As hotels brace for the surge of Easter holiday travellers, cybercriminals launch a sophisticated phishing campaign, posing as Booking.com, to compromise hotelier accounts. Microsoft has sounded the alarm, revealing the latest scam threatening the worldwide hospitality industry.
According to an in-depth Microsoft blog post, hackers are deploying fraudulent emails meticulously crafted to appear as official communications from Booking.com. The scam is designed to deceive hotel owners into surrendering their login credentials, which are then exploited to gain unauthorized access to sensitive financial information.
How the Scam Works: A Deceptive Trap for Hoteliers
The phishing attack begins when hotel owners receive an urgent email that appears to come from Booking.com. The content varies but commonly revolves around a fabricated guest complaint, a negative review, or an urgent request requiring immediate attention.
To add credibility, the email directs recipients to open a PDF or click a link, often disguised as a portal to “resolve the issue” or “challenge a review.” Upon clicking, the victim is prompted to verify their Booking.com login credentials, sometimes even encountering a CAPTCHA screen to create an illusion of legitimacy.
Once the login credentials are entered, cybercriminals swiftly access the hotel’s Booking.com account, manipulating payment details, extracting financial records, and even redirecting customer payments to fraudulent accounts.
Growing Cyber Threat: Booking.com Scams on the Rise
This is not the first time Booking.com has been targeted. Since 2023, Microsoft has observed similar fraudulent activities aimed at accommodation providers and travellers.
In Australia, the Australian Competition and Consumer Commission (ACCC) & ScamWatch reported that unsuspecting travellers had been duped by phishing emails posing as Booking.com, leading to financial losses exceeding $337,000. However, this latest scam shifts focus onto accommodation providers, who may lack advanced cybersecurity measures to protect themselves from such attacks.
Why Small Hotels and Independent Providers Are at Risk
Booking.com serves various accommodation providers, from luxury hotels to small family-run inns and boutique guesthouses. While major hotel chains often have dedicated cybersecurity teams, smaller establishments are particularly vulnerable due to limited resources and awareness of emerging cyber threats.
Given the urgency of the upcoming holiday rush, hoteliers must remain vigilant and take proactive steps to safeguard their businesses from potential financial and reputational damage.
Microsoft’s Recommendations: How Hotels Can Protect Themselves
Microsoft urges all hotel and accommodation providers to follow these critical steps to mitigate the risk of falling victim to phishing scams:
1. Verify the Sender’s Email Address
Always check the legitimacy of an email sender by hovering over the email address. Legitimate organizations like Booking.com do not request personal or financial information via unsolicited emails.
2. Contact Booking.com Directly
If an email appears suspicious, contact Booking.com through its official website or support channels rather than clicking links within the email.
3. Beware of Urgent Requests
Cybercriminals create a false sense of urgency to pressure victims into taking immediate action. Any request that demands an urgent response should be treated with caution.
4. Inspect Links Before Clicking
Hover over any embedded links to preview the URL. If the domain appears unusual or contains subtle misspellings (e.g., “b00king.com” instead of “booking.com”), it is likely fraudulent.
5. Watch for Typos and Poor Grammar
Phishing emails often contain spelling mistakes, grammatical errors, or minor variations of legitimate domains such as “rnicrosoft[.]com” instead of “microsoft.com.”
6. Educate Staff and Implement Cybersecurity Training
Ensure all employees handling guest reservations and financial transactions are trained to recognise and report phishing attempts.
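The link and domain checks in steps 4 and 5 can be automated for a shared reservations mailbox. The sketch below is an added example, not code from Microsoft or Booking.com; the trusted-domain list, the extra character swaps beyond the two the article names, and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the senders this mailbox legitimately receives links from.
TRUSTED = {"booking.com", "microsoft.com"}
# "0" for "o" and "rn" for "m" are the swaps named in the article;
# the remaining pairs are assumed additions.
SWAPS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample message body; .example hosts are placeholders.
SAMPLE_BODY = """A guest has left a complaint. Respond within 24 hours:
https://b00king.com/review
https://rnicrosoft[.]com/login
https://booking.com.guest-review.example/verify
https://www.booking.com/
https://newsletter.example/offers
"""

def skeleton(name):
    """Undo common look-alike character swaps so spoofed names collapse."""
    for fake, real in SWAPS:
        name = name.replace(fake, real)
    return name

def registrable(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url):
    # Accept defanged "[.]" notation so indicators pasted from reports also parse.
    host = urlsplit(url.replace("[.]", ".")).hostname or ""
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    if skeleton(domain) in TRUSTED:
        return "lookalike"          # e.g. b00king.com, rnicrosoft.com
    if any(t.split(".")[0] in skeleton(host) for t in TRUSTED):
        return "brand-in-host"      # brand name placed in front of an unrelated domain
    return "unknown"

def scan(body):
    """Map every URL found in a message body to its classification."""
    return {url: classify(url) for url in URL_RE.findall(body)}

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_BODY).items():
        print(f"{verdict:14} {url}")
```

Anything other than "trusted" is a reason to stop and contact Booking.com through its official website, as step 2 advises; "unknown" only means the link was not matched, not that it is safe.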
Tourism Industry’s Responsibility to Strengthen Cybersecurity
With cyber fraud evolving at an alarming rate, the tourism and hospitality industry must adopt a proactive approach to cybersecurity. Regulatory bodies, travel platforms, and hoteliers must work collaboratively to improve digital security standards, safeguarding businesses and consumers from online threats.
Booking.com has yet to release an official statement on this specific scam, but the company has consistently advised accommodation providers to activate two-factor authentication (2FA) and monitor account activities regularly.
Final Thoughts: Staying One Step Ahead of Cybercriminals
As holidaymakers gear up for Easter getaways, cybercriminals are ramping up their efforts to exploit businesses in the travel sector. Microsoft’s latest warning is a crucial reminder for hoteliers to remain alert, scrutinize incoming emails, and take decisive actions to fortify their cybersecurity measures.
Accommodation providers can ensure a safe and seamless booking experience for their businesses and guests by staying informed and implementing best security practices.
For further details on cybersecurity best practices, visit Microsoft’s official blog or Booking.com’s fraud prevention resources.
Written by: Sandra Jones