Phishing campaign impersonating Booking.com targeting UK hospitality

13 March 2025, 16:48

Microsoft said the campaign was now posing a ‘tangible threat’ to UK-based hospitality and travel organisations.

A “rapidly evolving” phishing campaign that impersonates popular travel platform Booking.com is targeting hospitality organisations in the UK, Microsoft has warned.

Microsoft Threat Intelligence said cybercriminals had used a tactic – nicknamed “ClickFix” – to trick businesses into downloading and launching credential-stealing malware since December.

The attackers send convincing Booking.com-themed emails referencing guest reviews and account verification notices, enticing recipients to click through to a fake page that eventually enables cybercriminals to steal payment and personal data.

The theft can potentially lead to fraudulent transactions and reputational harm to the hotels and travel services.

Microsoft said the campaign was now posing a “tangible threat” to UK-based hospitality and travel organisations.

It urged businesses and consumers to contact the service provider directly if they received a suspicious email or message using contact forms listed on the official website.

Microsoft also urged firms to be wary of urgent calls to action or threats and to be cautious of email notifications that asked the recipient to click, call or open an attachment immediately.

Other tips to avoid falling victim include hovering over links to see the full URL and searching for typos, including within the body of the email, which indicate that the sender is not a legitimate, professional source.
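The "hover over the link" check can also be automated for incoming HTML mail. The Python sketch below is an added example, not code from Microsoft or Booking.com; it assumes `booking.com` is the only genuine domain, and the sample email body and `.example` hosts are constructed placeholders.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL = "booking.com"  # assumption: the only domain treated as genuine
SAMPLE = """<a href="https://www.booking.com/reviews">View review</a>
<a href="https://booking.com.guest-verify.example/login">https://www.booking.com/verify</a>
<a href="https://bookinq.example/confirm">Confirm your account</a>"""  # constructed

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
def is_official(host):
    return host == OFFICIAL or host.endswith("." + OFFICIAL)

def check_link(href, text):
    """Return reasons to distrust a link; an empty list means none found."""
    host, reasons, brand = host_of(href), [], OFFICIAL.split(".")[0]
    if is_official(host):
        return reasons
    for label in host.split("."):
        if brand in label:  # e.g. booking.com.<something else>
            reasons.append("brand name inside another domain")
        elif SequenceMatcher(None, label, brand).ratio() >= 0.8:
            reasons.append("lookalike spelling")
    # What the reader sees may itself be a URL that hides the real target.
    shown = host_of(text.split()[0]) if "." in text else ""
    if is_official(shown):
        reasons.append("displayed address differs from real target")
    return reasons or ["not an official domain"]

def scan(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

`scan(SAMPLE)` returns a mapping from each link target to its findings. The 0.8 similarity threshold is an illustrative choice and would need tuning against real mail.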

Sarah Armstrong-Smith, chief security adviser at Microsoft UK, said: “Phishing attacks are becoming more sophisticated, using advanced social engineering techniques like ClickFix to manipulate human behaviour and bypass traditional security measures.

“The recent campaign impersonating Booking.com is a clear example of how cybercriminals exploit trust and urgency to deceive individuals to gain access to sensitive information.

“Cybercriminals are constantly adapting their tactics, but by staying alert, questioning unexpected messages and behaviour, and enabling extra security measures, consumers can protect themselves against these evolving threats.”

Booking.com said: “Unfortunately phishing attacks by criminal organisations pose a significant threat to many industries. While we can confirm that Booking.com’s systems have not been breached, we are aware that unfortunately some of our accommodation partners and customers have been impacted by phishing attacks sent by professional criminals, with the criminal intent of taking over their local computer systems with malware.

“The actual numbers of accommodations affected by this scam are a small fraction of those on our platform and we continue to make significant investments to limit the impact on our customers and partners.

“We are also committed to proactively helping our accommodation partners and customers to stay protected.

“Should a customer have any concern about a payment message, we ask them to carefully check the payment policy details on their booking confirmation to be sure that the message is legitimate.

“Customers are also encouraged to report any suspicious messages to our 24/7 customer service team or by clicking on ‘report an issue’ which is included in the chat function.

“It is important to note that we would never ask a customer to share payment information via email, chat messages, text messages or phone.”

Earlier this week, Which? warned that a lack of effective checks was leaving Booking.com “wide open” to fraudsters, and called for the platform to do more to prevent fraud on its site ahead of the Online Safety Act illegal harms codes coming into effect later this month.

Booking.com was the most visited travel and tourism website worldwide in January, according to Statista.

But the Which? investigation found that an easily-hacked messaging system, failure to remove “scam” listings, and a lack of identity checks on property owners was leaving holidaymakers unnecessarily exposed on the site.

The consumer group was able to list a holiday home on Booking.com in less than 15 minutes and – unlike on Vrbo or Airbnb – Booking.com did not ask to see a driving licence or passport.

Which? said the lack of proper identity checks had led to a “deluge of dodgy listings” on the platform.

When Which? searched Booking.com reviews for the word “scam” in summer last year, it found hundreds of reviews complaining that they had paid for accommodation that did not exist.

The illegal harms codes of practice under the Online Safety Act will come into effect on March 17, requiring platforms to do more to prevent user-generated fraud on their sites by running risk assessments and having effective complaints procedures in place.

In addition, large platforms – those with seven million monthly active users in the UK – at medium or high risk of fraud will be required to have a dedicated channel to report any scams which slip through the net.

By Press Association