One of the world’s largest online travel agencies, Booking.com, is being used by fraudsters to trick hotel guests into handing over their payment card details.
How do I know? The fraudsters tried it with me.
I’m speaking at an event in London in November, and needed to book a hotel room for the night before. I don’t normally use Booking.com for my travel arrangements, but on this occasion I did – and as a result I nearly fell for a scam that could have stolen my credit card details.
The online booking went smoothly as you would expect. But on Friday, two weeks after I made the original booking, I received a notification from the Booking.com smartphone app that I had a new message from the hotel I was planning to stay at.
I looked in the app, and sure enough I had a message from the “hotel”, straight after a legitimate message from the hotel. It also appears on the website version of Booking.com.
Hello! Dear Graham Cluley, we regret to inform you that your booking may be canceled as your card has not been automatically verified.
● You will need to re-check the card.
● Funds are only temporarily reserved and will be fully refunded within 10 minutes.● Important: The card must have the amount of the reservation for verification, check that there are no restrictions on online transactions on the card.
● This must be done within 12 hours or the reservation will be automatically cancelled.
● We recommend that you use a Mastercard in order to confirm.« Please follow the link below to confirm your reservation »
https://booklng.com-id334112.com/p/965664712
Copy link if you can’t click on it
Regards © Booking 2023 Team
Note that this wasn’t email spam. This was a message sent via the Booking.com website/app.
Here’s how it looked in the Booking.com smartphone app.
The message told me that my booking may be cancelled due to some credit card issue, and tells me to visit a URL to reconfirm my credit card details.
Clicking on the link took me to a webpage that contained my booking details, but was at a domain (com-id334112.com) that had been created just hours earlier. Sure enough, it asked me to enter my payment card data again.
After over 30 years of working in cybersecurity I like to think that I wouldn’t fall for a scam like this. But I received the notification when I was half-way down a supermarket aisle trying to find some aubergines. I could very easily have clicked on the link in my haste to ensure that I didn’t lose my hotel booking.
I can easily imagine how many Booking.com customers would fall for something like this, regardless of whether they were hunting for the ingredients for ratatouille or not.
I did the right thing. I went home, made a ratatouille, and then investigated how to contact Booking.com’s security team.
Unfortunately, Booking.com doesn’t have a “security.txt” file set up on its website listing how to contact it responsibly when a security issue has been found, which would have made things more straightforward.
Fortunately, colleagues in the security community on Mastodon, Twitter and other sites were able to point me in the right direction.
And so I sent the security team at Booking.com an email with all the details of what I had seen, in the hope that they would look into it and get back to me.
They haven’t responded to my email.
But this evening I (and I suspect other Booking.com customers) received the following email. Let’s take a look at what they say.
Some of our guests have reported potentially fraudulent behavior in the form of people pretending to be a representative of Booking.com or a hotel owner. This may happen via email or messages with a malicious link, asking you to confirm the reservation and pay outside of our platform, or via a copycat phishing site. This may compromise access to your device and personal data.
Okay, that sounds like what I’ve experienced.
We actively monitor our systems for fraud attempts and possible security breaches. We promptly investigate alerts and reports, and take the necessary steps to protect you, other customers, and hotels on our website.
Well, that’s good – although you didn’t manage to protect me on this occasion. I protected myself.
To make sure your personal information remains safe and secure, we’d like to inform you about what you can do on your end.
Great, let’s hear your suggestions.
– Never share your log-in details (username, password, pin, two-factor authentication code), personal, or financial information over the phone, by email, or instant messaging. Booking.com will never ask you to share this information with us. If someone – claiming to be a Booking.com employee – asks for your log-in details, personal, or financial information, or requests remote access to your devices, hang up and contact our Customer Service team. We strongly advise you to immediately change your password for your Booking.com account on our website.
I didn’t share my username, password, or any other information with anyone… other than with Booking.com when I log into Booking.com.
– If you used your Booking.com password to access other online services or accounts, we recommend you reset the passwords for those accounts as well.
I haven’t used my Booking.com password anywhere else. I used a unique, strong password.
It’s important to use a unique password for each account you have.
I agree.
– Always check email addresses thoroughly. We’ll only email you from an official Booking.com email address ending with “@booking.com” or “@partner.booking.com”.
Well, the message I received was via the Booking.com website itself (it’s still there by the way) and via the Booking.com app.
But now you mention it, if I look in my email I do see that I received the fraudulent message via email too…
Oh, this is embarrassing – it comes from a @booking.com email address.
In fact, it even contained a Booking.com tracking pixel so the company could tell if I opened the message! (Fortunately my email client warns of such annoyances.)
Anyway, back to the warning email from Booking.com.
Any email addresses using other variations, such as “[email protected],” are not official Booking.com email addresses. To learn more about online security and awareness, check out the section ‘Safety resource center’ on our website, which you can find on the bottom of our homepage.
Good advice, but in my case the messages arrived via Booking.com’s app and website. And the email came from Booking.com.
– Only access your account via the official Booking.com website at www.booking.com
Yes, I did that.
or the mobile app.
And that.
When accessing your account, always check for a secure connection. Look for the security lock icon in the address bar or make sure the address starts with https://. This ensures the page is managed by Booking.com and is genuine.
Hmm.. Err. No, the presence of https and a padlock in your browser does NOT confirm “the page is managed by Booking.com and is genuine.”
If any email or message link directs you to a website that looks like Booking.com but doesn’t have a secure connection, leave the website, don’t enter any log-in details, and don’t click on other links. You can bookmark the official Booking.com page in your browser for quick and secure access.
If you have any other questions, please reply to this message.
I have some other questions.
How are fraudsters using Booking.com to send out fraudulent messages to guests? Your email doesn’t answer that. Is there a fraudster working at the hotel I’m going to be staying in in a few weeks’ time who has access to the hotel’s Booking.com account and can communicate with their customers? Has the hotel’s Booking.com account been hacked? Or is there some other hijinks at play here?
For more discussion of this topic, check out this episode of the “Smashing Security” podcast.
Fraudster will have phished the hotel pretending to be booking.com then once they have control of their account they can contact upcoming bookings.
Thanks for this article. Exactly the same thing has happened to me and if I hadn't read the above I may have been fooled as it's incredibly convincing. I've been around a while and am not often so close to being duped! I've replied to the hotel. Maybe they will press Booking.com to do something about this as it won't be good for the hotel's reputation.
Data from their site was being used by attackers targeting people who had booked accommodation for Eurovision. Having previously been in charge of security at another Online Travel Agency I have a very good understanding of what has happened.
A few months back my credit card information was stolen. The card was immediately cancelled and vendors contacted. Shortly thereafter, I received emails from Booking.com written in a language I could not read, in characters that were not from the English alphabet. I went to check my app and got a message saying my account had been disabled due to security concerns. I knew the stored credit card number wouldn’t work anymore but I was concerned about a reservation I had for an upcoming trip. I also wanted to get any other information about me out of there. Since I was unable to find any contact info for Booking.com I started Googling. No one could help me without me giving them information that I was sure they did not need – they couldn’t look something up under my name? Then I saw something else on Google saying many of these help numbers for Booking.com were run by scammers!! So I hung up and just prayed my 1 and only reservation would stay intact. (I tried calling the hotel but got multitudes of automated menus and messages – never a person.) Fortunately, my reservation was there but I have now deleted the app and do not plan to use it again. I have also blocked all emails from booking.com. It’s a shame. I liked that app a lot! (The scammers writing in that other language still send me messages – I get a weekly rundown on blocked messages .) But it’s not worth the hassle.
I recently (on October 17, 2023) received the similar fraudulent message via booking application. Will contact hotel to inform that their account has been hacked most probably.
I got the exact same message and unfortunately paid the scammers :(
For me a difference is that I have not yet paid for the hotel and I was told the hotel would arrange the payment before arrival. The fake website also had the correct amount I owed to the hotel and I only got suspicious once I approved the first transaction with the correct amount (later I noticed it was in GBP instead of EUR). After the first transaction new requests started coming to my bank account to approve with larger and larger amounts that I kept rejecting and this is when I realized I'm being screwed over and froze my card immediately. Unfortunately the first transaction was authorized and my bank gave no guarantee that they can recover that money for me.
I immediately reported the whole thing to booking as well and they are not responsive via chat. I could get hold of someone in customer service and it seems like the hotel got fooled by phishing email indeed and the scammers got access to their login details and hence to my reservation. The customer service representative said if the bank cannot recover my money then they will pay the lost amount back to me, but there is nothing written down, so I have no hard evidence of this promise (I should have recorded the call)
I hope there are not a lot of stories like mine and people did not get as far as actually sending money to the fraudsters
It happened to me as well. I paid the scammers. Bookings is saying they are investigating, but it’s been 3 weeks and I don’t see any reply from them.
Happened to me in August, recieved message from booking.com but just to be safe I checked my booking.com app where there was also the same message. Still not refunded after phoning, emailing and sending messages multiple times, never any communication from them, all on me to chase. Now they are telling me they are giving hotel five days to pay and if this doesn’t happen they will refund me. I am sceptical.
I had very similar message earlier this week from booking.com receiving it from booking.com via email first but I thought I was being careful by logging into the app to check if it was a legitimate message and same as you, the ‘fraudulent’ message is in the app. So I followed the steps to put in another card details to make sure my booking wasn’t cancelled. I had I initially thought it might have been the hotel
System that got hacked but sounds like this is happening across a lot of different hotels using booking.com (mine was for a Tokyo hotel) so it must be a fault on their own system. I use booking.com a lot but this has put me right off as I do not normally fall for these scams!
I've just had the same thing happen to me.
I didn't trust the email so checked on the booking.com app. The same message was there so now looking very genuine.
I was still suspicious however so decided to call the hotel and check. The hotel confirmed that lots of their customers are receiving these and it is a scam. They didn't know how it was happening though.
Surely booking.com have a duty here as it is technically through their platform?
Thank you, Graham!
I booked an accommodation using Booking. I hope when I arrive at the destination I will have where to stay and my card details will not be shared with third parties.
It looked like the original link (first screenshot, from 13 October) said "booklng", like "book LNG". (Compared to the "i" in "id" in the same link.) Is that just an artifact of the screenshot itself?
Yes – the URL is pretty obviously dodgy. But how many people are going to look closely at that when they are reading a message in the Booking.com app or on the legitimate website? (Graham, obviously. But not everyone.)
It is great that people have been informed of this hack but now Booking.com need to do something about it. For example MFA everytime the hotel logs into the Booking.com app to access customer bookings would solve the problem. Its not rocket science.
Hi Graham,
I can report that this has also happened twice to me when using Expedia to book hotels in Spain and France this summer. Rang Expedia and reported it and they confirmed that had not sent any such notification. Also rang the hotel and they said that the booking was fine.
Did not lose any money, as my golden rule of never clicking on anything that is suspicious seems to work well for me.
Booked two more hotels later this year and did not receive any other notifications, so the spammers have moved on, methinks.
Great Newsletter by the way.
I got this same message today from Agoda(both via email and Agoda app). I tried to contact the hotel but it was 8pm, they told me to contact them again in the morning. I hope my reservation is still fine.😔
The exact same thing happened to me today. Luckily I noticed they had spelt cancelled wrongly so I was suspicious and rang the Hotel who confirmed my card had been verified. They also told me they had 6 other same phone calls today from guests. So it looks like Booking.com have not done anything to resolve this serious issue
Yeah. My mother got scammed through her booking for a hotel in Portugal. After she has paid the scam link- I called the hotel as it all looked suspicious.
The hotel confirmed the exact thing as the article. We contacted our bank with screenshots and Booking.com.
The hotel said many client with many hotel across the platform were getting this message. And booking is doing nothing to stop it. Some clients are being reimbursed by booking.com.
I was victim of fraud on Booking.com in July this year and am fighting with them for a reimbursement since then and there is complete silence on their part. The thing is i have absolutely no Idea what i could have done differently. I have lost nearly $ 1700 including bank charges due to this fraud.
I made a booking for my family trip to London for a property listed on Booking.com. Got the booking confirmed through email with the reservation number for advance payment to be done at a later date. Then i receive another mail from Booking.com mentioning that i should contact the representative( some sophia wayne) of the accommodation to verify details and i may need to pay an advance . Both emails came from Booking.com. I send a message to the lady. She asked me to provide credit card details for the advance .As the number was advised by Booking.com , i paid the advance amount .
Next morning, i kept contacting the lady ( or whoever it was) waiting for a confirmation. Did not get any response. I called Booking.com. They confirmed AGAIN that the reservation is fine and i will receive confirmation shortly. I then suddenly noticed that the property listed earlier on booking.com had now disappeared. I called my bank. They confirmed that the transaction seemed fraudulent as the recipient was from Nigeria.
I called Booking.com. They still had no clue. In another half an hour , they call back , fibbing that the property owner can no longer honor his commitment and i should stop the payment and if the payment is already made, they will help me get it back but first ask my bank to stop the payment . I called the bank . The bank said it is too late to reverse the payment.
The bank refuses any responsibility for this fraud and rightfully so as it was not an unauthorized payment. booking.com officers on the helpline keep asking me to ask the bank for reimbursement as they are covered by insurance and now they dont even bother replying to my many mails. I have original mail from Booking.com confirming this reservation as well as asking me to contact the person who defrauded me. It is shameful that they now take no responsibility for this fraud committed by one of their fraud vendors through their platform.
More or less same thing.
Missus got the spam message, asking for card verification, after the 5th (I know) push notification, I turned to her and asked the simple question "Why did I get 5 push notifications?". Panic ensues.
She showed me the app, it had ALL of our details, name of hotel, check ins etc. Sent from WITHIN their app. Immediate emailed my bank, it was late, hence the lack of brainpower form both of us.
Anyway, she called Booking.com and got the usual "Do not worry we will refund the money, we were hacked etc. etc. etc. We will deal with this and get back to you." Two witnesses to the phone call, I took notes but did not record.
She call again the next day after & same reassurance.
Called the third day and the tome changed, asked if we had blocked the charges with our bank, of course we had and had told them this previously. Then said they are investigating and will get back to us. We asked for transcripts of the calls and also did so in writing.
Three days later no communication AND they have now blocked herself from calling booking.com. As in her number is blocked!!! She calls the phone line, enterers her details and it hangs up. We are talking €4,200 here, and they are in radio silence.
100% scumbag company I will never touch again.
This is really discouraging to read. I have fallen for the same scam. I paid 600 euros. My bank refused chargeback as they say it wasn't fraud because I authorised the push notification. Booking.com upon first call were full of reassurance, but nothing happened. I called again they said that the process was ongoing. Nothing. I called again today and was diverted the app chat, which is ironic as this is where the fraud took place! The chat asked me for a bank statement showing the charge and a letter showing the bank had refused the chargeback. Hilariously the chat only allowed me to submit one file and then closed so I couldn't do anything else. So I turned to twitter and eventually got through via DM to customer service there. They gave me a booking.com email address prefixed by my booking number and told me to send bank letter and statement to that address. So now I'm waiting again. What can you do in a situation like this? Booking.com's system is obviously not very robust. How will I have faith in it again. I don't trust any messages I get. I wonder if anyone ever gets a satisfactory outcome with Booking.com? They say they will refund, but do they?
The booking.com app is essentially malware. I used to use it on my rooted and heavily secured Android. Like all apps on my phone, booking.com was not allowed to run unless I was using it based on the philosophy that the Android app that is not running is the Android app that is not spying.
After an update, this app refused to stop when told to; when I or my task killer stopped it, it restarted itself. Given that it requires internet access to perform its basic function this was absolutely unacceptable. I uninstalled it.
At a much later point (May 2022) I used their website (I started on Trivago and wound up on Booking.com because Trivago pointed me there) to book a room in Medellin Colombia. A few days later, I received a notification in my email that was very much like the one you describe here, but I completely overlooked it, arrived in Medellin, and checked into my hotel without incident.
It was only after that that I noticed the particular email saying my reservation was canceled due to a credit card problem. So it could be that this problem has existed for quite awhile.
I was recently scammed by fraudsters who claimed that my hotel stay could be cancelled. Be very careful when booking anything online – always check the details carefully and don't let yourself be pressured into making a decision.
Booking.com still haven't resolved it as I was being scammed. Can't believe I will fall into scam as I was always very careful. The email got all my bookings details so it must be something wrong from them
I've just been had. Kicking myself! This scam must be making the hackers a fortune.
Has anyone had any success with Booking.com refunding their money out of interest?
I'm three days behind you and asking the same question. Perhaps everyone who has been scammed needs to get together to work on this in numbers rather than as individuals? Is that an idea? There must be hundreds, if not thousands of us (which doesn't bode well for getting a refund). Surely these criminals can't so sophisticated that specialists can't find out who they are?