I must admit that this scam is clever. It doesn’t, however, mean that a party of the scam – hotel reservation service Booking.com – shouldn’t do something to prevent it. Here is how the scam works, and if there is anything you can do to protect yourself.

Recently, multiple stories have been published that describe how the scam exploiting Booking.com works. A traveler has made an online hotel reservation in Booking.com, and is keenly waiting for the departure date. Out of the blue, a message appears on the traveler’s phone, or in Booking.com app that the traveler is using, asking instant payment of the reservation. Otherwise, the reservation would be lost.

Because everything is correct in the request – hotel, dates, price – the traveler follows the instructions and pays the reservation that she had made in Booking.com. All seems to be well and good.

Not so. The payment has been received by criminals.

How is this possible? Although the scam is not as complex as described in the classic movie The Sting, it is a pretty complex cyber sting. First, cybercriminals hack into a hotel that has partnered with Booking.com. Using phishing techniques, they harvest credentials required for signing in to the Booking.com reservation system as hotel personnel. Second, criminals login to the Booking.com system, look for reservations, and decide which travelers they target. They send urgent requests to select travelers requiring rapid payment.

Now, a traveler gets a a message or receives a notification in Booking.com application requesting payment. The request comes from a legitimate address, and it has all the correct data because it comes from the correct source – directly from the Booking.com reservation system. It is very, very difficult for a traveler to understand that the request could be false. Naturally, he pays to retain the reservation. The only thing that is incorrect in the request is that the payment is directed to a bank account of criminals.

Who is responsible? Who should prevent criminals from stealing travelers’ money? Even though the scam is executed using the Booking.com reservation system, the company doesn’t take any responsibility. In some cases, banks have been able to stop money transfers if the victim has realized his mistake quickly enough.

The problem is getting worse because in the hidden dark web of the internet, login credentials for accessing the Booking.com system is being sold for 2000 euros/USD. The price indicates it is a very lucrative and successful attack at the moment.

What can a traveler do to prevent losing her money? Years ago, I concluded that internet services like Booking.com and Airbnb are services that I won’t use anymore. The reason was that they don’t deliver what they say they do. So, I stay away from them, and book directly with a hotel, B&B, or holiday apartment in the destination. Certainly, every traveler doesn’t want to do the same, which means they should to conduct troublesome extra verifications with Booking.com before paying to be sure that their payment is directed to the correct address.