HOLIDAYMAKERS are being warned about a Booking.com scam that has already cost victims £370,000.
Fraudsters are hacking hotel accounts on the platform and sending fake messages or emails that look legitimate.
This often happens when hotel staff accidentally click on a malicious link in an email, giving criminals access to the hotel’s account on the platform.
Once inside, scammers send messages to customers claiming payment details need to be verified or that a card has been declined.
They then trick holidaymakers into entering their banking details via fraudulent links.
Action Fraud has received over 500 reports of the scam between June 2023 and September 2024, with victims collectively losing £370,000 – or £700 per person.
Customers have shared their close calls with the scam on X (formerly Twitter).
One showed a message directly through their Booking.com app which read: “Dear [XXX], we need you confirmation.
“Your reservation and the details you entered are still pending. If you don’t verify and complete everything within the next six hours, your booking will be automatically cancelled – no exceptions.”
The customers is then directed to click on a rogue link in the message chain to “confirm and finalize” their trip – even though it’s already paid for.
Consumer rights expert Martyn James said: “If you get a message from a hotel or host through Booking.com or an email asking for your card details, ignore it.
“Only go through your Booking.com portal on the website to confirm payment details.
Booking.com scam warning signs
HERE are the three urgent warning signs you must keep an eye out for:
- Messages claiming your payment method needs to be verified
- Emails or messages saying your card has been declined
- Requests to enter your card details by clicking on a link in a message
“Do not send money via links and never pay with bank transfers or PayPal‘s ‘friends and family’ option.”
Booking.com said its security hasn’t been hacked, but scammers may have accessed the IT systems of some hotels listed on its site.
A spokesperson added: “Unfortunately, there is an increasing number of online scams targeting many businesses operating in the e-commerce space.
“With the rise of AI, cybercriminals are able to create increasingly sophisticated scams.”
If you get a message on Booking.com asking for payment, contact your hotel, airline, or service provider directly to make sure it’s real.
Meanwhile, another scam targeting holidaymakers uses fake Booking.com websites to trick people into downloading harmful files that give criminals control of their devices.
HP Wolf Security says scammers send emails with links to these fake sites.
When visitors click “accept” on the cookie pop-up, the malicious file is downloaded.
Hotel booking scam cost me £800
By Laura Purkess
CYBER scammers are impersonating hotels to steal holidaymakers’ cash.
Crooks swiped more than £15million from travellers through a range of rackets over the year to April, Action Fraud revealed.
Recently, grifters have been messaging customers who have reserved hotels via travel website Booking.com.
The website said its own security had not been breached, but confirmed that a number of the venues it lists have had their IT systems compromised by con artists.
This can happen if a member of the hotel’s staff mistakenly clicks on a link in an email sent by criminals, who can then log into the hotel’s account on the booking site and message customers directly.
Student Viktoria Tkach was duped into paying nearly £800 in one such scam.
The 21 year-old, of Greenwich in South East London, had booked a trip to Sharm El Sheik, Egypt, with mum Natalie, 50, in February.
A week before departure, Viktoria got a message, apparently from the hotel, saying she must pay £791 towards her stay or the reservation would be cancelled.
She said: “Because the message appeared in my Booking.com account and looked so official, I felt like I had to follow orders.”
It wasn’t until Viktoria and her mum got to the hotel that she realised she had been scammed as the receptionist told her the full £937 for their 11-night break still had to be paid.
She felt she had no choice but to fork out a second time.
Viktoria fought for five months to get her money back, but Booking.com, the hotel and her bank all refused.
It was only when Sun Money stepped in that Booking.com agreed to a refund.
A website spokesperson said: “While there has not been a security breach on Booking.com, we are aware some of our accommodation partners were targeted by phishing messages, which compromised their internal systems.
“We take safety and security very seriously and were sorry to hear about Viktoria’s experience. This is not the level of service we strive to provide.”
It has now refunded Viktoria’s money with an extra goodwill payment.
Sun Money journalist Mel Hunter was targeted by a similar scam when she booked a holiday in Faro, Portugal, this month.
“The fact the message appeared in my Booking.com account made it so convincing,” she revealed.
“Thankfully I smelled a rat, but the hotel told me other guests had lost money.”
Booking.com said it is supporting its hotel partners with training and guidance.
How to report scams
If you think you have been a victim of a scam, you should report it as soon as possible.
There is no guarantee you’ll get your money back, but banks will often compensate you if you can show you did not know the money would leave your account.
You can forward scam emails to report@phishing.gov.uk.
If you notice a website that doesn’t look quite right, you can also report it to the National Cyber Security Centre by visiting ncsc.gov.uk/section/about-this-website/report-scam-website.
You should also contact your provider and report it to Action Fraud, which will give you a crime reference number.
You can do this online by visiting actionfraud.police.uk or by calling 0300 123 2040.
If you’re in Scotland, report a scam through Advice Direct Scotland online by visiting consumeradvice.scot. You can also report scams to Police Scotland on 101.
If you need further help, contact Citizens Advice Scams Action by visiting citizensadvice.org.uk/consumer/scams/get-help-with-online-scams or calling 0808 223 1133.
Action Fraud's advice on holiday fraud
THINIKNG about booking a holiday this year? Follow our top tips to avoid falling victim to holiday fraud
DO YOUR RESEARCH: Before committing and booking your dream holiday, make sure that you do a thorough online search to ensure the company is credible.
PAY SAFELY: If you have a credit card, use it when shopping online. Most major credit card providers protect online purchases.
LOOK FOR LOGOS: Check if a travel company is an ABTA, the Travel Association, member or an ATOL holder. Look for the ABTA logo on the company’s website. If you have any doubts, you can verify their membership of ABTA online on their website. If you’re booking a flight as part of a package holiday and want to find out more information about ATOL protection, visit the ATOL website.
STAY SAFE ONLINE: Use three random words to create a strong email password that’s different from all your other passwords. If two-step verification is available, always enable it.
WATCH FOR SUSPICIOUS MESSAGES: Be cautious of unexpected emails or messages offering unrealistic holiday deals. If you receive a suspicious email, report it by forwarding it to: report@phishing.gov.uk
PROTECT PERSONAL INFORMATION: Only fill in the mandatory details on a website when making a purchase. If possible, don’t create an account for the online store when making your payment.
BOOK WITH CONFIDENCE: Be sceptical of unrealistic holiday deals. If they sound too good to be true, they probably are. Exercise caution and research before making a purchase.