Travellers using the popular hotel website Booking.com are being warned not to fall for scam emails asking them to confirm their hotel payment, after a hack of Booking.com’s email system.
In recent weeks the Observer has been contacted by a number of customers claiming that they had received scam emails from within the Booking.com system.
In each case the customer had either checked in, or was due to check in, to a hotel they had reserved using Booking.com. The email – sent from noreply@booking.com – claims their stay may have to be cancelled unless they hand over their bank card details via an embedded link.
If they fail to do so within four or 12 hours – the emails vary slightly – the reservation will be cancelled. Notifications of the email have also appeared in the company’s app on mobile phones.
Booking.com has strenuously denied its system has been hacked and has, instead, blamed the messages on breaches in the email systems of its partner hotels.
But the affected hotels are complaining that this could not have taken place at their end.
Observer reader Julia Berridge says she was forced to cancel her bank card after she followed the instructions in the email she seemingly received from the website. She was staying in a hotel in Marseille earlier this month for two nights at a cost of €349.
The email containing the fraudulent payment request – seen by the Observer – had, apparently, been sent from a standard Booking.com email address. It had a link to her reservation, and came complete with all her stay details. She says the fact that a notification of the message appeared in the app on her phone made her think it was genuine.
Although she didn’t lose any money, she did input her card details and decided her only option was to cancel her card.
Kate Wright, who works in digital commerce, was not so lucky. She had a second payment taken after responding to the same email.
When she realised she had been charged twice she took it up with Booking.com, only to be told by the call centre staff that what she was saying had happened was “simply impossible”, she says.
“I was made to feel like I was being hysterical – the call centre refused to believe that scammers had sent out an email using the Booking.com system. But, after two days, I eventually received a message from the hotel, again via Booking.com, saying that the system had been breached, that it knew about it, but was not telling their customers.
Part of the message that Julia Berridge received from Booking.com.
“I was told to contact my bank. In the end I was refunded by the bank but only after I had spent four hours on the phone, and had my card replaced digitally. To say I am unhappy is a huge understatement,” she says.
Another reader, who asked not to be named, had the same experience after booking a hotel in Cardiff. She received a similar email which, she assumed, was from Booking.com.
“I only avoided losing hundreds of pounds because I became suspicious at the last moment before entering my card details and contacted the hotel directly.
“The hotel did not seem surprised, and asked if I had received a scam email. The only way that these scammers could have this info is through a breach at Booking.com, or the partner hotel’s interface, since it has all the booking details as well as previous email exchanges with the hotel in question.
“This must be something that Booking.com is aware of, but is keeping quiet. Don’t they have a duty to warn customers if they have been hacked?”
On the Booking.com partner hub – an information site for operators using the website – hoteliers have been complaining about the problem.
“Booking.com claims that someone got our login credentials, but that is not possible because we have two-factor authentication and we did not get any SMS.
“So someone logged in to our account, on a new computer, but we didn’t receive the SMS code nor the email ‘Booking.com – new sign-in to your account,’” complains Hotel de Colegio.
This is the latest problem to hit the website, which fast became the go-to hotel booking site for millions of travellers. Last month it was accused of leaving many hotel operators and other partners across the globe thousands of pounds out of pocket for months on end, blaming the lack of payments on a “technical issue”.
In a statement, Booking.com told us that ensuring its platform was safe and trustworthy for its partners and customers was its “top priority”.
“Some of our accommodation partners have, unfortunately, been targeted by very convincing and sophisticated phishing tactics, encouraging them to click on links, or download attachments outside of our system, that enable malware to load on their machines and, in some cases, led to unauthorised access to their Booking.com account,” it says.
“These fraudsters then attempt to impersonate the partner to request payment from customers outside of the policy in their booking confirmation.
“While neither Booking.com’s backend systems, nor infrastructure, have been breached in any way, we are acutely aware of the implications of such scams by malicious third parties to our business, our accommodation partners and to our customers, who can fall victim to professional scammers.
“If a customer has any concerns about a payment message, we encourage them to check the payment policy of the accommodation, which is easy to find on the property listing page, or contact our customer service team, which is available around the clock.
“We will also be reaching out to the customers in these cases directly to ensure they are fully supported,” it adds.