
A phishing scam on booking.com almost cost me £340

Thanks to the intervention of their credit card company, our reader was saved from losing money to a phishing scam that targeted booking.com - Koshiro K/Alamy Stock Photo

Gill Charlton has been fighting for Telegraph readers and solving their travel problems for more than 30 years, winning refunds, righting wrongs and suggesting solutions.

Here is this week’s question:

Dear Gill,

In June this year, my wife and I made a hotel reservation on North Uist, Scotland, through booking.com. We provided credit card details and the hotel said it would take payment 30 days before our arrival.

A few days ago I received a message from the hotel via booking.com, saying my reservation might be cancelled as my card had not been automatically verified and that I must click on the provided link and re-enter my card details.

When the card I’d used to confirm the reservation was refused, I tried with my Barclaycard. This seemed to go through but, a short time later, a Barclaycard agent phoned to say that booking.com had been hacked by fraudsters who had tried to take £340 from our account. Fortunately, Barclaycard had blocked the payment.

We are usually alert to these scams, but because the request contained an earlier message trail with the hotel, and was from the usual noreply@booking.com address, we assumed it was genuine.

The hotel said that this scam was widespread and that booking.com was aware of it. So why isn’t there a warning on its website?

Richard Harris

Booking.com says that the hotel our reader booked on the Hebridean island of North Uist has fallen victim to a phishing scam - Lemanieh/iStockphoto

Dear Richard,

I approached booking.com for an explanation and it took several weeks to get any sort of response. It claims that its own messaging system hasn’t been breached but that some of its accommodation providers have been targeted by phishing emails. By clicking on the embedded links, they had compromised their own security and allowed the fraudsters unauthorised access so they could communicate with guests.

The North Uist hotel is adamant that this was not a security lapse on its part (even though 20 of its guests had been targeted), as no staff members had the booking.com login details and the owner had not received any suspicious emails.

It is not clear who was at fault; booking.com says it is investigating your case but has not contacted the hotel. While it has sent out fraud alerts to accommodation providers about this latest scam, it has not warned customers using its site as it claims this scam has impacted a “small fraction” of users.

Scam messages usually include a sense of urgency and are often poorly worded, with bad punctuation and spelling mistakes. If you receive a message you are unsure of, it is best to phone the hotel directly to discuss the matter.

If the message includes a payment link, it may lead to a fake “mirror” site. Hover your cursor over the link to see its real destination. Booking.com never asks customers to provide credit card details by text message or email, or to provide verification of a payment card. For more information see its “safety tips for travellers” webpage.


Your travel problems solved

Gill takes on a different case each week – so please send your problems to her for consideration at asktheexperts@telegraph.co.uk. Please give your full name and, if your dispute is with a travel company, your address, telephone number and any booking reference. Gill can’t answer every question, but she will help where she can and all emails are acknowledged.