Phishing on Booking.com: fake ads and emails that empty accounts

At the height of the Christmas season and with millions of people booking trips, scams aimed at users of online booking platforms have continued to grow. A recent report highlights how travelers have lost hundreds of euros after falling into fraudulent ads and misleading messages that mimic Booking.com.

‍

_{Fake listings that look real}

Booking.com is one of the world's largest accommodation booking platforms, with more than 1 billion bookings per year. However, its popularity also attracts malicious actors who take advantage of how easy it can be to post an advertisement on the site. In tests carried out by organizations such as Which? , it was possible to list an alleged accommodation in less than 15 minutes, without the need to verify identity or official documents.

‍

These types of ads can attract customers with attractive prices or popular locations, but when they arrive at the destination, travelers discover that the accommodation does not exist or is not available, leaving them without accommodation and often having difficulty obtaining refunds.

‍

_{Phishing and fake messages with personal information}

Beyond ads, another common tactic is to send phishing messages that appear legitimate.

These emails or WhatsApp messages may include:

• Your full name and reservation details, making them look trustworthy.
• A link to “confirm” details or “protect” your reservation.
• A warning that you could lose your accommodation if you don't act quickly.

When you click, you can be directed to fake pages that steal card or identity data or even sites that download malicious software. Travelers have reported receiving these messages via email, WhatsApp or even through Booking.com's internal messaging, making fraud detection even more complicated.

‍

_{How scammers keep false bookings active}

Once a fraudulent ad manages to pass the platform's filters, it can continue to mislead users by showing positive reviews or “relevant” scores that don't reflect the real experience of other travelers. Some travelers who investigated these ads found that, when changing the filter to more recent reviews, comments appeared that described the experience as fraud or deception.

‍

This demonstrates how automatic classification or recommendation systems can be manipulated or taken advantage of, leading users to trust advertisements that are, in fact, financial risks.

‍

_{What we recommend from Apolo Cybersecurity}

Faced with this increase in scams, it is essential to adopt good practices:

• Always check the property profile and the most recent reviews.
• Do not click on links received outside the official platform.
• If you receive time-pressured messages or requests for external verification, contact official support directly before taking action.
• Use two-factor authentication and review each link carefully before entering personal or payment information.

These actions help reduce the likelihood of falling into sophisticated scams that can seem very real even to experienced travelers.

‍

_{When fraud affects your users, it also affects your reputation}

At Apolo Cybersecurity, we help digital organizations identify, mitigate and respond to threats such as phishing, impersonation and fraudulent systems, both internally and through third parties. Our experience combines advanced technology, structured processes and training so that your team and your users are prepared for the latest methods of digital deception.

‍

Strengthen your security mechanisms and protect your assets before the next attack affects your business.