Scammers Reportedly Using Booking.com To Forward Phishing Emails to Hotel Guests
Updated: Dec 18, 2023
Booking accommodations through Booking.com? You might want to exercise extra caution the next time you do so.
According to Mothership, a guest who recently booked a stay at Amara Singapore was charged an additional S$9,000 on top of the hotel payment after engaging with a fraudulent message sent using Booking.com's messaging centre.
The guest, who went by "S", told the digital news platform that he booked a staycation to celebrate his 35th birthday and made the full payment of S$3,000 for the reservation in advance via Booking.com. He then received an email from the booking platform that was signed off by one "Roza Zukauskiene", who claimed to be a Senior Property Manager of Amara Singapore.
The email told S that he needed to click a link to "complete his registration". He did so and was redirected to what he described as a legitimate-looking webpage that had Amara Singapore's name and logo. The page required S to key in his personal and credit card information as well as make a security deposit. S said he even contacted Booking.com to verify whether the email he received was fraudulent, and the platform said it was indeed from the hotel. Knowing he had to provide his credit card information in case of incidental charges from his stay, he complied and provided his information.
The day after, he received a text notification that said his credit card had been charged S$9,000. The charge, however, was made on the same day he accessed the link in the email, raising suspicions.
S immediately contacted Booking.com to report the phishing email. But the platform directed him to Amara Singapore, maintaining the message was from the hotel. Amara Singapore, however, told him to go back to Booking.com, saying his information was kept confidential. The hotel also said that some of its guests had similarly received suspicious emails that requested payment details.
Both Booking.com and Amara Singapore denied that their systems were compromised.
"In the past we heard of scams on banks, or government websites. Now that the travel borders are open, the scammers are getting more creative by targeting travel bookings," S told Mothership.
Amara Singapore isn't the only Singapore hotel to be affected by phishing scams. Mothership reports that it received a tip from a reader about a similar case at Oasia Hotel Downtown. The fraudulent messages were also sent using Booking.com's messaging centre, similar to S's case. Oasia Hotel Downtown also informed guests that Booking.com's messaging centre had been "compromised", warning them not to click on suspicious links.
Reports about Booking.com-related phishing scams date back to early 2023. The Straits Times in March reported that at least S$8,800 had been lost in 2023 through scams involving the booking of hotel accommodations via the popular booking platform.
A Booking.com accommodation partner in a forum post said that they suspect their account was hacked since their guests have been receiving messages asking for personal and payment information via WhatsApp and Extranet. They also said they've reported the matter several times to the booking platform's staff but have yet to receive a response.
A Booking.com spokesperson told Mothership that there was no security breach on their side. The spokesperson added that the accounts of some of its accommodation partners were affected, but stressed that "at no point there was a vulnerability in the Booking.com system that allowed a fraudulent third party to obtain information".
While it's still unclear how these bad actors carry out these scams, Mothership suspects that they first book a fraudulent hotel reservation on Booking.com, use that reservation to talk to the hotel staff and, from there, impersonate the hotel to target guests.