Digital travel agent booking.com has a problem – one which has seen hundreds of customers scammed out of thousands of pounds in the last 10 months.

Numerous posts have surfaced on various social media sites from customers saying that they have been scammed into making payments by messages sent through the official booking.com app or via emails originating from booking.com domains – and the thing is, booking.com hasn’t been hacked.

Some victims have posted detailed information showing that the messages have definitely originated from booking.com.

The email header above shows that the email received by this victim came from booking.com, with a Base64-encoded subject header which decodes to “You have a new message from Sorrisniva Arctic”.

Base64 data decoded

The victim, who posted the email to Reddit, also posted a screenshot of the link contained within the email. It shows a convincing copy of the booking.com site – however, the URL is not part of the booking.com domain.
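As an added example (not from the original post), the two checks this victim did by hand, decoding the Base64 subject header and testing whether each link's host is genuinely under booking.com rather than a lookalike, in Python. The sample message below is constructed for this example and the lookalike host in it is made up.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from urllib.parse import urlparse

TRUSTED_DOMAIN = "booking.com"

# Constructed sample (not a real message): an RFC 2047 Base64 subject like the
# one the victim posted, one link on a real booking.com host and one whose host
# merely starts with "booking.com" as a lookalike label.
SAMPLE_EMAIL = (
    "From: noreply@booking.com\n"
    "To: guest@example.org\n"
    "Subject: =?UTF-8?B?WW91IGhhdmUgYSBuZXcgbWVzc2FnZSBmcm9tIFNvcnJpc25pdmEgQXJjdGlj?=\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Confirm your payment here: https://booking.com.confirm-stay.example/pay\n"
    "Your reservation: https://secure.booking.com/mybooking\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def decode_subject(raw_message):
    """Decode an RFC 2047 (=?charset?B?...?=) Subject into readable text."""
    msg = message_from_string(raw_message)
    return str(make_header(decode_header(msg["Subject"] or "")))


def is_trusted_host(url, domain=TRUSTED_DOMAIN):
    """True only if the URL's host is `domain` itself or a subdomain of it.

    urlparse().hostname drops any user@ prefix and port, so a URL such as
    https://booking.com@evil.example/ is judged by evil.example, and a host
    like booking.com.confirm-stay.example fails because its registrable
    domain is not booking.com.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def triage_links(raw_message):
    """Return (url, trusted) for every link in the body; trusted is False for
    lookalike or foreign hosts, even when the page they lead to looks right."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return [(url, is_trusted_host(url)) for url in URL_RE.findall(body)]


if __name__ == "__main__":
    print("Subject:", decode_subject(SAMPLE_EMAIL))
    for url, ok in triage_links(SAMPLE_EMAIL):
        print("  trusted " if ok else "  SUSPECT ", url)
```

The sender address and the decoded subject both look genuine, which is exactly why the host check on the link is the part worth doing.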

Fortunately, this Reddit user spotted the scam before it was too late, but others have not been so lucky.

A Reddit user seeking help after being scammed.

So what’s happening?

From the investigations being conducted by amateur sleuths, cyber security analysts and booking.com itself, it appears that the scammers are social engineering hotel staff and obtaining the hotels’ log-in details for the booking.com platform.

Once the scammers have access to a hotel’s account on booking.com they can see all details of its bookings and send messages via the booking.com Application Programming Interface (API) to any victim they choose. Those messages are delivered both from the booking.com email address and through the booking.com app.

From the perspective of Booking.com, all of these messages are legitimate, as they have originated from the hotel’s own account, so there is little they can do.

Final thoughts

As always, the message to would-be travelers is this: even if you have booked through a reputable, trusted agent, treat unusual demands for money or claimed “issues” with your booking with suspicion, even when they arrive through the legitimate application, website or email. Contact the agent or hotel directly, and don’t follow links until you have verified their legitimacy first.

Scammers are very good at making their attacks seem legitimate; don’t be one of their victims.