In recent years, a fraudulent scheme using people's travel plans has been spreading more widely. The most dangerous aspect of it is that scammers often know your real booking details. They know which hotel you will be staying at, when you will arrive, and when you will leave. Sometimes they even know how much the booking cost.
“This is a good example of how modern scams work. Criminals no longer need to collect data themselves. A single account leak or weak password can give them access to hundreds or thousands of customers' travel plans,” says Urmo Keskul, co-founder of the cyber hygiene training platform Phishbite and cybersecurity expert, as reported by Postimees.ee.
Imagine the situation: you have booked accommodation, and a few days later you receive a message via WhatsApp, SMS, or email stating that you need to confirm your booking, complete payment, or update your credit card information. Everything seems correct. The message includes your name, the hotel name, and travel dates.
Most people in such a situation would not suspect that this could be an attempt at fraud. After all, when planning a trip, one has to think about dozens of other things, and that is exactly what the criminals are counting on.
Many mistakenly believe that the problem starts on the client’s side. In reality, criminals often gain access to travelers' data through hotel or travel company systems.
Recently, the Estonian travel software development company Touringery reported that the compromise of a single user account gave an outsider access to booking data, which was then used to send phishing emails to clients.
In some cases, the data comes from hotel customer database management systems, in others from booking environments or as a result of previous data leaks. But the outcome is the same — the criminals have enough information for their message to appear completely trustworthy.
“A few years ago, I encountered this scheme myself. At first, the message came through WhatsApp. When I did not respond, a similar notification appeared in the Booking.com environment itself. This raised a serious question: if even a message in the Booking app can be fraudulent, how can one tell what is real and what is not?” recalls Keskul.
Later, when Keskul contacted the hotel directly, it turned out that the hotel had not sent such a message. The reason is simple. If criminals gain access to a hotel employee's account on the Booking platform, in some cases they can use official communication channels as well. Therefore, one can no longer rely solely on the visual appearance of the message or the sender's name.
And this is not an isolated incident. For example, the police reported a case where a 28-year-old man in Estonia received a WhatsApp message allegedly from Booking.com asking him to confirm his hotel booking. As a result, he lost almost 1700 euros.
In another case, a person was redirected through a message within Booking.com to a payment page, resulting in over 500 euros being deducted from his account.
“Such cases have been recorded for years, and the scheme continues to operate successfully. Not because people are inattentive, but because the fraud is becoming increasingly credible,” explains Urmo Keskul.
“The main advice is simple: do not make any payments through links in messages. Always check the payment request in the official app or on the official website of the booking service. If there are even the slightest doubts, contact the hotel using the contact information provided on its own website, not through the number or link in the message,” recommends Keskul.
“Never assume that a link in a message leads to the right place just because the message contains correct information,” he adds.
Recommendations:
- Use only the official Booking.com app or website for payments;
- Verify all payments directly in the service provider's system;
- Prefer payments through Apple Pay or Google Pay when possible. While this does not guarantee the reliability of the site itself, it reduces the risk of criminals obtaining your credit card information and using it for new charges. In the worst case, you will lose a specific payment amount rather than access to your entire card;
- Report suspicious messages to both the hotel and the police.
Cybercriminals no longer need mass phishing emails promising millions or stories about “helping a prince.” Modern scammers use real data, real travel plans, and real bookings. Therefore, with every unexpected payment request, it is worth pausing for a moment. If a message raises even the slightest suspicion, verify it through an official channel.