The peak tourist season not only brings tourists and bookings, but also an alarming increase in cybercrime. This summer, the Catalan Cybersecurity Agency issued an alert about a cyber scam targeting hotel guests, based on the impersonation of the Booking platform, one of the leading accommodation booking websites.
According to the official agency of the Generalitat (Catalan government), cybercriminals are illegally accessing hotel databases, extracting confidential information from guests who have already made real reservations through Booking. Using this data, attackers impersonate the owners or the platform itself to send fraudulent messages to users.
The modus operandi is always similar: customers receive a seemingly legitimate email or SMS informing them of a problem with their reservation payment. The message usually includes a link to a fake website pretending to be Booking.com and urges them to enter their bank details to "confirm" the payment and avoid losing their reservation. The urgency of the message, which often threatens immediate cancellation, causes many stressed victims to fall into the trap and hand over their details to cybercriminals.
The origin of this scam lies in the vulnerability of hotel IT systems, which are subject to attacks to steal databases containing sensitive information, including email addresses and phone numbers of guests with upcoming reservations. Hackers exploit these breaches to gain control and send messages to guests in the days leading up to their arrival, increasing pressure and a sense of urgency.
This type of fraud is not new: a similar case was detected in a Bilbao hotel in 2023, where 24 guests fell victim to the scam. The subsequent investigation determined that the hotel was aware of its security flaws but failed to act or inform the relevant authorities, resulting in a €7.000 fine from the Spanish Data Protection Agency.
To avoid falling victim to this practice, the Cybersecurity Agency recommends ignoring urgent messages requesting personal or banking information, or accessing links sent by SMS or email. If in doubt, it's always best to contact the hotel directly or access the official Booking platform via the app or website, where any payment or reservation issues will be formally reported.
In a context where online bookings are now the norm, this type of cyberattack threatens consumer confidence and requires accommodations to urgently strengthen their IT security systems to protect both their reputation and the integrity of their guests.
