Booking a holiday? Watch out for this hard-to-spot scam

With summer fast approaching, many of us will be planning that much-needed holiday.

Holiday planning can be stressful - but for two Booking.com users, it became a nightmare when they were left hundreds of pounds out of pocket by a sophisticated scam.

The Scam Secrets team explain how the scam works - and how to stop the criminals in their tracks.

Scam Secrets listener Brendan was planning a trip to Austria, and used the trip planning site Booking.com to organise his hotel.

He booked a room in Vienna for around €950, with payment expected on arrival at the destination. So far, so normal…

“A few weeks later, I got an email from the hotel through Booking.com,” Brendan explained to Scam Secrets.

"[It] said, we are writing to inform you that your booking number is in danger of cancellation due to the system marking it as suspicious - you need to confirm your booking by following the instructions here."

"I thought that's a bit unusual, but I'll go ahead anyway".

As the email appeared to come from his hotel, via Booking.com, he wasn’t instantly suspicious.

He clicked the link in the email, and all his details seemed correct: name, dates and booking reference number.

Brendan was asked to pay the full amount to confirm his stay, which would then be refunded.

Brendan sent the money, but was then told the payment had not gone through and to try again. It was at this point that alarm bells began to ring for him.

“I began to wonder,” he thought. “Could this be a scam?”

He checked his bank account and found that the original payment had actually gone through.

Concerned, he called the hotel. The employee who answered was straight to the point, shouting: “SCAM! SCAM! SCAM!” down the phone.

“I felt really stupid at that stage,” Brendan says. His money was gone.

Listener Steve similarly received a message that appeared to be from the Booking.com platform directly, after arranging accommodation in Portugal for around €1800.

It resembled the usual post-booking confirmation email, but it also included a request to pay a certain amount to complete the transaction.

As the message came directly from Booking.com, Steve decided to make the payment.

“I'm slightly embarrassed about this now,” he told Scam Secrets. “We thought, right, let's just get this done.”

The official-looking message requested that the interaction move over to WhatsApp, where he provided bank details and made the payment.

Soon afterwards, he received another message from Booking.com telling him his reservation had been cancelled.

“Then of course you get that somewhat sick feeling in the pit of your stomach and think, hang on, this just doesn't feel right at all," he recalls.

Steve called the company and discovered that his €1800 had not reached Booking.com or the hotel in Portugal.

The scammers had struck again.

The fraudsters used a slightly method on listener Judith.

After reserving a hotel in Edinburgh via Booking.com, she received a WhatsApp message a few days later asking her to confirm her booking.

All her correct travel information was contained in the message, even down to her checking-in times. But Judith suspected something wasn’t quite right - and decided to turn detective.

"[The message] had come from a beautician sort of place. And, and at first I thought... some hotels have a spa place and, and perhaps part of that.

"But when I looked, the number said it was from Columbia, and that's what alerted me to the fact that it might be a scam. But I very nearly fell for it.

Cyber crime expert Rafe Pilling explains this method has multiple victims: starting with the hotel.

“Ultimately they want to get access to the hotel’s Booking.com account,” he told Scam Secrets. “They do this by what we call a phishing attack.”

A typical example of how this might pan out is that scammers contact the hotel directly, and build up a rapport with the desk staff, with a cover story – for example claiming to have lost an item during a stay.

They then email information about the lost item which includes a link - but it is actually malware designed to steal login information held by the hotel, hijacking the account.

This enables the scammers to correspond with customers in a way which looks authentic: booking details are accurate and links and information look professional, making it a very difficult scam to spot.

“It puts a lot of the advice that we give people about looking for suspicious links and getting emails out the blue, completely out the window,” Rafe explained.

“You are getting it through the platform that you've made a booking through and makes you much more likely to trust it.”

And it’s not just realistic links and messaging that can trick the consumer.

Scammers can set up websites that look entirely authentic and secure, even containing the previously security-conscious padlock icon, signifying an encrypted exchange. Everything seems completely legit.

Booking.com told Scam Secrets that frauds such as the ones suffered by Brendan, Steve and Judith are industry-wide.

They informed the show that they are constantly enhancing their security measures and trying to educate their accommodation partners about the types of scam they might encounter.

The company was unable to confirm if requests for a payment off its own platform were in themselves the sign of a scam – so there could be occasions where a hotel might contact a customer and require extra information or even additional payment - showing just how hard to spot this one can be.

But the company did say customers should always check the payment instructions they’re given at the time of their booking.

In recent days, Booking.com has been in the headlines after a data breach led to customer information getting into the hands of hackers.

The company told Scam Secrets that this incident was not connected to the scams highlighted in the show, but have warned customers about the possibility of criminals using this information to extort money.

It is not yet known whether this latest data breach will lead to an uptick in scams affecting Booking.com, similar to the ones suffered by Scam Secrets listeners.

This is a particularly hard-to-spot scam, using sophisticated techniques and software. But here are a few things to be aware of:

• Check the payment policy: If you’re suddenly faced with an unexpected payment amount, for deposit reasons or to confirm a booking, check the original booking page and see what the terms of payment were. If it doesn’t mention any additional payments, raise the red flag.
  
  
• Be wary of extra costs: Any unexpected extra cost, even if it does come from a seemingly legitimate source, should be treated with extreme caution. If in doubt, immediately contact the hotel directly.
  
  
• Look at location: As Judith discovered, the source of the email asking her for payment was a Colombian beautician. It’s easy to miss those sorts of details if you’re flustered and trying to ensure that your booking is made. Just check all the information provided carefully.
  
  
• Choose the right contact method: Calling the hotel directly is the best option as the hackers may have control of the accommodation’s website and their email may also be compromised.
  
  
• Never go to a second location: Even if the original email seems legit, if it’s suddenly asking you to click through to another website or onto WhatsApp, then pull the plug.
  
  
• Suspect different communication methods: If you made the booking via a website, and then you’re suddenly contacted via WhatsApp or another messaging method, be suspicious.
  
  
• Take a breath: It’s easy to mildly panic and try to fix a sudden, unexpected problem. But don’t be hasty. Before clicking links or sending money, take a step back and assess the situation. If anything at all seems a little off, contact the hotel directly.

As scams grow more and more sophisticated, it’s vital to be highly aware and suspect anything that doesn’t seem entirely legit.

In each episode of Scam Secrets, fraud investigator Shari Vahl, criminologist Dr Elisabeth Carter and ex-criminal Alex Wood (pictured above) dissect new and evolving techniques criminals use - so you can stop them trying it on you.

If you think you might have lost money in a scam like this, our article '5 Steps To Get Your Money Back' has some simple steps on how to take control back of the situation.

You can hear the full episode on the Booking.com scam and more stories like it on Scam Secrets. Listen on BBC Sounds.