Warning issued after £370,000 lost due to Booking.com fraud

A warning has been issued after hundreds of Booking.com customers lost a total of £370,000 in a hotel payments scam.

Action Fraud, the national reporting centre for fraud and cybercrime, said it received 532 reports between June 2023 and September 2024 where hotel accounts were taken over by fraudsters and used to request unnecessary payment from customers.

The criminals reportedly sent in-app messages, emails and WhatsApp messages to customers to trick them into paying or sharing their credit card details.

It is believed the account takeovers were the result of a “targeted phishing attack against the hotel”, rather than it being a problem with Booking.com’s infrastructure.

Adam Mercer, deputy head of Action Fraud, said: “If you receive an unexpected request from a hotel’s account you booked with using Booking.com, asking for bank details or credit card details, it could be a fraudster trying to trick you into parting ways with your money. Contact Booking.com or the organisation directly if you’re unsure.

“Remember to report any suspicious emails by forwarding it to report@phishing.gov.uk, or if you receive a fraudulent text message, you can forward it to 7726.”

Booking.com said no genuine transaction would ever require a customer to provide their credit card details by phone, email, text message or WhatsApp.

It has encouraged customers to verify any attempts by a hotel to take credit card details and contact Booking.com customer service if they receive any urgent payments requests, such as a cancellation.

Any messages purporting to be from Booking.com that contain instructions to follow links and/or open/download files should be treated with caution, the company said.

If customers have any doubts about a message, they have been advised to contact Booking.com directly.

Booking.com is one of the largest online travel agencies in the world and lists over 29 million hotels, B&Bs and homes to stay in worldwide.

In 2023, it urged partner hotels to install two-factor authentication following a rise in phishing emails.

A spokesperson for Booking.com said: "Phishing attacks pose a significant risk to all businesses operating in the e-commerce space. Thanks to the robust measures and systems we have in place and our continuous efforts to enhance them, considering our global scope and the number of transactions we facilitate via our platform, actual incidents are rare. And in an instance where we detect unauthorized access, our aim is always to quickly block it and take necessary corrective measures, including informing any affected parties in a timely and transparent manner.

"We remain fully committed to proactively helping our accommodation partners, from small independents to large hotel chains, to keep their businesses protected. This includes providing cyber security advice via communications, face-to-face workshops and a dedicated cyber-security advice hub, In addition, 2FA (two factor authentication) is mandatory for all of our accommodation partners and we have introduced a risk based 2FA, where unusual behaviour and suspicious activity is monitored and triggers additional 2FA, helping to better protect partner accounts." 

Image: Koshiro K/Shutterstock