Customers booking holiday accommodation on the Booking.com website are urged to be wary of scammers posing as genuine hotels.
This is Money has seen messages from scammers appearing on the site’s secure messaging portal, asking them to make payments to secure a booking.
A reader alerted us to the message, which he received while exchanging messages with the owner of a hotel he had booked for an upcoming trip.
Impostors: Scammers infiltrate messages between hotels and their clients on the Booking.com website and ask them for extra payments
This is similar to a previous Booking.com scam reported in October 2023, when several travelers also said they had received fraudulent messages requesting payment.
In the new case, the reader had exchanged several authentic messages with the hotel he had booked through Booking.com’s internal messaging system.
These also arrived as alerts to his personal email account, which was linked to his Booking.com profile.
This meant that they appeared to come from the address “noreply@booking.com”.
Normally, messages can only be exchanged between clients and hotel representatives who have booked on the platform.
As travelers often share contact details and travel itineraries, the messaging system is assumed to be secure and not accessible to third parties.
But the reader showed us a message that appeared within this chat thread that had all the characteristics of a scam.
It said: ‘The booking may be canceled (sic) due to an unknown error if you do not follow a few simple steps. Please verify your reservation’
It also included the full name of the person who made the reservation and asked them to click on a link to a third-party website where they could “confirm” their reservation.
The website address was not associated with either Booking.com or the hotel, and appeared to be attempting to trick the reader into a scam.
This could have been a phishing scam, in which scammers get people to hand over their personal details through false means; in this case, asking them to enter their name, address and bank details on a website that would send them directly to the scammers.
They could then use this to access the person’s accounts and spend or transfer their money.
The website could also have been a parody of the hotel’s website that asked the booker to transfer an amount of money to “confirm” the reservation, which would instead be sent directly to the scammers.
The website address in question did not appear official and included a mix of random numbers, which is another hallmark of a scam.
False: Booking.com says scammers have accessed a “small fraction” of hotel accounts, meaning they can send messages to customers.
It is important to check the address of the website you are asked to visit, as this is often what gives the game away. This can be done by hovering over the link without clicking.
Fortunately, the reader in this case caught the scam for what it was and did not click on the link.
However, it highlights the risk for other travelers who might mistake something like this for a real payment request.
Some hotels on Booking.com only ask for payment on or shortly before arrival, rather than in advance, which might make the idea of ​​a “confirmation” payment seem more legitimate.
This is Money asked Booking.com how this could have happened and whether its secure messaging system had been breached.
The firm denied that scammers had managed to infiltrate its website.
Instead, he said scammers targeted hotels to gain access to their Booking.com accounts.
This would allow them to send messages to customers posing as hotel staff and then request payments from them.
A spokesperson said: ‘We are sorry to learn of the client’s case you reported to us. As we confirmed previously, there has been no security breach on the part of Booking.com.
‘Some of our hosting partners have been directly targeted by very convincing phishing tactics, led by professional cybercriminals, encouraging them to click on links or attachments, which in turn has resulted in malware being loaded onto their machines and , in some cases, to give unauthorized information. access to your Booking.com account.
“This allows these professional scammers to impersonate the property and communicate with guests via email or messages.”
What to do if YOU detect a suspicious message
Booking.com said it had made efforts to try to combat the scam since it first came to light last year.
It also gave advice on what customers should do if they spot a suspicious message.
If a customer has concerns about a payment message, we encourage them to carefully check the payment policy details outlined on the property listing page and in the booking confirmation.
Booking.com spokesperson
The spokesperson added: “While this was not a Booking.com breach, and the actual number of properties affected is a small fraction of those on our platform, we have made significant investments to limit the impact, implementing new measures to protect our customers and support our partners, as the scam has evolved.
‘If a customer ever has any concerns about a payment message, we encourage them to carefully check the payment policy details outlined on the property listing page and in the booking confirmation.
“Customers can also report messages to us through our customer service team, or by clicking ‘report a problem’, which is included in the chat function, where we also have clear guidance for customers on how to avoid suspicious activity “.
Some links in this article may be affiliate links. If you click on them, we may earn a small commission. That helps us fund This Is Money and keep it free to use. We do not write articles to promote products. We do not allow any commercial relationship to affect our editorial independence.