Booking Accommodation? NASK Advises How Not to Fall Victim to Scams
The travel season increasingly marks the beginning of… a phishing attack. Cybercriminals are impersonating popular booking platforms, such as Booking.com, taking over accommodation accounts, and sending fraudulent messages about surcharges, booking freezes, or the need to “confirm payment.” Their goal is to trick users into divulging credit card details and login credentials. Cybersecurity experts at NASK and CERT Polska are issuing strong warnings that the scale of “Booking-related” scams is on the rise. Here’s what you need to know to stay safe.
Cybersecurity Experts Warn of Surging “Booking” Scams
NASK, a leading cybersecurity research and development institution, in its latest communication, directly warns against a dynamically growing campaign. Cybercriminals are leveraging the popularity of Booking.com to extort money and personal data from travelers. They target both individuals making reservations and property owners, relying on the trust placed in a well-known brand and the time pressure travelers often face just before their trip. The holiday season, much like other busy online periods, has become a prime target for cybercriminals, who constantly adapt their tactics, from deceptive social media ads to sophisticated phishing campaigns.
According to experts from NASK and CERT Polska, the scam typically follows a similar pattern: victims receive a message alleging an issue with their reservation – a block, a required surcharge, additional payment verification, or a threat of cancellation. The message includes a link leading to a website that strikingly resembles the official Booking.com service but operates under a different domain or contains subtle typos in its address. It is on these fake sites that users are prompted to enter their login details or credit card information.
Common “Booking” Scam Scenarios
Cybercriminals employ various methods to trick their victims. Understanding these common scenarios is crucial for effective protection.
Scenario 1: Classic Phishing via Email or SMS
The first frequently observed scenario is classic phishing: an email or SMS warning that a reservation will be canceled if the user doesn’t immediately confirm payment or update their details. The link provided leads to a counterfeit website that is visually almost indistinguishable from the genuine Booking.com. However, the web address is altered, and the form is designed to harvest logins and card details, which then fall into the hands of criminals.
Scenario 2: Compromised Accommodation Accounts
This scheme is more sophisticated as it involves cybercriminals first gaining unauthorized access to a host’s or accommodation property’s account within the reservation system. Once logged into a legitimate account, they contact guests directly through the platform, requesting additional payments, a change in payment method, or a “re-authorization of the card,” often via an external payment gateway. Victims feel they are communicating with the actual hotel because they see their reservation history and genuine stay details, making the scam highly convincing.
Scenario 3: Deceptive Offers on Real Platforms
The third variant involves fraudulent or highly misleading offers posted on actual reservation platforms. In these cases, criminals exploit attractive pricing and loopholes in terms and conditions, hoping users will transfer a deposit via bank transfer, cryptocurrency, or to a private account outside the official system. Once the money reaches the scammer, all contact ceases, leaving the traveler without accommodation upon arrival.
Data Breach and the New Wave of Phishing
The problem of “Booking-related” scams intensified following a recent security incident where cybercriminals gained access to data belonging to some users and service partners. Information from Booking.com and analyses by independent security firms indicate that the attack was primarily carried out through hotel partners and intermediaries. The stolen information included email addresses, phone numbers, and booking details. While the platform assures that credit card data and financial information remained encrypted and were not compromised, the mere possession of genuine reservation details allows scammers to craft incredibly credible messages. Victims receive emails or in-app messages containing correct stay dates, hotel names, or guest numbers. This accuracy further lowers their vigilance and makes it challenging to distinguish between a scam and legitimate system correspondence.
Why These Scams Work
“Booking-related” scams leverage several well-known psychological mechanisms: time pressure, fear of losing a reservation, pre-travel uncertainty, and the automated behaviors of users accustomed to quick mobile transactions. Messages like “confirm payment immediately,” “your reservation will be canceled,” or “you’ll lose your discount shortly” are designed to prompt users to click a link and provide data without thoroughly checking the address or sender.
“Vacations are a harvest season not only for farmers but also for cybercriminals. Booking accommodation should be the start of a successful rest, not lead to stress and financial loss. Unfortunately, during the holiday season, scammers exploit haste and emotions to persuade users to provide their data or make a transfer. Therefore, it’s worth remembering a basic rule: pause for a moment and thoroughly check which website and entity you are dealing with. A few minutes of caution can protect us from losing money, but also from more serious consequences, such as data theft.” — Iwona Prószyńska, Head of the Strategic Cybersecurity Communication Team at NASK
Additionally, many users access Booking.com and other reservation platforms on the go – on public transport, at the airport, or between meetings – which encourages hasty decisions. When faced with a legitimate-looking login screen or payment window, it’s easy to overlook subtle differences in the website address or minor linguistic errors that would normally raise suspicions. Always be vigilant, not just against phishing but also against other threats like mobile malware that can compromise your device and data.
How to Protect Yourself
Experts from NASK and CERT Polska emphasize that effective defense against “Booking-related” scams begins with a simple principle: stay calm, be vigilant, and exercise limited trust in links received in messages.
- Verify Directly: If a message indicates a problem with your reservation or payment, always log into the service independently by typing the official address directly into your browser or using the official app, rather than clicking on a provided link.
- Official Payment Channels Only: Never make payments for a reservation outside the platform’s official system. A request to transfer money to a private account, in cryptocurrencies, or via an unusually generic payment gateway should immediately raise a red flag.
- Contact Directly: In case of any doubt, it’s best to contact the hotel or property directly using the phone number or email address provided on their official website and in your original reservation confirmation. Do not use contact details provided in suspicious messages.
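The fake sites described above operate under a different domain or an address with subtle typos. As an added example (not code from NASK, CERT Polska or Booking.com), this Python check classifies the host a link really points to; the sample URLs are constructed, the `.example` hosts are placeholders, and the edit-distance threshold is an assumption.

```python
from urllib.parse import urlsplit

OFFICIAL = "booking.com"   # official domain named in the article
MAX_DISTANCE = 2           # assumption: labels this close to the brand are suspicious


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, official: str = OFFICIAL) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a link."""
    parts = urlsplit(url.strip())
    # .hostname drops any "user@" prefix and port, and is already lowercased.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "invalid"
    # The leading dot matters: "notbooking.com" must not pass as a subdomain.
    if host == official or host.endswith("." + official):
        return "official"
    brand = official.split(".")[0]
    # Brand name placed in a subdomain, a hyphenated label or the userinfo part.
    if brand in parts.netloc.lower():
        return "lookalike"
    # Typo variants of the brand in any host label.
    if any(edit_distance(label, brand) <= MAX_DISTANCE for label in host.split(".")):
        return "lookalike"
    return "unrelated"


# Constructed sample links for illustration only.
SAMPLES = [
    "https://www.booking.com/reservation",
    "https://booking.com.confirm-payment.example/login",
    "https://b00king.example/pay",
    "https://www.booking.com@pay-verify.example/",
    "https://hotel-seaside.example/contact",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_link(sample):10} {sample}")
```

The check is a heuristic: it does not cover look-alike characters in internationalized domain names, and an "unrelated" verdict says nothing about whether the site is safe.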
Frequently Asked Questions (FAQ)
These scams are on the rise due to several factors, including recent data breaches that provide criminals with credible booking information, the psychological tactics of time pressure and fear of losing a reservation, and users’ habits of making quick decisions, especially on mobile devices.
Instead of clicking any links in the message, open your web browser, type the official Booking.com (or other booking platform) address yourself, and log into your account. Check your reservation status directly through the platform’s official interface. You can also contact the accommodation provider directly using contact details found on their official website or in your original, verified booking confirmation.
If you suspect a scam, do not click on any links, provide any personal information, or make any payments. Immediately report the suspicious activity to Booking.com’s official support channel and to your bank or credit card company if you have unknowingly shared financial details. It’s also advisable to change your passwords for booking platforms and email accounts if you’ve entered them on a fake site.
Booking.com, like most major platforms, employs robust security measures. The safety concerns arise primarily from phishing attempts that impersonate the platform, rather than inherent vulnerabilities in the platform itself. By exercising vigilance and adhering to safe online practices, particularly by verifying communications and making payments only through official channels, you can safely use Booking.com and other online booking services.