Skip to content

In recent years,, a popular online travel agency, has been the target of several phishing scams. These scams have resulted in significant financial losses for, hoteliers and its customers.  In recent months, these types of scams have been on the rise again, with  

How the Attacks Work 

In a typical phishing scam, attackers will first gain access to the computer systems of a hotel or BnB. They do this by socially engineering staff into opening a file containing malware; you can see the tactic used in the example emails below.  In a recent incident reported in Edinburgh, the threat actors advised the hotel their child had particular dietary/allergy requirements.  They stated it was easier to email over the list of their requirements and sent over a file containing the malware, which was opened.  

Example of email highlighting health issues 
Example of email received asking for additional services for family 

They will then use this access to steal customer data, such as names, email addresses, and credit card numbers. 

Perception Point, who have reported on this, has identified 10 Steps the hackers take throughout this scam, which are listed below. 

  • Initial Booking: The hacker makes an online booking, opting for free cancellation to minimise risk. 
  • Confirmation Email: An automated confirmation email is sent to the hacker. 
  • Crafting the Reply: The hacker uses this email to reply with a specific request or question about the reservation. 
  • Adding the Lure: A link to a file-sharing service and a plaintext password are attached to the email. 
  • Targeting the Victim: The email is sent to the online booking service’s support or the hotel. 
  • Clicking the Bait: The support representative opens the email and downloads the archive using the provided link. 
  • Decrypting the Archive: The downloaded archive is encrypted but easily decrypted using the provided password. 
  • The Deceptive File: Upon decryption, an executable file with a misleading name and a PDF icon is extracted. 
  • Triggering the Trap: The representative double-clicks the executable, unknowingly launching the malicious code. 
  • Data Exfiltration: The endpoint becomes infected, and sensitive information is transmitted to the hacker. 

With this stolen data, attackers will send phishing emails to customers. These emails will often appear to be from itself and often contain urgent requests or enticing offers. For example, recent emails have advised customers they are required to carry out additional card confirmations or that the booking could be cancelled if they didn’t verify their payment method. 

The phishing emails will typically contain links to fake websites. When a customer clicks on one of these links, they will be taken to a website that looks similar to the actual website. However, the fake website is controlled by the attackers. 

Fake example – customers are completing these, unaware of the scam 

Once a customer enters their personal information on the fake website, the attackers will steal it. They can then use this information to make unauthorised purchases or to commit further crimes, including identity theft. 

Impact of the Attacks 

The phishing scams have significantly impacted, its customers and the associated hotels and bed and breakfast owners who use to generate business. has damaged its reputation and has had to spend money to investigate and remediate the attacks. Customers have suffered financial losses and had their personal information stolen, and hotels report that directly from these crimes. Customers have been cancelling bookings and events as they do not know if they will be reimbursed.  Hotels have also had to go through the process of purchasing new computer equipment or hiring specialist cyber security specialists to ensure their systems are free from malware. 

How to Protect Yourself 

There are several things that you can do to protect yourself from phishing scams: 

  • Be wary of any emails that you receive from, especially if they contain urgent requests or enticing offers. 
  • Do not click on any links in emails from, unless you are sure the email is legitimate. 
  • If you are unsure about the legitimacy of an email from, you can contact customer service directly. 
  • Never enter your personal information on a website that you are not sure is legitimate. 
  • Use a strong password for your account and enable two-factor authentication.  Don’t re-use this password across other website. One password – One site. 
  • Hoteliers and Bed and Breakfast owners should provide staff training, making them aware of the threat actors’ techniques. 

Conclusion phishing scams are a severe threat to, hoteliers and its customers. However, following the tips above, you can protect yourself from these scams. 

Related Links