SINGAPORE — Heading to a hotel is meant to be fun, especially if it is for a holiday, but at least 30 victims have fallen prey to a hotel booking scam since last month.

They have lost at least S$41,000 in total, the police said.

In a media release on Oct 8, the police said that they had observed a “resurgence” of hotel-related phishing scams.

Posing as representatives of hotels where victims had made room reservations via online travel agency Booking.com, the scammers would then contact the victims to obtain their personal and banking details.

Booking.com is one of the most popular hotel-booking sites in Singapore along with the likes of Agoda and Klook.

Similar scams have been reported around the world over recent years but they have increased in number during the travel boom after the Covid-19 pandemic.

In February this year, the police here said that they had received at least five reports in the first two months of 2023 of scams related to room reservations made on Booking.com. These scams amounted to losses of at least S$8,800.

TODAY looks at what the Booking.com scam entailed and how customers can better protect themselves.

WHAT HAPPENED IN THESE SCAMS?

After making hotel room reservations on Booking.com, victims would receive emails or messages via a function on its application. 

These emails and messages were sent by scammers posing as the hotels’ representatives. Different hotels across different countries have been impersonated, the police said.

The scammers would ask the victims to confirm and verify their reservations via an online link, which required them to provide their personal details.

Upon clicking on the link, the victims would be redirected to fraudulent websites to key in their personal and banking details. These could include one-time passwords or credit card numbers.

In some cases, the fraudulent websites would also prompt the victims to make payments to confirm their reservation. 

The victims would realise that they had been scammed after contacting the hotels or Booking.com upon discovering unauthorised transactions on their bank accounts or credit cards.

HOW DID SCAMMERS MAKE IT LOOK LIKE MESSAGES CAME FROM HOTELS?

In a statement responding to TODAY’s queries, a Booking.com representative said the firm was aware that some of its accommodation partners had been recently targeted by phishing emails.

“Although the security breach was not from Booking.com, we know that the accounts of some of our accommodation partners were affected.

“It’s important to highlight that neither Booking.com’s backend systems nor infrastructure have been breached in any way.”

In February, technology news website Ars Technica that is based in the United States reported that researchers from a company called Website Planet had in 2020 reportedly found a stash of data collected from more than 100,000 people.

These individuals had used Booking.com and at least seven other online reservation sites including Agoda, Expedia and Hotels.com.

Dating back to 2013, the data leaked in that incident included full names, email addresses, national identity document numbers, phone numbers, number of hotel guests, credit card details, the total cost of hotel reservations, and the reservation details.

While the leak affected customers of several reservation services, Ars Technica said web searches showed that these data leaks “continue to disproportionately affect users of Booking.com over its competitors”.

Speaking to TODAY, Mr Kenny Yeo, director and head of the Asia-Pacific cybersecurity practice with consultancy firm Frost & Sullivan, said: “It is still not exactly known how the criminals were able to utilise the in-app messaging system to contact victims.”

However, as the communications were coming from a “trusted” source within the app, it was very likely that a customer would trust these to be legitimate, he added.

As to how exactly scammers had gained access to Booking.com’s in-app messaging or emails, experts said that this remains unclear — though they speculate that the scammers could have stolen employees’ credentials.

Mr Lim Yihao, the Japan and Asia-Pacific lead threat intelligence adviser at Mandiant under Google Cloud, said: “There are a few possibilities how these scams could potentially work. 

“For example, the criminals could have stolen employee credentials to perform logins and gained access to the booking details of customers by impersonating the employees.

“Alternatively, the support agent jobs may be outsourced to third-party companies and in turn, these companies were being compromised by criminals or it could be a website vulnerability that was not patched, which led to the compromise of the customer chat applications by cyber criminals.” 

Mr Ali Fazeli, a senior consultant at cybersecurity company Infinity Forensics, said that the scams may have resulted from an “internal factor”.

This could mean that someone working at the hotel had released the hotel’s login details.

“Without internal help, it’s quite impossible, because nobody can guess what is the username and password to the hotels’ Booking.com logins. It’s quite impossible for anyone to guess what email address that they use for registration, to use Booking.com or Agoda or anything else.”

Mr Fazeli also said that there was a high chance an “insider” or hotel staff member had released the information to the hackers or scammers.

WHAT CAN CUSTOMERS AND COMPANIES DO?

In its statement, Booking.com said that the company would never ask customers to provide their credit card details through phone text messages or email.

“If you ever receive a payment message that raises concerns, we strongly urge you to verify the accommodation’s payment policy, easily accessible on the property listing page, or reach out to our 24/7 customer service team for immediate assistance.”

Cybersecurity experts told TODAY that companies and consumers could also adopt a few tips to better guard themselves against such breaches and scams.

Associate Professor Jiow Hee Jhee of the Singapore Institute of Technology said that generally, scammers would try to mimic the consumer journey of a legitimate company’s engagement as closely as possible, and then pick on loopholes in that journey to catch their victims.

Assoc Prof Jiow, who is also a member of the Media Literacy Council and has research interest in digital communications, said he believed that being aware of such techniques would be the first step for companies to take, in order to prevent similar scams.

Mr Benjamin Tan, chief executive officer of Red Alpha Cybersecurity, said: “Companies should continuously educate their users on how to identify legitimate websites and emails from them.”

Firms should communicate to their users what they would or would not do, for example, that they would not ask customers for sensitive personal data.

They could provide a “mutual authentication method, things they will do to let their users know that it’s them”, Mr Tan added.

Companies may also proactively subscribe to threat intelligence or reputation-scoring services that inform them of the existence of clickbait and phishing websites masquerading as them — and the companies may then inform and warn their users of such, he suggested.

Agreeing, Mr Koo Juan Huat, director of cybersecurity for the Southeast Asian region at technology firm Cisco, said that companies must ensure that they have robust security protocols in place, and a “layered defence for security”. 

“This starts with working with a vendor that can provide them with an integrated, end-to-end security platform that simplifies how companies manage the security experience and makes it easy for them to prescribe and enforce security policies across different aspects of their security infrastructure.”

Ultimately, cybersecurity is a “team sport”, Mr Koo said.

“Consumers need to pay attention and be diligent about practising cyber hygiene to keep themselves safe.

“In addition, companies need to train their employees and increase their awareness about cybersecurity threats and how their roles play a part in cyber defence,” he added.

From a consumer’s point-of-view, Mr Yeo of Frost & Sullivan highlighted tell-tale signs of suspicious activities.

These include:

Unexpected messages potentially sent via messaging, WhatsApp or emailGaps in information, including not having the booking indentification number, dates and detailsMessages with a strong sense of urgency asking for immediate response“Strange looking” web links requesting consumers’ immediate action. For example, potentially suspicious links could include ones that looked “long and complicated”, or messages that ask for further action through a specific web link instead of serving notifications asking that users check information on the official online site

“When you see a combination of multiple tactics appearing at the same time, be very cautious and contact the website customer service immediately,” Mr Yeo added.

Even if precautions are taken, cybersecurity experts said that no website would be completely safe.

Mr Yeo said: “As long as there has been a previous or active cybersecurity incident with data stolen, this could happen on any hotel booking site.”