Many trading and booking platforms warn their customers that communication between buyers and sellers takes place outside of intended channels such as chat functions. But what if fraudsters use Booking.com's internal chat function and supposedly demand a deposit in the name of the booked hotel?

The provider mentioned is one of the world's largest brokers of hotel rooms and now has such a high market share that critics speak of a dominant market position. Booking.com has previously had the reputation of being a secure platform for booking accommodation. This definitely has its price, because the providers have to pay considerable commissions. When it comes to security, the Amsterdam-based company seems to have a lot of catching up to do, as fraudsters are apparently managing to hijack hotel accounts. The goal is that customers' credit card data can be intercepted and used fraudulently.

In a case presented to Aviation.Direct, a holidaymaker from Austria booked a hotel room for his winter holiday in the Maldives via Booking.com. It is an upscale hotel in the five-star category. The agent's booking confirmation states that the accommodation reserves the right to pre-authorize the credit card.

Fraudsters use the official chat function

In concrete terms, this means that the hotel can “charge” the payment method in advance. The agreed amount in local currency will then be temporarily blocked. Hotels in the upper category in particular test whether the credit card on file is valid and has sufficient funds. Unless you receive push notifications from the bank, this process happens in the background. If everything fits, then there will be no further contact from the hotel and the amount will then - as agreed upon when booking - either be debited in advance at a specific time. If you have agreed to “pay at the accommodation”, you only pay when you check in or check out, depending on the hotel.

For a variety of reasons, it can happen that both payments and mere pre-authorizations (“blocks”) are rejected. The simplest causes: card blocked, credit limit too small or simply a short technical problem. Sometimes things go smoothly on the second try and no one knows exactly why it didn't work the first time.

It is also not exactly unusual for better hotels to require a deposit in advance. The houses have their own experiences, as demanding payments from no-show guests can be very complicated across borders. But it is precisely on this “it is so common” that the scam is based, with which Booking.com customers are supposed to be deprived of their money.

The perfidious thing is that the fraudsters use Booking.com's official messaging and chat system and pose as employees of the hotel where you actually booked a room. You have to pre-authorize your credit card, otherwise the reservation will have to be canceled. You should update the data via a link.

Booking.com employee does not recognize fraud and advises payment

If this were an external site, alarm bells would probably ring for pretty much any observant traveler. The fraudsters also know this and that is why it is seriously a real link to the Booking.com payment system, through which payments can be made to the hotel or the details of the credit card on file can be updated. It can happen that you change banks or that the card simply expires before the trip and you have to deposit the “successor”. Since the message appears to come from the hotel via Booking.com's official messaging and chat system and the link also does not leave the booking platform, everything seems to be fine.

The experienced Austrian was still suspicious and contacted Booking.com customer service by phone. The agent looked into the chat and assured the customer in broken German that everything was correct and that he should pay the hotel's claim. Everything is real, everything comes from the hotel via Booking.com.

So if the platform itself confirms that everything is correct, then it must be so? Unfortunately not, because shortly after entering the card details, the traveler received several push messages in which Card Complete, as the issuer, informed Mastercard that transactions had been rejected. Apparently the fraudsters also noticed this, because they request that another credit card be entered via the Booking.com chat system and threaten to cancel the booking. The Booking.com customer then countered that the hotel should please call him…. Contact was lost immediately.

Card complete security system prevented financial loss

It dawned on the man that something was wrong and he first contacted the Card Complete emergency hotline. At first he thought that there was a technical problem as the reason for the rejection of the supposed pre-authorization, but the bank employee then informed him that the security system had been activated because an attempt was made to debit around 6.000 euros in Nigeria and, moreover, several times from the card within a few moments Google Pay accounts have been deposited. The customer doesn't have an Android smartphone, but an iPhone. In any case, Card Complete's systems correctly recognized the attempted fraud and immediately blocked the Mastercard to protect the cardholder. The fraudsters, who are believed to be operating from Nigeria, were unable to steal a cent. This is probably the reason why an attempt was made to request a second credit card under threat of canceling the reservation.

An immediate call from the traveler to the five-star hotel in the Maldives, which belongs to a well-known, international chain, revealed that no one from the hotel could have communicated with the customer via Booking.com because the reception did not have access to the account but only the reservation department and it is not staffed at all on weekends. The accommodation provider subsequently confirmed via email directly to the traveler that the messages and payment requests had not been sent by the hotel. They apologize, but apparently things get even worse, because the accommodation in the Maldives writes that they have received complaints from many customers about such messages including payment requests. All of them last weekend. We don't yet know how this was even possible.

Two days later: Booking.com call center considers the fraud attempt to be “real” and you should pay

So the Austrian called Booking.com again. Only when it was pointed out that the bank had recognized an attempted fraud from Nigeria did the lady admit that something could be wrong. Booking.com's security department will contact you immediately. In any case, you shouldn't click on anything or enter anything. When she pointed out that her colleague had said that everything was real, she didn't elaborate. The traveler is still waiting for the promised callback from the specialist department.

Two days later, no one had contacted the agency portal, so the traveler got on the phone himself and received incredible information from the call center agent. Although it was now clear and obvious that there was an attempted fraud via the Booking.com chat and payment attempt, this employee insisted that everything was real and everything was correct. He even advised him to pay by credit card. This phone call probably finally destroyed the trust.

Card Complete warns – Booking.com ignores media and customer inquiries

It is noteworthy that a Swiss media reported on an attempted fraud as early as July 2023, which almost coincides with the Austrian's experiences. Booking.com's media office did not respond much to the portal's research and in particular did not want to provide any further information on the frequency of fraud attempts and security measures. In view of the fact that Booking.com must have found out about the security problems at the very latest through the Swiss portal's research, it seems extremely questionable why something like this could not only happen again in September 2023, but why two of the company's employees would confirm the authenticity and make payment guess.

For example, the Booking.com press office was confronted with this question using the screenshots provided by the traveler. Despite repeated reminders, the hotel room agent did not respond to the questions at all. Apparently, people don't like to talk about obvious security vulnerabilities that can be exploited by fraudsters to the detriment of customers and hotels. Incidentally, the affected customer is still waiting for the promised callback from Booking.com's security department and has not received any further feedback from the company.

The credit card issuer Card Complete has now issued a warning to customers. This explicitly warns of the fraud that is attempted via official communication channels from Booking.com. The company calls on customers not to approve such transactions and to end any phone calls and/or chats immediately. If you have already fallen for it, you should contact the Card Complete hotline as soon as possible.