Just a few days after Kay Pedersen reserved a hotel room in Chiang Mai, Thailand, she received a scam email purporting to be from Booking.com.
It was a “warning” that appeared to be from the online travel agency. In broken English, it cautioned that there had been “malicious activities” in her account.
And then the problems began. The next day she noticed a new reservation at another hotel. And then another one. She and her husband, Steven, reported the fraudulent activity immediately and Booking.com canceled all of their hotels, including the one in Chiang Mai.
“We immediately called Booking.com’s customer service requesting our original reservation be reinstated and these other odd ones, which we had not made, be canceled,” says Steven Pedersen. “They were able to do so, but not at our original rate. The rate would now be more than twice as much.”
There are more people like the Pedersens out there. A new wave of scams has hit travelers hard. A few weeks ago, criminals reportedly stole Booking.com passwords through its internal messaging system. Other popular targets include loyalty program accounts and other online travel agencies.
Why is this Booking.com scam spreading?
Why are online accounts from companies like Booking.com so vulnerable to scams?
“They hold very sensitive information, such as passports, driver’s licenses, dates of birth, and travel dates,” explains Caroline McCaffery, CEO of ClearOPS, an AI-powered security program management platform.
You don’t have to be a victim. There are strategies you can use now to ensure you won’t lose your hard-earned frequent flier points or see your hotel reservation get canceled. But there are also things you can avoid doing online that will keep your account safe. Ultimately, though, this isn’t your problem to solve, but I will tell you whose it is in a second.
How to avoid a Booking.com scam
Here’s how to keep your online travel account safe from all scams, including those on Booking.com.
Use two-factor authentication
Two-factor authentication (2FA) requires a special code, along with your password, to gain access to your accounts. “Hackers can’t access this if they don’t have access to your device directly,” explains Zulfikar Ramzan, chief scientist at Aura, a digital safety company. He says if you’re using 2FA, it’s better to use an authenticator app rather than text messages for receiving 2FA codes, since hackers can also steal messages sent to your phone number.
Enable login notifications
That way, you’ll know if someone has accessed your account. “Actually, make sure you enable as many security settings as possible for the platforms you use,” says cybersecurity expert Amir Sachs, CEO of Blue Light IT.
Don’t repeat your password
Never use a simple password, and never, ever use the same password for multiple accounts. “The best way to prevent any online account from getting hacked is to have a strong and unique password for each site,” says Kevin Dunn, a senior vice president at NCC Group, a global cybersecurity consulting company. (Services like Google Password Manager, LastPass and Dashlane can help.)
Practice safe Wi-Fi
Keep an eye on your devices in public places such as airports, hotels, and restaurants to prevent theft and unauthorized access, advises Ted Miracco, CEO of Approov, a security company for mobile applications. Avoid connecting to public Wi-Fi networks, but if you have to, use a virtual private network (VPN). Hackers can easily capture your personal information on a public network. “This is a growing threat and more common than most users realize,” he says.
Yes, you’re part of the problem
Obviously, travelers are part of the problem. They use insecure passwords, don’t take security precautions, and log on to dangerous wireless networks. But travelers are inherently vulnerable, say experts. And it’s not just a Booking.com scam, either.
“People who are traveling are inclined to share too much personal information,” says Bob Bacheler, managing director of Flying Angels, a medical transport service. “Oversharing personal information on social media or with unknown websites can lead to identity theft or targeted attacks.”
Another issue, which isn’t necessarily unique to travelers, is clicking on suspicious links. Many of the hacking cases I deal with as a consumer advocate started with phishing, a technique that solicits sensitive information by pretending to be a legitimate business.
“Consumers often fall prey to phishing scams related to travel bookings,” explains Albert Martinek, a customer cyber threat intelligence analyst at Horizon3.ai.
Want to avoid a hack? Never do this
Make no mistake, nothing leads to a hacked account faster than sending personal information by clicking on a malicious link. (You can avoid the problem by always accessing the website directly — never, ever follow the link.)
It’s remarkable to watch otherwise intelligent people falling for these scams every day. And by “every day,” I really mean every day. That’s about how often I get complaints about a hacking problem. And 9 times out of 10, it’s because they fell for a phishing scam.
Many hacking attempts end badly for the victim, with frequent flier miles lost forever or money withdrawn from travelers’ accounts.
But not the Pedersens’. I contacted Booking.com on behalf of the couple, and it promised to investigate. But even so, the Pedersens left for Thailand without knowing if they had to pay the higher hotel rate.
Booking.com said it investigated the incident and determined that Pedersen had fallen for a phishing scam directed at his Booking.com account. A representative said Booking.com had already secured his account and would refund the difference between the new rate and the old one.
Then, I got an email from Steven Pedersen.
“We arrived at the hotel yesterday, and, after much explanation showing copies of all the confirmations with their supervisor, a hotel representative finally understood the situation and reinstated our original rate,” he reports. “The process took several hours.”
Who’s responsible for hacks that lead to the Booking.com scam?
Don’t worry, you’re not responsible for this problem. The companies that didn’t protect you are at fault. And it’s up to them to fix it.
There’s a fix that would solve most of these hacking problems. It’s called Passkeys, a passwordless login method in which your device holds the credential and unlocks it with a biometric such as a fingerprint or face scan.
Some travel companies have already adopted Passkeys, including Kayak and Uber. (Here’s a directory of companies that currently use Passkeys.)
Travel companies are hopelessly vulnerable, and this problem will almost certainly get worse before it gets better. Consider that online travel agencies often share personal data with three or four different parties when they fulfill a booking request. Not passwords, but certainly enough personal data that it could cause problems if the information were to fall into the wrong hands.
The travel industry’s computer systems were designed with one thing in mind: to increase profits. They move customers’ money quickly and efficiently but generally treat your data carelessly. Unless there are real consequences for playing fast and loose with your personal information, including your passwords, this problem will not go away.
It’s not your fault — but you will have to pay for it.
Elliott’s tips for avoiding a Booking.com scam
Here are a few more strategies for keeping your accounts from getting hacked.
Book directly with a reputable company
Think twice if you don’t recognize the online travel site. There are just too many fly-by-night operations that either treat your personal data carelessly or, in some cases, just steal it. And that’s especially true if the deal looks too good to be true. “Better yet, book directly with the travel company or airline,” says Bala Kumar, chief product officer at ID verification platform Jumio.
Be suspicious of urgent emails
Many hacks happen through booking partners, which can have IT systems with lax security. The pattern is similar: Someone will gain access to the email system of a booking partner and use it to send a message urgently warning you, often a day before your travel, that your booking is at risk of cancellation unless you send your credit card details again. “Obviously, the hackers are just trying to get your credit card information,” says Corey Nachreiner, chief security officer at WatchGuard Technologies, a network security company. Report the email to the company immediately.
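As an added illustration, not part of the original column or from any company quoted in it, here is a small Python checker that scores a message against the red flags described above: urgent cancellation language, a request to resend card details, and sender or link domains that are not the site the traveler actually booked with. The trusted-domain list and both sample emails are constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass
class Email:
    sender: str
    subject: str
    body: str

# Signals taken from the pattern above: urgency, a request to resend
# payment card details, and sender/link domains outside the booking site.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|will be cancell?ed|at risk)\b", re.I)
PAYMENT = re.compile(r"\b(credit card|card (details|number)|cvv|resend your payment)\b", re.I)
LINK_HOST = re.compile(r"https?://([^/\s]+)", re.I)

# Hypothetical allowlist: the site the traveler booked with (assumption for the example).
TRUSTED_DOMAINS = {"booking.com"}

def is_trusted(host: str, trusted: set[str]) -> bool:
    """True only for the exact domain or a real subdomain; 'booking.com-verify.example' fails."""
    host = host.lower().split(":")[0]
    return any(host == t or host.endswith("." + t) for t in trusted)

def score_email(mail: Email, trusted: set[str] = TRUSTED_DOMAINS) -> tuple[int, list[str]]:
    """Return (number of red flags, reasons). Several flags together is a strong phishing signal."""
    reasons: list[str] = []
    text = f"{mail.subject}\n{mail.body}"
    if URGENCY.search(text):
        reasons.append("urgent/cancellation language")
    if PAYMENT.search(text):
        reasons.append("asks for payment card details")
    sender_host = mail.sender.rsplit("@", 1)[-1]
    if not is_trusted(sender_host, trusted):
        reasons.append(f"sender domain not trusted: {sender_host}")
    for host in LINK_HOST.findall(mail.body):
        if not is_trusted(host, trusted):
            reasons.append(f"link points outside trusted domains: {host}")
    return len(reasons), reasons

# Constructed sample messages (not real emails).
PHISH = Email(sender="reservations@partner-hotel.example",
              subject="URGENT: your booking will be cancelled",
              body="Please confirm your credit card details within 24 hours at "
                   "http://booking.com-verify.example/confirm or your stay will be cancelled.")
LEGIT = Email(sender="noreply@booking.com",
              subject="Your reservation in Chiang Mai is confirmed",
              body="Thank you for booking. View it at https://secure.booking.com/mybooking")
```

Running `score_email(PHISH)` returns four flags, while `score_email(LEGIT)` returns none; the look-alike host check is the part most worth keeping, since a domain that merely starts with the real brand name is exactly what these messages rely on.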
Mind those foreign phone numbers
If you’re setting up two-factor authentication, make sure you’ll have access to it after you get home. “We’ve heard several stories from international travelers who set up 2FA through a foreign number purchased during extended trips abroad, who then lose access to the account at the end of their trip when they deactivate the number,” says Joe Cronin, CEO of International Citizens Insurance.