Last Saturday, I received a WhatsApp message.
The interesting thing was that it contained very precise information about a booking I had with a hotel that I was going to in a few weeks.
My first reaction was, hey, I need to confirm the reservation. I want to make sure that my reservation is being kept.
At the same time, I realized that there were a couple of things that were off.
I quickly realized that this was a very well-crafted phishing message, probably caused by some data leak, either from Booking.com or from the hotel itself.
I was lucky and experienced enough to not fall for this, but I think it is valuable to share how real this thing can become and what to do when you receive something similar.
The Message
Before anything, I’m going through the content of the message. Then I’ll list the actions.

Looking at the beginning, the first red flag for me was the number, but I didn’t look at it right away.
Even though I’m in Italy, I frequently get messages from people and booking agents who write to me in English.
When you read it, you see that in the beginning there’s this number coming from the UK, and there’s this image with “guest support team” written on it, as if it’s coming from a real hotel.

Then it had something like a message that you would get from the hotel saying, “Hey, [my name]. This message is related to the booking at Hotel X,” which was correct, “from that date to this other date,” and it also included the correct Booking.com reference number.
That caught my interest because it was very real.
The Red Flags

Then there was this slight twist where they said, “Your booking is currently in a pending state and requires confirmation to remain active,” which was unusual for a normal booking.
Then I had this deadline: 11 hours and 30 minutes, which is the main thing that every phishing message usually has: some level of urgency.
You’re getting a message from a trusted source because it has knowledge about you that, theoretically, only the original source should have. Then it puts some urgency: “You have 11 hours to confirm.”

Then it continued: “please review your reservation details in an external website.”
This was an additional red flag for me.
The other thing that was strange was the website itself. That could happen, though, because sometimes hotel booking systems are on very strange websites, so it could have been possible.
“Once completed, the reservation will be automatically updated,” the message says.
If no action is taken (this is the urgency again), the reservation may be released.
At the end, they add the hotel name again. Plus, it is a WhatsApp business account with fake buttons that said “Cancel my reservation.”
What I Did
Once I realized that this was fake, I checked the domain’s WHOIS record, I checked the hotel, and I brought everything to the hotel’s attention.
Instead of acting on whatever I got from this message or replying to the number, I went to the hotel website and to my booking and asked for clarification.
They confirmed that this was not from them, so someone was impersonating the hotel.
The real problem was that the attacker had real information about the booking reference, probably because of some data leak either at Booking.com or at the hotel level.
How To Protect Yourself
These kinds of attacks are going to become even more sophisticated.
How do you protect yourself from these attacks?
First and foremost, don’t trust anything that has some level of urgency in it. Whenever they ask you for an action, confirm it and use the official communication channel.
Instead of answering a call, call them yourself.
Instead of replying to a message, send a message yourself to the hotel.
Don’t trust the calls because the caller ID can be faked in some places. Don’t trust even if they call from the right number. You need to call them yourself.
You check with them, and if that is confirmed, then you do it when you call them, not the other way around.
Never trust any message you receive whenever there’s some level of urgency.
Don’t click links. Clicking links, as I recently discovered, might expose information about you, including that the number was correct. They might also get information about your browser, your IPs, your location, depending on which browser you use.
You want to avoid interacting with any of these, and the best approach is always to report it.
Hope it helps.
