Australia’s consumer rights watchdog has seen a sharp increase in Australians mentioning popular accommodation site Booking.com when they report experiencing or falling victim to a scam.
Scam reports mentioning Booking.com significantly increased in 2023 and caused Australians to lose more than $337,000, according to the Australian Competition and Consumer Commission (ACCC).
The ACCC said its Scamwatch program received 363 reports of scams in 2023 which mentioned Booking.com – one of the most visited travel booking sites in the world.
That’s almost a 600 per cent increase on 2022, during which only 53 reported scams made reference to Booking.com.
Booking.com scam ‘very legitimate looking’, victim says
Queensland resident Robyn, who requested to only be identified by her first name, told ABC News that she received a message through Booking.com in January 2023, which appeared to be from a hotel in Istanbul, Türkiye, where she had an upcoming booking.
Robyn said the message claimed her booking would be cancelled if she did not confirm her payment details. She clicked a link included in the message, which took her to a site that appeared to be Booking.com, as it contained the details of her trip and its costs.
“It was very legitimate looking, it was so good,” Robyn says.
“It was very confusing, and so convoluted … It all looked so real.”
Ironically, after providing her credit card details, Robyn said she was warned her card couldn’t be used due to “security purposes”. She said she entered the details of a second card but was told it also could not be accepted, and was asked to make a bank transfer.
Realising this was suspicious, Robyn messaged the hotel through Booking.com, unaware that the messages were under the control of cybercriminals.
“I had a conversation with people that I thought were in the hotel,” she says. “I got very angry, and they then became very aggressive with me.”
Robyn said a legitimate representative from the hotel eventually called her directly with the grim news.
“The hotel said that their system through Booking.com had been basically hijacked,” she says. “They could see me talking to people, but it wasn’t them.
“They said they couldn’t get into the system to tell me to stop talking to them.”
Robyn’s Istanbul hotel did not respond to a request for comment.
Within an hour after her credit card details were stolen, Robyn said her bank contacted her about a suspicious transaction on her account – a hotel booking in Budapest, Hungary, made through Booking.com.
When she contacted the Budapest hotel to warn them, Robyn said she was told the venue had already cancelled the booking because it was made by a man with a French accent, a Portuguese name and an English address.
Robyn said the hotel told her that scammers sometimes used stolen cards to make bookings, before cancelling them and requesting a refund onto a different card or bank account.
In total, Robyn said her cards were used for a handful of accommodation bookings totalling around $25,000. Luckily, her bank would later return the funds.
Robyn said when she contacted Booking.com about the fraud, the company’s customer service team appeared “uninterested”.
“I said, ‘Your system has been hacked … I was talking to these people through your system.’ And they were just really unhelpful and didn’t care,” she said.
Booking.com told ABC News that a number of its accommodation partners had been targeted by phishing emails “sent by professional criminals, with the intent of taking over their local computer systems with malware”.
“In some cases this has led to unauthorised access of their Booking.com account, which enables these fraudsters to temporarily impersonate the accommodation and communicate with guests via email or messages,” a spokesperson said.
“It’s important to highlight that Booking.com’s back-end systems and infrastructure have not been breached, and the number of accommodations impacted are a small fraction of those on our platform.
“At the same time, we understand the importance of keeping the data we are entrusted with secure. That’s why we continue to make significant investments to limit the impact and have put new measures and alerts in place to update and protect our customers, as well as our accommodation partners.”
Despite Booking.com’s efforts, the scam continues to impact accommodation providers across the world – this reporter even received a scam message from an accommodation provider on Booking.com while writing this story.
Booking.com says customers should report any suspicious messages to the company’s customer service team, check the payment policy associated with their booking, and be careful not to share their credit card details over email, text message or on instant messaging platforms.
The company, which is headquartered in Amsterdam, said it had over 2.7 million properties on its website by the end of 2022, including more than 400,000 hotels, motels, and resorts.
Travellers warned to be vigilant
The ACCC says Booking.com users should protect themselves from phishing scams, like the one experienced by Robyn, by trying to independently verify any emails or messages they receive which include a link or ask for personal or banking information.
Verifying usually involves contacting the accommodation provider directly using a phone number from their official website – and not one provided in an email or Booking.com message.
“Be aware that Booking.com customer service representatives won’t ask you to provide your account password or financial information such as a credit card over the phone,” the ACCC says.
In its advice to accommodation providers that use its property management platform Extranet, Booking.com says provider accounts “can be a tempting target for cybercriminals and fraudsters”, as they contain “a large amount of guest data, including names, addresses, credit card details, and phone numbers”.
“Fraudsters may attempt to mimic our emails in order to phish your username and password for the purposes of taking over your account,” Booking.com says.
“These phishing emails can lead to a webpage that looks very similar to the Booking.com Extranet login page – but if you look at the URL address bar, you’ll notice differences.”
Booking.com says it disables the ability for properties to include links in their messages to guests if suspicious activity is detected on their account.
Robyn said she would be more vigilant with her travel bookings in the future.
“Would I get caught like that again? No,” she said.
“Have I booked through Booking.com again? No.”
2020 Australian Broadcasting Corporation. All rights reserved.
ABC Content Disclaimer
