Holidaymaker loses €1,800 in phishing scam

A holidaymaker has lost more than €1,800 (£1,567) to a phishing scam which targeted him through the booking platform he used.

Steve Alderson from Newbury, Berkshire, was looking to book a number of different places to stay in Portugal via the online travel portal, Booking.com.

One of the properties contacted him via the Booking.com website and said he would need to make a payment to confirm the reservation but not long after he received a message saying the booking had been cancelled.

In a statement Booking.com said "in the rare event" a customer loses money via a scam, the platform would help with refunds once it had received the necessary documentation.

Rooms and properties on Booking.com have different cancellation policies with some expecting payment up front and others allowing payment nearer the time of arrival.

Mr Alderson, who works in IT, said a few hours after making his booking the property messaged him saying he needed to pay and that he thought "everything looked pretty straightforward".

"Although I'm slightly embarrassed about this now, we thought, 'Right, okay, let's just get this done'," he told BBC's You and Yours programme.

He was redirected to Whatsapp, where he completed the payment.

But he said: "It wasn't long [before] we simply received a message through the Booking.com platform to say that the booking was cancelled.

"Of course, you get that somewhat sick feeling in the pit of your stomach and saying, 'Hang on, this just doesn't feel right at all'.

"This was somebody who was mentioned as a super host, they had other properties on the website."

Booking.com said in a statement that cyber security was its "top priority".

The company, based in Amsterdam, Netherlands, added that in the "the rare event that a customer is targeted by cybercriminals and suffers financial loss as a result, we advise them to first raise a dispute with their bank".

"If the dispute is unsuccessful, we will support with refunds, upon receipt of the necessary documentation," the statement reads.

"In [Mr Alderson's case], we have not yet received the required documentation and have reached out to the customer to follow up."

But Mr Alderson said he had been in touch twice and on both occasions the line had been disconnected as soon as he provided the accommodation booking reference number.

Mr Alderson added he had raised the issue with his bank and had reported it to the fraud line.

Rafe Pilling from global cybersecurity company Sophos said hotels initially fall victims of phishing attacks through emails that build trust with the employees under a relevant pretext, such as lost passports.

"Then they will deliver malware that will either steal credentials from the hotel's booking system, access the HotelsBooking.com account and essentially become the hotel," he explained.

"At that point, they can reach out to the hotel's customers."

Mr Pilling said the sudden sense of fear or urgency the emails created with regards to the booking "should be a trigger for people" and prompt them to contact Booking.com's customer service directly.

Booking.com appealed to customers to "carefully check the payment policy details on their booking confirmation to be sure any message is legitimate".

"It is important to note that we would never ask a customer to share payment information via email, chat messages, text messages or phone," it added.

You can follow BBC Berkshire on Facebook, external, X (Twitter), external, or Instagram, external.