We book a property online through Booking and, shortly afterwards, receive a WhatsApp message saying that the booking was not successful and that we must click the link in the message and enter our card details to resolve the problem. The message appears extremely credible because it is not generic: it specifically mentions the name and surname of the person who booked, the contact details and other booking details. Because the fraudulent interaction slots into the legitimate relationship between the customer and the accommodation facility, it risks claiming numerous victims precisely because of its apparent credibility. In this in-depth article we look at how the new booking scam on Booking works, examining a little more closely the mechanism that springs the trap, and then at the security measures with which to defend yourself.
How to spot the Booking reservation scam and how it works
The mechanism observed is as simple as it is sophisticated: scammers manage to obtain authentic booking details (name, telephone contact, information on the booked hotel, etc.) and then use this information to construct a personalized message that is credible and acts as bait. In many cases, the communication arrives via informal channels such as WhatsApp or via email, and contains a request for immediate action, such as entering card details or making a bank transfer. This dynamic exploits our tendency to trust a message that ties in with a real action we have just performed.
IT experts, such as Paolo Dal Checco, rule out that the problem arises from a direct compromise of the booking platform used by users, i.e. Booking. The most widely accepted hypothesis instead concerns illicit access to the email accounts of accommodation facilities. This is where phishing comes into play, a technique in which an attacker pretends to be a trustworthy person to obtain credentials or sensitive information. Once access is gained, criminals can automatically monitor incoming and outgoing communications, intercepting each new booking in near real time.
This type of control is often achieved by configuring filters or automatic forwarding within the compromised email inbox (that of the accommodation facility). In practice, messages are copied or redirected without the owner realizing it. From that moment, the scammer has a privileged window on the interactions between hotel and customer.
Another key concept is email spoofing, which is the falsification of the sender’s address to make a message appear to come from a trusted source. Although protection systems exist, such as DMARC (Domain-based Message Authentication, Reporting & Conformance), a standard that verifies the authenticity of emails, they are not foolproof: under some conditions, unauthenticated messages can still be delivered.
How to defend yourself if you are intercepted
To defend ourselves from the Booking reservation interception scam, we must stop for a moment and analyze the message received on WhatsApp or via e-mail from what appears to be the accommodation facility to which the reservation was sent. This is especially true when the communication, although it appears authentic, pushes us to take action out of a sense of urgency. This is a huge alarm bell that should never be ignored. Never.
It is essential to always verify the real sender. It is not enough that the name displayed in the email is that of the facility: we must check the complete address and make sure it ends with the official domain of the platform (e.g. [email protected]). And in the case of WhatsApp messages, check that the mobile number corresponds to that of the facility and does not come from a foreign prefix (unless the facility is actually located in the foreign country corresponding to the prefix).
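The sender check described above, together with the DMARC caveat from the previous section, as an added Python example that is not part of the original article. It compares the real address domain (not the display name) with the official domain and reads the DMARC verdict only from the header written by the recipient's own mail server. The brand "Hotel Aurora", the domain `hotel-aurora.example` and the server identifier `mx.guest.example` are assumptions invented for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_matches(domain, official):
    """True only for the official domain itself or a genuine subdomain of it."""
    domain, official = domain.lower().rstrip("."), official.lower()
    return domain == official or domain.endswith("." + official)

def dmarc_verdict(msg, authserv_id):
    """DMARC result stamped by our own receiving server (authserv_id); headers
    from any other server are ignored, since a sender can add arbitrary ones."""
    for value in msg.get_all("Authentication-Results", []):
        server, _, results = value.partition(";")
        if server.strip().lower() != authserv_id.lower():
            continue
        found = re.search(r"\bdmarc=(\w+)", results, re.I)
        if found:
            return found.group(1).lower()
    return "none"

def check_sender(raw, brand, official, authserv_id):
    """Return a list of warning codes; an empty list means no red flag found."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2]
    warnings = []
    if not domain_matches(domain, official):
        warnings.append("domain-mismatch")
        if brand.lower() in display.lower():
            warnings.append("display-name-lure")
    if dmarc_verdict(msg, authserv_id) != "pass":
        warnings.append("dmarc-not-pass")
    return warnings

# Constructed messages: every name, domain and header value is invented.
LOOKALIKE = (
    "Authentication-Results: sender.invalid; dmarc=pass\n"
    "Authentication-Results: mx.guest.example; spf=pass; dmarc=none\n"
    'From: "Hotel Aurora Reservations" <desk@hotel-aurora.example.pay-verify.invalid>\n'
    "Subject: Your booking could not be confirmed\n\nPlease re-enter your card details.\n"
)
GENUINE = (
    "Authentication-Results: mx.guest.example; dkim=pass; dmarc=pass\n"
    'From: "Hotel Aurora Reservations" <desk@mail.hotel-aurora.example>\n\nSee you soon.\n'
)
if __name__ == "__main__":
    for raw in (LOOKALIKE, GENUINE):
        print(check_sender(raw, "Hotel Aurora", "hotel-aurora.example", "mx.guest.example"))
```

A lookalike domain can publish its own DMARC record and pass, which is why the domain comparison runs independently of the DMARC verdict.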
If you have even the slightest doubt that a message may have a sinister origin, do not click on any links, do not provide payment information and do not make payments. Instead, contact the property by telephone and report the incident to ensure that your booking is confirmed and to inform the property managers of the probable IT security problem they are experiencing.









