

These tips will go a long way towards helping you stay safe while using Booking.com:


  • Whenever you’re contacted by someone who represents Booking.com or a hotel where you’ve booked your stay, watch out for the typical signs of a phishing email, such as requests for urgent action.


  • Always verify that emails came from their official domain and be wary of slight misspellings or variations. A number of trusted email addresses are also listed on the site itself.


  • If you receive any suspicious communication, go directly to the website and log into your account to verify any claims.


  • Booking.com never asks for information like your full credit card details, social security number, or passwords via email or chat.


  • Avoid clicking on links in unsolicited emails or messages.


  • Make payments through the official Booking.com platform. Avoid transferring money directly to the accommodation provider.


  • Check reviews and ratings of the accommodation on Booking.com and look for reviews that are authentic and detailed. Inspect and cross-check the accommodation details and images on other travel websites or review platforms.


  • Ensure your devices have up-to-date security software to protect against malware and phishing attempts.


  • Keep your operating system and other software updated to protect against security vulnerabilities.


  • Protect your online accounts with strong and unique passwords or passphrases and two-factor authentication.


  • If you encounter any suspicious activity, report the issue to the platform’s customer service.


  • If you suspect that your payment information has been compromised, inform your bank or credit card provider immediately.
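
The sender-domain tip above, turned into a check a mail filter could run on the From header. This is an added example, not part of the original article and not Booking.com or ESET tooling. It assumes booking.com is the only trusted domain, and the names `classify_sender`, `TRUSTED` and `SWAPS` as well as the sample senders are constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: booking.com is the only trusted domain; extend this tuple from
# the trusted addresses the site itself lists.
TRUSTED = ("booking.com",)
SWAPS = str.maketrans("0135", "oles")  # digits often substituted for letters

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using one rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[-1]

def classify_sender(header: str, trusted=TRUSTED) -> str:
    """Classify a From: header value as 'trusted', 'lookalike' or 'unrelated'."""
    name, addr = parseaddr(header)
    _, at, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return "unrelated"
    # Exact match or a subdomain of a trusted domain (subdomains are assumed
    # to be under the owner's control).
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    squashed = domain.translate(SWAPS).replace("-", "")
    for t in trusted:
        brand = t.split(".")[0]
        if brand in squashed or brand in name.lower():
            return "lookalike"  # brand borrowed by a foreign domain or display name
        if any(edit_distance(label, brand) <= 1 for label in squashed.split(".")):
            return "lookalike"  # one-character misspelling of the brand
    return "unrelated"

# Constructed sample senders; .example is a reserved TLD.
SAMPLES = [
    '"Booking.com" <noreply@booking.com>',
    '"Reservations" <desk@bo0king-help.example>',
    '"Front desk" <pay@bookling.example>',
    '"Booking.com Support" <pay@secure-checkout.example>',
    '"Hotel Sunrise" <news@hotel-sunrise.example>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_sender(sample):10} {sample}")
```

A "lookalike" result is a flag for review rather than a verdict, since ordinary words one letter away from the brand will also match. The From header can itself be forged, so a "trusted" result only means something alongside passing SPF, DKIM and DMARC checks.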


Bon voyage!


by Christian Ali Bravo, ESET
