This reader review is from Duncan. We have previously featured a news article about scammers on Booking.com. Here is a first-hand experience. The moral of the story is to contact the hotel directly rather than through booking.com if this happens.
With the Black Friday Frenzy in full swing and people possibly throwing caution to the wind in their desire to get a bargain or two, I thought it might be appropriate to share a cautionary tale about an attempted scam that I encountered a couple of days ago.
I received an email, supposedly from booking.com, saying that a booking I made with them for a Rotana hotel in the Middle East might be cancelled as my saved credit card was expiring. All the details regarding the stay were correct, and it was true that my stored card expires before my stay.
I thought I was fairly sensible when it came to scams etc. so, instead of using the link provided I signed onto the booking.com app on my phone to check the email’s validity. In the ‘notifications’ I had received from the Rotana hotel in question there was a new notification with exactly the same text as the email, asking for me to update my card details. I didn’t have time to respond to the request immediately, but instead waited until I was at home and signed onto the booking.com website, this time from another device (my PC). Sure enough, once I had signed into my account on the website, in the notifications section on the website the same message that had appeared in the email and my booking.com app was there.
Having signed into my account twice, once on the app, the other on the website, and using two separate devices, I had no reason to believe the request wasn’t genuine. Fortunately, when I went to update the details using the link provided on my account, I got a fraud warning from my bank that stated someone was trying to take ten times the cost of the stay from my account.
Naturally, I was taken aback by this as I thought I had taken the appropriate steps to check the validity of the request.
I have contacted both booking.com and Rotana Hotels. Unfortunately, booking.com has not responded to my concerns.
However, Rotana had this to say:
“We have noticed some unrecognised messages being sent to our esteemed customers, requesting payment arrangements for your booking.
Please be advised that these messages were not initiated by the hotel. Kindly ignore them, and feel free to reach out to us.”
The scammers are getting smarter and are even managing to get into the company’s systems! Be careful out there folks!!
For more Reader Reviews.
12 comments
I hope this is a wake up call for Booking.com. I have a property with them, and have been very disatified with the lack or service, together with the expensive feed, comfared to Airbnb and others. As this article sugests you cant get a reply from this company.
Hi, I got a similar email and message on booking, its was pushy, suggesting I would lose the hotel booking in Saun Jaun in March next year. I didn’t like it so messaged booking and have still not got a response.
So are we seeing here a scammer some how using booking messaging system to send out scam emails??? Very serious if so.
I have currentlty several back to back reservations with booking.com. 2 of them were hacked. I contacted the hotels/hosts and booking.com and had instant replies from all to state that this was a scam and they were investigating. I agree that security seems to be lacking when hackers can get into the system like this, but booking.com was quick in communicating with me and giving advice. Providers may be angry for high fees, but is it fair to bash them if they have been victims of the ever increasing nasty (multiple other adjectives not publishable) hacker brigade?
I had exactly the same with a hotel in New York. Messaged the hotel directly via email and it was confirmed to be a scam. The exact same thing happened a month later with the same hotel. Booking.com don’t seem to care or know how to fix it!
Wow Duncan, that is truly scary.
Like you, I thought that I was fairly adept to recognising a scam but last year I nearly fell into one to, this time with TAP Portuguese airlines.
I had received an email from TAP advising me that I had not claimed compensation I was entitled to for a flight delay on a TAP flight the previous year. It listed the flight number, route, date and even my seat number and indeed it was a flight I had travelled on but I didn’t recall it being particularly delayed.
To be honest, the fact that an airline was contacting ME to tell me I was due compensation was what got my suspicions going in the first place. Any of us that have had to claim compensation from an airline for a delay knows most airlines will find any excuse to refuse a claim. An airline contacting you a year later to ‘remind’ you is unheard of.
There was a link in the email to ‘claim my compensation’ that I clicked on and it took my to the TAP website. Well, what looked IDENTICAL to the TAP website. But I noticed that when I tried to click on other areas of the page (such as flight status/make a booking) it didn’t work. I then did some googling and stumbled across a TAP frequent flyer data hack. And that’s where everything fell into place. The scammers obviously knew passengers contact details and flight history and I guess this combined with a very authentic looking TAP email address and webpage as well as the lure of compensation would have snared some unsuspecting folks.
Hi,
Had the same issue. I initially contacted booking.com who said they will investigate and come back to me in 24h. They never got back to me. I contacted the property and got confirmation is phising and advised to ignore the request. Indeed starting to doubt about booking.com ability to handle security.
Maybe a clever techie can explain this for me? Things I don’t understand include:
You have a genuine reservation via Booking.com, so the scam messages you saw must have included all the correct references etc? If the scammers (let’s stop that cutesy name & just call them thieving bas!@£ds shall we?) can “get into” Booking.com systems then why hasn’t the whole edifice collapsed?
Was this a sophisticated version of pwned emails? Booking.com gets hacked and, by extension, so have you? In that case again, why hasn’t there been a more massive attack?
Booking.com appear to be acting hugely irresponsibly in this regard.
Clever techie here (grrr hate that word!).
We can be pretty confident that booking.com itself hasn’t been hacked. If it had, we’d all know about it and it would be a massive deal. That doesn’t mean it hasn’t happened or can’t happen in the future – think British Airways. But scams like the one reported here have happened a number of times over the last few months and each time the pattern is the same.
Booking.com is an agency or a marketplace if you will. Primarily, it has 2 different types of account – hotels and clients. The hotels have accounts just like you and I, which run on PCs and laptops. These are subject to all the usual hacking issues but arguably more vulnerable than your home PC. Chances are, no one person takes responsibility or ownership of the PC. It will be on a desk in reception, used 24 hours by different shifts and if it runs a bit slow they’ll just grumble and carry on. So that PC itself could be hacked and give an unscrupulous employee access to the hotels booking.com account without management being aware. Even if not technically hacked, there’s all the other usual frailties such as passwords written on post-it notes or PCs left logged in at the end of a shift.
So in my view the most likely culprit is a current or former (sacked) hotel employee. The scam works because the message that they send IS sent from the booking.com system in exactly the same way as a message saying “your room will be ready at 12 noon”. And the content of the message is perfectly reasonable. So far it’s all down to human behaviour and frailty – the technical fraud is the fake payment link.
I’m not trying to defend booking.com but it’s largely outside their control. They offer lots of security advice to hotel management. But even if the hotel realise it’s their fault, for reputational reasons they’re not going to own up to it easily.
Booking.com got hacked a while back, so it seems that certain logins are available to scammers. The moral of the story is don’t ever click a link to update card details, there is a section of the booking.com website/app for maintaining card details, use only that.
Thanks @L Allen. That should be more widely publicised.
I had a similar experience just last week BUT it was the ‘hotel’ fraudulently requesting funds through hotels.com. I had an email from the hotel by via the hotels.com messaging service. I checked with hotels.com in the first instance as I knew I didn’t owe anything. They called the hotel in question (where I HAD had a previous booking) whilst I help and apparently the hotel said it wasn’t them.
So again, cyber thieves in hotel.com system ..
I reported to the NCSC
I was getting odd message from hotels.com saying my booking was cancelled and here’s a 11 GBP COUPON. The text and wording didn’t convince me and the booking ref was incorrect but the hotel name and date was correct. Used the online chat with them and they said ignore it booking still valid. Got about 3-4 emails warning me to accept the coupon etc.
Then 2 weeks later they cancel my booking for no reason. Get back onto chat and they can’t tell me why it was cancelled. I’ve given up with them.
Comments are closed.