Week 28: What to look out for when you book a hotel

Languages

Service navigation

Search

Navigation

Week 28: What to look out for when you book a hotel

16.07.2024 - Holidaymakers like to spend the best and most relaxing days of the year in different ways: some want to explore foreign cities, others want to sunbathe on an idyllic beach or go on walks or bike rides in the countryside. These days many of these holiday activities can be booked online. Cybercriminals know this too: they use phishing scams to impersonate travel companies in order to obtain login details or credit card information. Scammers also create fake hotel websites. In one recent case, they even hijacked a hotel's Booking.com account.

Booking websites help travellers find available hotel rooms at any time of day. They are an important tool for hotels too, to help them fill as many of their rooms as possible. Scammers know that these sites are popular and find many different ways to trick both the people looking for rooms and the people offering them.

Fake hotels, phishing sites and price manipulation

Cybercriminals can create fake hotel profiles, holiday home adverts or even entire booking websites offering great deals. Some scammers offer rooms that are not available: when guests arrive at the hotel, they find out that their reservation is fake.

In one case reported to the NCSC, a website was offering luxury chalets in well-known Swiss holiday destinations for rent at unbeatable prices. People booked chalets and apartments on this website, only to find out they never actually existed. The website was set up by scammers to defraud holidaymakers. Fraudulent websites may also manipulate prices by adding hidden fees or increasing the price after the booking has been made.

Phishing scam uses booking confirmations

In recent weeks, the NCSC has repeatedly received reports that cybercriminals have taken over hotels' accounts on Booking.com. Not only were the attackers able to view current bookings, they were also able to access the payment processing system and guests' personal information.

Once they had access to this sensitive information, the attackers sent emails and messages to guests who had already made reservations at the hotel. These messages were designed to look like they came from the hotel; they claimed to contain important updates about guests' reservations. Guests were asked to confirm their personal information or re-enter their credit card details to supposedly finalise the reservation.

In recent cases, scammers have gone as far as calling their victims claiming to be from the booking website. In one case, a scam victim was called from a fake support number and asked to verify their account details. This required them to install a remote support application. The app gave the attackers full access to the victim's computer. It is not clear what the attackers were planning to do with the access they gained. The NCSC believes they were likely trying to gain access to the victims' e-banking accounts.

Recommendations

  • Only use trustworthy and verified booking websites. Hotel booking websites such as Booking.com, Expedia and Airbnb have security measures and customer protection programmes in place;
  • Read the reviews: Look for a large number of reviews and check both the positive and negative comments. Be suspicious of hotels that have a majority of either extremely positive or extremely negative reviews. Missing company details or information on how to make a complaint can also be a sign that a booking website is untrustworthy;
  • Make sure that the booking website's URL is correct;
  • Check that you have received an official confirmation email from the booking website and the hotel;

What to do if you have been scammed

  • Report the scam to the booking website immediately and ask them to help you;
  • Report the scam to your bank or credit card company so that they can stop or reclaim payments;
  • Report the scam to the police and make sure you give them all the information they need, including all correspondence to and from the scammers. You can find your nearest police station on the Suisse ePolice website (https://www.suisse-epolice.ch/search-station);
  • Talk about what happened to you: report the scam online on forums and other websites to warn other travellers – but choose your words carefully to avoid being sued for defamation;

Last modification 16.07.2024

Top of page

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2024/wochenrueckblick_28.html