Scammers con Booking.com users by sending messages through its in-app chat function
Holidaymakers often snag good bargains when booking hotels or flights on online travel portals, but scammers appear to have recently sniffed out these platforms as lucrative hunting ground for victims.
In February, the police had received at least five reports since the start of 2023 of phishing scams linked to hotel room bookings made through the popular Booking.com portal, with total losses amounting to at least $8,800.
In the latest spate, at least 30 people lost about $41,000 after falling prey to a similar type of scam after using the same online reservation portal since September.
Both types of scams involved the criminals sending victims fake website links, and asking them to provide personal and banking details, such as one-time passwords and credit card numbers.
In some of the cases, the malicious websites prompted victims to make a payment to confirm the reservation. The ruse was exposed once they contacted Booking.com or the hotel directly, but by then it was often too late for victims to take any action.
Some victims realised they had been scammed when they discovered unauthorised transactions in bank or credit card statements.
Worryingly, the tactics employed by scammers have become more sophisticated.
Earlier in 2023, fraudsters posed as hotel representatives and contacted victims through messaging platform WhatsApp.
Recently, conmen have adopted methods that are harder for victims to see through – sending e-mails or messages directly through Booking.com’s in-app chat function, using the official accounts of hotels.
A spokesman for Booking.com told The Straits Times that some of its accommodation partners had their accounts compromised after being targeted by phishing e-mails.
“While this is not a breach of Booking.com’s backend systems, we are acutely aware of the implications of such scams by malicious third parties to our business, our accommodation partners and our customers, who can fall victim to professional scammers,” he added.
So, how were the scammers able to contact customers through the portal’s chat tool?
Mr Ian Lim, field chief security officer for Asia-Pacific and Japan at cyber-security firm Palo Alto Networks, said the system could have been compromised in at least three ways.
One involves an account takeover, in which the computers of employees and booking agents are hacked, allowing scammers to respond from those accounts.
Another is a man-in-the-middle attack, where hackers intercept the conversation in the chat system and possibly alter the information sent to either party.
Lastly, a third party, such as one of Booking.com’s partners, may have been compromised, giving scammers administrative access to the in-app chat function.
Acknowledging that there is no way to pinpoint which of these methods was used by the scammers, given the lack of digital forensic evidence, Mr Lim added: “Customers are more susceptible to in-app messaging scams because the context is appropriate as they are making a reservation and the source of the information is perceived to be trustworthy.”
When asked what measures it adopts to safeguard customer data, Booking.com said it has dedicated teams to oversee the account security of customers and accommodation partners.
The spokesman added that these teams use custom tools to “monitor, block and detect suspicious activity around the clock 24/7”.
A similar approach is adopted by online travel start-up Traveloka.
When contacted, the company’s spokesman said its information security team is responsible for ensuring IT security and compliance across its systems.
“We closely monitor any bad actors that impersonate us, and work with the relevant parties to take them down,” he said.
Although there have not been any news reports of victims falling for hotel booking scams related to Traveloka, its website put up an advisory dated June 21 cautioning customers about potential scams that impersonate the platform.
“As a travel platform, our mission is to simplify travel through technology. Travellers today are more tech-savvy, but travel platforms have the responsibility to ensure that customers are not misled into making unwanted online transactions,” the spokesman said.
Another popular online travel platform, Klook, declined to comment. Other platforms such as Agoda, Dayuse and Expedia did not respond to ST queries.
With scammers constantly changing their tactics, how can consumers protect themselves when using such travel portals?
Booking.com said it will never ask customers to provide credit card details through text messages or e-mail.
“If you ever receive a payment message that raises concerns, we strongly urge you to verify the accommodation’s payment policy, easily accessible on the property listing page, or reach out to our 24/7 customer service team for immediate assistance,” the spokesman said.
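A defender-side illustration of the pattern described above, added here as an example and not code from Booking.com or from the article: it screens partner-account chat messages for the combination the scams rely on (an off-platform link together with a request for payment, card details or a one-time password), which matches Booking.com's stated rule that it never asks for card details by message. The platform domain, the phrase lists and the sample messages are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

PLATFORM_DOMAIN = "booking.com"  # assumed platform domain for this example, not a real allow-list
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Wording from the scam pattern the article describes: a payment "to confirm the
# reservation", requests for card numbers or one-time passwords. Constructed list.
PAYMENT_REQUEST = re.compile(
    r"(confirm|verify)\W.{0,40}(payment|reservation|booking)"
    r"|credit card|card (number|details)|one[- ]time password|\bOTP\b|\bCVV\b",
    re.IGNORECASE)
URGENCY = re.compile(r"within \d+ (hour|minute)s?|immediately|will be cancel+ed|urgent",
                     re.IGNORECASE)


def off_platform_hosts(text):
    """Hostnames of links in the message that are not on the platform's own domain."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host != PLATFORM_DOMAIN and not host.endswith("." + PLATFORM_DOMAIN):
            hosts.append(host)
    return hosts


def score_message(text):
    """Return (verdict, reasons): 'block' for an off-platform link combined with a
    payment/card/OTP request, 'review' for any single signal, 'ok' otherwise."""
    reasons = []
    hosts = off_platform_hosts(text)
    if hosts:
        reasons.append("off-platform link: " + ", ".join(hosts))
        if any("booking" in h for h in hosts):  # brand name on a foreign domain
            reasons.append("lookalike domain")
    asks_payment = PAYMENT_REQUEST.search(text) is not None
    if asks_payment:
        reasons.append("asks for payment, card or OTP details")
    if URGENCY.search(text):
        reasons.append("urgency language")
    if hosts and asks_payment:
        return "block", reasons
    return ("review" if reasons else "ok"), reasons


# Constructed sample messages, modelled on the pattern the article describes.
SAMPLES = [
    "Your reservation is pending. Please confirm your payment within 24 hours at "
    "https://booking-guest-verify.example/pay or the booking will be cancelled.",
    "Hi! Check-in is from 3pm. Let us know your arrival time.",
    "Our payment policy is on the listing: https://www.booking.com/hotel/example.html",
    "Please send your credit card number here to confirm the reservation.",
]
```

Only the first sample is blocked outright; the last is flagged for review because a card request with no link is still against the platform's stated policy.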
Traveloka, on the other hand, urged customers to make bookings only through its website or app, while reiterating that it would never ask customers to click on links to key in personal information or account details.
Mr Lim advised consumers to be vigilant, especially if the message seems urgent or unusual.
“Scammers want to spend the least amount of time for the biggest amount of return, so they usually send messages that require immediate action,” he said.
“Individuals need to exercise caution when clicking on any links or attachments contained in suspicious messages, especially those relating to one’s account settings or personal information.”