Phishing campaign impersonating Booking.com targeting UK hospitality
Microsoft said the campaign was now posing a ‘tangible threat’ to UK-based hospitality and travel organisations.

A “rapidly evolving” phishing campaign that impersonates popular travel platform Booking.com is targeting hospitality organisations in the UK, Microsoft has warned.
Microsoft Threat Intelligence said cybercriminals had used a tactic – nicknamed “ClickFix” – to trick businesses into downloading and launching credential-stealing malware since December.
The attackers send convincing Booking.com-themed emails referencing guest reviews and account verification notices, enticing recipients to click through to a fake page that eventually enables cybercriminals to steal payment and personal data.
The theft can potentially lead to fraudulent transactions and reputational harm to the hotels and travel services.
Microsoft said the campaign was now posing a “tangible threat” to UK-based hospitality and travel organisations.
It urged businesses and consumers who received a suspicious email or message to contact the service provider directly, using contact forms listed on the official website.
Microsoft also urged firms to be wary of urgent calls to action or threats and to be cautious of email notifications that asked the recipient to click, call or open an attachment immediately.
Other tips to avoid falling victim include hovering over links to see the full URL and searching for typos, including within the body of the email, that indicate the sender is not a legitimate, professional source.
Sarah Armstrong-Smith, chief security adviser at Microsoft UK, said: “Phishing attacks are becoming more sophisticated, using advanced social engineering techniques like ClickFix to manipulate human behaviour and bypass traditional security measures.
“The recent campaign impersonating Booking.com is a clear example of how cybercriminals exploit trust and urgency to deceive individuals to gain access to sensitive information.
“Cybercriminals are constantly adapting their tactics, but by staying alert, questioning unexpected messages and behaviour, and enabling extra security measures, consumers can protect themselves against these evolving threats.”
Booking.com said: “Unfortunately phishing attacks by criminal organisations pose a significant threat to many industries. While we can confirm that Booking.com’s systems have not been breached, we are aware that unfortunately some of our accommodation partners and customers have been impacted by phishing attacks sent by professional criminals, with the criminal intent of taking over their local computer systems with malware.
“The actual numbers of accommodations affected by this scam are a small fraction of those on our platform and we continue to make significant investments to limit the impact on our customers and partners.
“We are also committed to proactively helping our accommodation partners and customers to stay protected.
“Should a customer have any concern about a payment message, we ask them to carefully check the payment policy details on their booking confirmation to be sure that the message is legitimate.
“Customers are also encouraged to report any suspicious messages to our 24/7 customer service team or by clicking on ‘report an issue’ which is included in the chat function.
“It is important to note that we would never ask a customer to share payment information via email, chat messages, text messages or phone.”
Earlier this week, Which? warned that a lack of effective checks was leaving Booking.com “wide open” to fraudsters, and called for the platform to do more to prevent fraud on its site ahead of the Online Safety Act illegal harms codes coming into effect later this month.
Booking.com was the most visited travel and tourism website worldwide in January, according to Statista.
But the Which? investigation found that an easily hacked messaging system, failure to remove “scam” listings, and a lack of identity checks on property owners were leaving holidaymakers unnecessarily exposed on the site.
The consumer group was able to list a holiday home on Booking.com in less than 15 minutes and – unlike on Vrbo or Airbnb – Booking.com did not ask to see a driving licence or passport.
Which? said the lack of proper identity checks had led to a “deluge of dodgy listings” on the platform.
When Which? searched Booking.com reviews for the word “scam” in summer last year, it found hundreds of reviews complaining that they had paid for accommodation that did not exist.
The illegal harms codes of practice under the Online Safety Act will come into effect on March 17, requiring platforms to do more to prevent user-generated fraud on their sites by running risk assessments and having effective complaints procedures in place.
In addition, large platforms – those with seven million monthly active users in the UK – at medium or high risk of fraud will be required to have a dedicated channel to report any scams which slip through the net.