Booking, the popular hotel reservation portal, has become the perfect hook for cybercriminals, who are scamming users through phishing campaigns in which they impersonate the accommodation in order to steal personal information and bank details from people who have previously made a reservation.
It is not Booking itself that has suffered a vulnerability; rather, many of the hotels registered on the platform are being hacked by cybercriminals. The attackers access the accommodation's database to obtain the personal information of those who have reserved a room, such as their telephone number or email address.
Afterwards, they impersonate the hotel and send a message or email to the guest, posing as Booking customer service and stating that there has been a problem with the reservation and that the guest needs to confirm their details or make a payment to secure it. According to some victims, the email arrives with an interface very similar to the Booking website, and with a very similar URL.
Furthermore, although in most cases users have already made the payment, the message implies that the purchase has not been completed correctly and that they must pay the amount before the accommodation cancels the reservation.
“Dear guest, we want to inform you that our systems have detected that your credit card has been marked as invalid/inactive, so we have sent you a personalized page to confirm your details. This email has been sent to your email address. If you ignore this message, we will be forced to cancel the reservation.”
So reads one of the fraudulent emails sent to some Booking customers.
Neither Booking nor the hotels are responsible
Booking has confirmed to elDiario.es that its platform has not suffered any type of cyber attack, and that the problem is that cybercriminals are accessing hotel databases to steal reservation data and contact users.
The hotels, however, are not taking responsibility and are refusing to return money to users who have fallen for the scam. “We will never charge you twice for the cost of accommodation paid in advance. The emails requesting payment are fraudulent and cannot be refunded,” one of the hotels stated after a customer claimed to have been the victim of a phishing campaign.
In any case, there are a series of guidelines that users should follow to avoid falling for these types of campaigns. One of them is to check the sender's email address, as well as the link in the message. Also, if in doubt, contact the accommodation.