Action Fraud issues Booking.com phishing alert

Action Fraud has warned travellers who use Booking.com to beware of fake emails asking for money or credit card details.

The UK’s national reporting centre for fraud and cybercrime said those using the online platform could be targeted with emails or messages requesting payments from hotels whose accounts have been taken over by fraudsters.

Between June 2023 and September 2024, Action Fraud received 532 reports from individuals, with a total of £370,000 lost.

It appears individuals were defrauded after receiving unexpected messages and emails from a Booking.com account belonging to a hotel they had a reservation with, which had been taken over by a criminal.

Using this account, the criminals send in-app messages, emails, and WhatsApp messages to customers to deceive them into making payments and/or to request credit card details.

The specific account takeovers are likely to be the result of a targeted phishing attack against the hotel or accommodation provider, rather than a compromise of Booking.com’s backend system or infrastructure.


Adam Mercer, deputy head of Action Fraud, said: “With more than 500 reports made to Action Fraud, those who have booked a holiday on the Booking.com platform should stay alert to any unexpected emails or messages from a hotel using the Booking.com platform, as their account could have been taken over by a criminal.

“If you receive an unexpected request from a hotel’s account you booked with using Booking.com, asking for bank details or credit card details, it could be a fraudster trying to trick you into parting ways with your money. Contact Booking.com or the organisation directly if you’re unsure.

“Remember to report any suspicious emails by forwarding them to report@phishing.gov.uk, or if you receive a fraudulent text message, you can forward it to 7726.”

Booking.com and Action Fraud have offered advice to consumers, highlighting how no legitimate Booking.com transaction will ever require a customer to provide their credit card details by phone, email, or text message (including WhatsApp).

Sometimes a hotel provider will manage their own payment and may request payment information, such as credit card details, so consumers are urged to verify the authenticity of communication between themselves and the hotel’s account.

If travellers receive any urgent payment requests that require immediate attention, such as a booking cancellation, they should contact the Booking.com customer service team via the details on the official Booking.com website and/or app to confirm.

Any payment requests that do not match the information in the original booking confirmation should also be double checked and confirmed with Booking.com Customer Service before proceeding.

Any messages purporting to be from Booking.com that contain instructions to follow links and/or open/download files should be treated with caution.

If consumers have any doubts about a message, they should contact Booking.com directly. They should not use the numbers or address in the suspicious message but use the details from the official website.
