
Watch out for this phishing scam impersonating Booking.com

If you work in hospitality and find an email in your inbox from Booking.com claiming to be an angry guest, then watch out — it may well be part of a phishing scam. Microsoft has warned that a phishing campaign has been underway sending fake emails from Booking.com which lead users to download malicious software.

In a blog post about the issue, Microsoft Threat Intelligence writes that this is an ongoing campaign which has been around since December last year, and uses a social engineering technique called ClickFix. The victim receives an email which appears to come from Booking.com and which can vary widely in its content — from guest complaints to requests for information from potential guests to account verification — and which includes a link (or attaches a PDF with a link) that claims to take the user to Booking.com to deal with the issue.

When users click on the link, they see what appears to be a CAPTCHA overlay on a Booking.com page, but the fake CAPTCHA actually instructs the user to open the Windows Run dialog and copy and paste a command which downloads malware onto their system.

Once installed, the malware can steal financial data and credentials; Microsoft says this technique is in line with a previous phishing campaign by a group it tracks as Storm-1865.

Phishing scams are unfortunately not unusual today. However, this is a fairly sophisticated version which takes advantage of hospitality workers’ worries about guest satisfaction. To protect yourself from this and other phishing attempts, Microsoft advises users to check the sender’s address on an email, to be wary of messages about urgent threats, and to hover over links to see the full URL before clicking on them. When in doubt, go directly to the service provider — in this case, by going straight to Booking.com — rather than clicking on a link.
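As an added example (not code from the article, Microsoft or Booking.com), the two checks Microsoft recommends, the sender's address and the real destination behind a link, implemented in Python over a constructed sample email; the hosts in the sample are hypothetical.

```python
"""Added defender-side checks for the advice above; not from the article. Sample data is constructed."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAIN = "booking.com"  # the brand the article says is impersonated


def same_org(host, domain=LEGIT_DOMAIN):
    """True only for the domain itself or a genuine subdomain. The suffix check is
    anchored on a dot, so 'booking.com.evil.example' is rejected."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html, domain=LEGIT_DOMAIN):
    """Hrefs whose link text names the brand but whose host is not the brand."""
    parser = _LinkCollector()
    parser.feed(html)
    return [href for href, text in parser.links
            if domain in text.lower() and not same_org(urlparse(href).hostname, domain)]


def sender_mismatch(from_header, domain=LEGIT_DOMAIN):
    """True if the From: display name claims the brand but the address does not."""
    name, addr = parseaddr(from_header)
    return domain in name.lower() and not same_org(addr.rsplit("@", 1)[-1], domain)


# Constructed sample with hypothetical hosts, not a real phishing message.
SAMPLE_FROM = "Booking.com Guest Relations <support@booking-guest-help.example>"
SAMPLE_HTML = ('<p>A guest left a complaint about their stay.</p>'
               '<a href="https://booking.com.verify-stay.example/case/1">Respond on Booking.com</a>'
               '<a href="https://admin.booking.com/help">Booking.com Help Centre</a>')
```

Running `find_deceptive_links(SAMPLE_HTML)` flags only the first link, whose host merely starts with the brand name, while the genuine subdomain passes.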

Update 03/14/25:

Booking.com provided the following statement:

“Unfortunately, phishing attacks by criminal organizations pose a significant threat to many industries. While we can confirm that Booking.com’s systems have not been breached, we are aware that unfortunately some of our accommodation partners and customers have been impacted by phishing attacks sent by professional criminals, with the criminal intent of taking over their local computer systems with malware.

“The actual numbers of accommodations affected by this scam are a small fraction of those on our platform and we continue to make significant investments to limit the impact on our customers and partners.

“We are also committed to proactively helping our accommodation partners and customers to stay protected. We also provide ongoing cybersecurity education and resources to our partners to enhance their defenses against such threats.

“Should a customer have any concern about a payment message, we ask them to carefully check the payment policy details on their booking confirmation to be sure that the message is legitimate. Customers are also encouraged to report any suspicious messages to our 24/7 customer service team or by clicking on ‘report an issue’ which is included in the chat function.

“It is important to note that we would never ask a customer to share payment information via email, chat messages, text messages, or phone. We urge our customers and partners to remain vigilant. If you encounter any communication that seems suspicious or requests sensitive information through unofficial channels, please do not engage. Report it immediately to our customer service team through official Booking.com channels. Our Trust and Safety Resource Center offers additional guidance on recognizing and avoiding phishing attempts.”

Source link: www.digitaltrends.com
