SINGAPORE – Holidaymakers often snag good bargains when booking hotels or flights on online travel portals, but scammers appear to have recently sniffed out these platforms as lucrative hunting ground for victims.

In February, there were at least five reports of phishing scams made to the police linked to hotel room bookings using the popular Booking.com portal since the start of 2023, with total losses amounting to at least $8,800.

In the latest spate, at least 30 people lost about $41,000 after falling prey to a similar type of scam after using the same online reservation portal since September.

Both types of scams involved the criminals sending victims fake website links, and asking them to provide personal and banking details, such as one-time passwords and credit card numbers.

In some of the cases, victims received a prompt from the malicious websites to make payments to confirm the reservation. However, the ruse was exposed after they contacted Booking.com or the hotel directly, but by then, it would often be too late to take for victims any action.

Some victims realised they had been scammed when they discovered unauthorised transactions in bank or credit card statements.

Worryingly, the tactics employed by scammers have become more sophisticated. 

Earlier in 2023, fraudsters posed as hotel representatives and contacted victims through messaging platform WhatsApp.

Recently, conmen have adopted methods that are harder for victims to verify – sending e-mails or messages using official accounts of hotels directly through Booking.com’s in-app chat function.

A spokesman for Booking.com told The Straits Times that some of its accommodation partners had their accounts compromised after being targeted by phishing e-mails.

“While this is not a breach of Booking.com’s backend systems, we are acutely aware of the implications of such scams by malicious third parties to our business, our accommodation partners and our customers, who can fall victim to professional scammers,” he added.

So, how were the scammers able to contact customers through the portal’s chat tool? 

Mr Ian Lim, field chief security officer at the Asia-Pacific and Japan for cyber-security firm Palo Alto Networks, said the system could have been compromised in at least three ways.

One involves an account takeover, in which the computers of employees and booking agents are hacked, allowing scammers to respond from those accounts.

Another is a man-in-the-middle attack, where hackers intercept the conversation in the chat system and possibly alter the information sent to either party.