Hackers have obtained the login credentials of an unknown number of hotels on Booking.com and are defrauding guests by sending emails on behalf of these hotels. Booking.com has confirmed that hotels on the platform have become the target of a “very credible and sophisticated” phishing attack. The Amsterdam-based rental platform has reported this to the Dutch Data Protection Authority.
The hackers operate as follows: hotels receive an email enticing them to download a file containing malware. The malware allows the hackers to take over the hotel’s Booking.com account. Subsequently, the hackers send a message via Booking.com’s messaging system to future guests of the hotel, claiming there is an issue with their credit card and that the reservation will be cancelled if a new payment is not made. Because the emails are sent in the hotel’s name, and the hackers are aware of their victims’ vacation dates, a relatively high number of holidaymakers fall for the scam.
The exact number of hotels that have been targeted is unknown, and Booking.com is not sharing specific figures. According to Chief Security Officer Marnie Wilking, it affects “only a small fraction of a percent” of the 28 million accommodations registered on the platform. There are numerous stories on Reddit from victims who have lost hundreds of euros in this manner over the past few months.
Booking emphasizes that the hackers have only obtained login information from hotels on the platform and have not breached Booking.com’s own systems. The company’s staff is working diligently “to assist affected partners in securing their systems and supporting customers who may have been targeted,” according to Wilking. Booking.com states that hotel guests who have been victimized can contact customer service, and the company will help them recover their money.
In recent months, Booking.com has been warning hotels on the platform about these phishing attacks. They also employ self-learning systems to detect suspicious activities on the platform. “As a result, the impact of such attacks is gradually decreasing,” says Wilking. Booking.com advises hotel guests to exercise caution when making payments in general and to never share credit card information outside the website.
According to security experts, Booking.com is engaged in an arms race with online criminals. The method of scammers asking for money on behalf of hotels has been in use for years, but the ways of breaching systems continue to evolve.
Every hurdle you impose on your customers translates into less income. So, the most severe measures are not always used in combating this type of fraud. This is especially true for hotel fraud because it’s often the guests who bear the costs. How many resources Booking.com is willing to invest depends on how much damage Booking.com itself incurs.