Booking.com Scam Catches Out Holidaymakers and Eurovision Fans

Tourists across Europe have reported in recent weeks that they are being targeted by scams imitating Booking.com.

The bogus emails claim that recipients can receive a 20% discount at any hotel in the world. All they have to do is follow a link to “verify” their account.

Anyone who clicks the link is directed to a mock-up of the online travel agency’s website, where they are asked to hand over their personal details.

The scam has been particularly successful targeting people who travelled to Liverpool for this year’s Eurovision Song Contest.

As is often the case with such events, hotel prices skyrocket as demand increases, creating a honeypot that scammers can pounce on.

The apparent opportunity for a significant discount on hotels has led people to think that a trip is more affordable, and it encourages them to act quickly without considering the legitimacy of the offer.


Spotting a scam

The simplicity of this scam has made it hard for people to decipher its true nature. The email reads “Congratulations! You have a code for a 20% discount at any hotel in the world”.

It adds: “To get the code, you need to verify your identity”, and prompts users to click a link.

The message is displayed as a picture, which helps it avoid email detection systems that scan for words that are often used in bogus offers, such as “congratulations” or “discount”.

Source: Trend Micro

Meanwhile, the email faithfully recreates Booking.com’s logo and design (although with some email clients, such as the one used in the screenshot above, users must agree to display certain images).

This is often a sign that there is something suspicious, because malware can be injected into images and unleashed when they are downloaded.

Another sign that points to the true nature of this email is the content itself. As Trend Micro observes, “real discount codes usually have certain caveats attached to them and it’s quite rare to get a discount off everything from a retailer’s range, especially such a high level discount”.

It adds: “Coupled with the use of the word ‘congratulations’, and the exclamation mark, this all adds to the feeling of excitement the scammers are hoping to evoke as it is this feeling that could make people behave more impulsively and fall victim to their scam.”
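The point above about the message being delivered as a picture suggests a structural check that does not depend on keywords. The following is an added example, not code from this article or from Trend Micro: it flags mail whose clickable content is an image and whose machine-readable text is nearly empty. The names `BodyScan` and `image_only_lure`, the 40-character threshold and the `example.invalid` sample messages are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class BodyScan(HTMLParser):  # collects filter-visible text, counts (linked) images
    def __init__(self):
        super().__init__()
        self.text, self.images, self.linked_images = [], 0, 0
        self.links, self.hidden = [], 0  # open <a> tags (href?), <style>/<script> depth
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.links.append(bool(attrs.get("href")))
        elif tag in ("style", "script"):
            self.hidden += 1
        elif tag == "img":
            self.images += 1
            self.linked_images += any(self.links)
            self.text.append(attrs.get("alt") or "")  # alt text is readable by filters
    def handle_endtag(self, tag):
        if tag == "a" and self.links:
            self.links.pop()
        elif tag in ("style", "script") and self.hidden:
            self.hidden -= 1
    def handle_data(self, data):
        if not self.hidden:
            self.text.append(data)

def image_only_lure(raw: bytes, min_text_chars: int = 40) -> dict:
    """Flag mail that offers a clickable image but almost no machine-readable text."""
    msg = message_from_bytes(raw, policy=policy.default)
    scan = BodyScan()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scan.feed(part.get_content())
        elif part.get_content_type() == "text/plain":
            scan.text.append(part.get_content())
    scan.close()  # flush any text still buffered by the parser
    chars = len(" ".join(" ".join(scan.text).split()))
    return {"images": scan.images, "linked_images": scan.linked_images, "text_chars": chars,
            "suspicious": scan.linked_images > 0 and chars < min_text_chars}

def build_sample(html: str) -> bytes:  # constructed sample, not a captured email
    m = EmailMessage()
    m.set_content(html, subtype="html")
    return bytes(m)

LURE = build_sample('<a href="https://example.invalid/verify"><img src="cid:offer"></a>')
NORMAL = build_sample('<a href="https://example.invalid/"><img src="cid:logo" alt="Logo"></a>'
                      '<p>Your two-night booking is confirmed. Check-in opens at 15:00.</p>')
```

Image-heavy newsletters can trip this check too, so the result is better used as one scoring signal alongside sender and link reputation than as a verdict on its own.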


Eurovision Scam Content

The timing of this scam has been particularly unfortunate for people who tried to make last-minute plans to watch the Eurovision Song Contest.

According to the BBC, several fans of the musical television show have been caught out. One person said that after booking an apartment for himself, he received a phone call from his bank saying that it had spotted an £800 transfer to an account in Uganda.

“I felt really stupid because I’ve never been close to being scammed,” he said. “It just took the enjoyment out of it and I don’t want to go any more because they’ll know all my details and know I’m away from home, so I cancelled it.”

Booking.com confirmed that “some accommodation partners had been targeted by phishing emails” but said that its internal systems had not been breached.

The company added that “a number of accounts” had been compromised by cyber attacks and had been “quickly locked”.

UKHospitality, which represents more than 740 companies across England, Scotland and Wales, advises holidaymakers to deal directly with hotels, rather than third-party booking platforms, if they are concerned about scams.


How to stay safe

This incident is yet another reminder of the ways in which scams can affect us in our everyday lives.

No matter what you’re doing online, whether you’re booking holiday plans, purchasing something online or simply trying to go through your inbox, you will encounter scammers sooner or later.

This is bad enough for individuals, but the damage can be even more costly if fraudsters target you at work. Their attacks can compromise your login credentials, giving them access to sensitive corporate data, or they can trick you into making bank transfers.

To prevent this from happening, organisations must help employees understand the risks related to these scams.

You can find all the advice you need with IT Governance’s Phishing Staff Awareness Training Programme.

This online training course provides essential guidance to help you and your team understand and overcome email-based threats. 

We use real-world examples to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails. 

The course content is updated quarterly to include recent examples of successful attacks and the latest trends that criminals use.
