HiRUM Software Solutions

Scammers targeting Booking.com

Posted by Carly Crossley - 19/02/2015

An email scam which attempts to capture commissions paid to Booking.com has been circulating around Europe, with a number of hotels falling victim.

Booking.comThe very elaborate scheme involves an email being sent to the hotel, advising that their monthly fees are due to the paid. The look and feel of the email is similar to existing correspondence sent to hotel customers by Booking.com, however the sender’s email address is altered slightly (invoice@booking-ltd.com). The link within the email directs recipients to a fake Booking.com-branded page to supposedly make a payment to Booking.com, with the funds of course being delivered to the scammers instead.

Booking.com has released a statement advising that the “incidences appear to be limited”, however Tnooz has learned that the phishing scam has been operating for at least 10 days and a large number of hoteliers could have been impacted.

HiRUM Software Solutions would like to remind hoteliers and our clients to always be cautious when opening emails and following any links within.

Here are some basic tip-offs you can look for to determine whether you’re looking at an email with dishonest intentions:


It doesn’t address you personally

Legitimate emails from trusted sources will often address you by name, so you can expect them to say “Dear John” or “Dear John Smith”. If you receive an email with a vague salutation such as “Dear customer” or no greeting whatsoever, particularly if the company has previously addressed you by your name, it’s very likely a phishing scam.That’s not to say that you should automatically trust any email specifically addressed to you, but you can be sure that if you get an email from a company you do business with like a major bank, retailer, or technology company, they will address you by name in any email.


The ‘from’ address is not familiar, or has a slightly different domain

The Booking.com scam email is addressed from invoice@booking-ltd.com, however we all know their website is Booking.com (no ‘ltd’). You can bet that any official correspondence will be sent from an official email address ending in “@booking.com”. If the domain at the end of the email address is different to the company’s official website, even just slightly, you should consider if it’s a scam email.


The link is unusual

If you’re not certain about an email, hover your mouse over any links you see in the body of the message (but whatever you do, don’t click it!). Then look at the lower left corner of your browser or email client. You should see the exact address of the link you’re hovering over will go to. If it doesn’t go directly to the address it’s supposed to, you should reconsider whether to click on it.The exception here is that some companies use third-party email services to send their messages, or include an extra tracking code to see who has clicked the links in their email. So while the link address may seem unfamiliar, it does not necessarily mean the email is a scam. But you should absolutely consider this to be a red flag and approach with caution.


There’s an attachment

If a scammer can’t lure you to click on a phony link, they may try to trick you into downloading a file packed with malware or a virus. This could be presented as an invoice for payment, playing on the sudden emotional reaction once you’ve realised you may have an unpaid item for a service you use. Without hesitation, you may find yourself downloading the attachment just to confirm whether the company has made a mistake.Rule of thumb: NEVER download an attachment you’re not expecting, no matter who it’s from.


If still in doubt, contact the company directly to verify the email

Do not click on any links within the email. Do not open any attachments. Ignore any contact details provided within the email. Open your internet browser and go directly to the company’s official and trusted website. From there, find their phone number and call to clarify whether the message was in fact received from them. Alternatively, if they have an official email address compose a new email message to them (do not reply to the questionable email) and ask them to confirm whether the email is legitimate. This is always the surest and safest way to tell if an email you’ve received is a scam.


By Carly Crossley

Carly is the Social Media Coordinator at HiRUM Software Solutions.
View all posts by

Comments are closed.