NEW YORK (MainStreet) — More bad news for travelers: leading hotel site Booking.com has acknowledged that some 10,000 of its customers have been targeted by scammers - and at least some of the victims forked over money.
Booking.com is a ferociously busy site. It claims that every day it sells some 700,000 room nights in 200 countries. For some customers, that booking went wrong in a big way.
The scam works this way. Sometime after booking a hotel on Booking.com, Joe Traveler is contacted via email - sometimes the email appears to be from Booking.com, sometimes from the hotel - and told that to continue to hold the reservation the hotel needs cash.
Booking.com reservations are with no money down. The email turns that policy around.
One traveler, cited in a BBC write-up, had booked several rooms for herself and colleagues to attend a London trade fair. She was told, in what appeared to be a Booking.com email, that because the week was so busy she had to pony up £3,000 (about $4,750) to hold the rooms. She also got an email from the hotel, a Hilton, saying much the same. She called Booking.com, was told to ignore the emails and did not lose a dime.
Not so lucky is one Canadian traveler - also headed to London - who was told she needed to prepay about $1,500, which she did. That money later was refunded by Booking.com.
In many cases the scamsters offered a valuable perk - such as a complimentary airport transfer - in return for a fast payment.
In an email to MainStreet, Andre Manning, head of global PR for Booking.com, acknowledged that the attack occurred and indicated it happened this past summer.
“We of course have taken our time to work with all parties involved, most importantly our customers to make sure the impact on them is as minimal as possible,” Manning said. “We have taken the financial burden of this, though we have not and will not disclose(d) the total amount of refunding to our customers. We also said this was no data breach and that phishing is an industry wide phenomenon that we now have been confronted with like other e-commerce companies in the past. We have immediately stepped up our security measures and will continue to counter these criminal activities and to make sure booking accommodations via Booking.com is safe.”
Lawyer Steven Weisman, who is a professor at Bentley University in Massachusetts and who blogs at Scamicide, pinpointed perhaps the most unsettling aspect of this scam. “Maybe nobody knows how this happened,” he said.
Booking.com has not disclosed the how-to and, remember, the scammers had minute, very accurate details about thousands of hotel bookings. They appear to have known the guest name, dates, the name of the holiday, possibly even the exact room rate. That’s why their “phishes” - precisely targeted scam emails - were so successful.
At least one hotel company - Hilton - has denied that it was hacked.
Booking.com insisted it was not breached. “Booking.com may well be accurate,” said Weisman.
Cybersecurity expert Joseph Steinberg, chairman of authentication company Green Armor Solutions in New Jersey, said it remains unclear who is to blame for the weakened security protection.
“Someone has a vulnerability,” he said. “Could it have leaked from a partner? A hotel? We just don’t know that much right now.”
Steinberg also said he was aware of hacker chatter that Booking.com has obvious vulnerabilities, but, he insisted, he had not verified those claims.
The takeaway: assume any site can be hacked, said Weisman.
Where does this leave travelers? The obvious answer, said Weisman, is “trust no one.” He explained that the cure here is to receive any email skeptically. When an email comes in - purportedly about a hotel room you in fact have booked - do not click on links in the email. Instead, go directly to the website where you booked the room, click into “account,” and see if in fact you owe money. Or pick up the phone and call in - but call the help desk number on the website, not one in an email (which might connect you directly to a criminal who of course will assure you that, indeed, you need to pay up or lose the room).
But know this: criminals love proven scams. This one worked. It will work again. Maybe not at Booking.com. But at another hotel website.
--Written by Robert McGarvey for MainStreet