gcluley,

One of the world's largest online travel agencies, Booking.com, is being used by fraudsters to trick hotel guests into handing over their payment card details.

How do I know? The fraudsters tried the trick with me.

https://grahamcluley.com/fraudsters-target-booking-com-customers-claiming-hotel-stay-could-be-cancelled/

cirriustech,

@gcluley looks to have been going on for at least a few weeks, via compromised accounts of member hotels https://perception-point.io/blog/booking-com-customers-hit-by-phishing-campaign-delivered-via-compromised-hotels-accounts/

gcluley,

@cirriustech Thanks - hadn't seen that article before, but yeah - looks like the same thing.

cirriustech,

@gcluley not surprised, they don’t seem to care much about security…

https://securityheaders.com/?q=https://www.booking.com

webhat,

@gcluley I saw this today in the news, apparently the Singaporean police already said 2 weeks ago that people had been scammed for $41k (unsure if this is USD or SGD) using this method

https://nos.nl/artikel/2495177-vakantiegangers-opgelicht-via-officieel-berichtensysteem-van-booking-com

thierna,

@gcluley So reading your post, how would I know that this is really from the hotel I booked?
And is it actually legal to require a mailed copy of my ID card or passport?
Also, booking on booking.com, I already told my name, address and phone number. So why ask for it again?

mnda,

@gcluley I just today had a call from “Goldman Sachs” pretending that someone tried to use my Apple Card for fraudulent charges. They sounded legit… until they wanted my full card number “to reset the charges.” They got nervous when I mentioned I could reset my card number with a click and I had no transaction notifications. They hung up on me after that. Confirmed w/Apple-GS via text immediately afterwards that it was a total scam.

skyfire101,

@gcluley I hate that you can't delete your account once you create it!

box464,

@gcluley This happens fairly often, unfortunately, with conferences that have hotel blocks. Fraudsters will pick up on the event dates and run ads with links to fake sites (even with logos / branding to match) where attendees enter card data to book rooms.

kkarhan,

@gcluley I guess .com needs to learn how to , , & their shit, cuz I've yet to hear of a similar exploit on .com ...

jentrification,

@gcluley it's so scary to read all of these posts on Reddit from those that have been scammed. even scarier that booking knows the scammers have created a back door and haven't fixed it.

zachvat,

@gcluley

Booking-dot-nnooooooooooo

tutwilly,

@gcluley would using virtual credit cards help protect against any of this?

stu, (edited)

@gcluley booking.com uses email on the backend for these messages. Each booking gets a unique email address (originally intended to prevent hotels directly contacting guests to encourage them to rebook direct). Because the messages get proxied via a booking.com email address they look completely legit, or at least only as fake as the real messages hotels send. (I worked at booking for 9 years and was there when they introduced this messaging system, happy to answer any questions!)

lazerdye,

@gcluley this is really concerning, thank you for this. I almost fell for something similar with Airbnb.

stux,

@gcluley good read! 💪

Luk,

@gcluley The worst part is that actual hotels do the same thing. I called the hotel and they confirmed this was legitimate...

I work in this industry and I got VERY worried when receiving this message. The hotelier didn't think much about it, they want the actual CC number because Booking hides it from them.

dougiec3,

@gcluley
I stopped my Netflix membership a couple of weeks ago and a couple of days ago, got an email offering me 90 days of FREE! Netflix! If I accepted all I had to do is confirm all my payment information. Nothing Netflix about the return email address.

TheBuell,

@gcluley Hello there! Fancy running into you on here!

gcluley,

@TheBuell Hi Alex!

TheBuell,

@gcluley Sorry mate, I hadn't noticed the follow request until today. Resolved!

TheBuell,

@gcluley How's life?

1900490Freak,

@gcluley read the article and the fact they were able to use the booking email is so wild. Hopefully more people are made aware of this scam

stuart,

@gcluley

The phishing domain name jumped out at me if you were using a browser and always check the URL displayed when inputting anything.

Whereas apps leave you blind and tidy stuff up for cosmetic reasons - bit like Microsoft losing the file suffixes. IMHO inherent security risks by design.

Close call though. Don't try though. Illusory prices, service charges and failure to complete when you think they have.
