
Euroconsumers’ Belgian member Testachats/Testaankoop is asking victims of fraud on Booking.com to share their experiences. This will help build a full picture of the extent of consumers’ financial losses on the popular holiday site and help push for better practice.
For several years now, Testachats/Testaankoop and our other members in Portugal, Italy and Spain have received reports from people who were made victims of fraud on the Booking.com platform. Consumers have reported that their accounts or the accounts of the accommodation were hacked, or that they came across false adverts and fake hotels.
Cybercriminals who hack into the platform can access lots of customers’ personal data, which is then exploited in different phishing attempts, costing consumers significant amounts of money.
Someone who’s made a regular booking on the site receives a follow-up message via WhatsApp or sometimes directly on the Booking.com platform.
The message is from an individual pretending to be a booking manager, claiming that due to an error, the booking must be paid for again in full or it will be cancelled.
This is then followed up by another email that appears to have been sent by booking.com, which reinforces the first phishing attempt.
Both the messages are very convincing as all the important data like the name of the hotel, the dates of the reservation, the customer’s phone number and the booking.com email address are correct.
This level of detail makes this fraud very hard to spot. The fact that some messages originate within the Booking.com site or use the domain name, plus the anxiety created by the deadline to make a payment, makes it even more likely that someone will make the payment.
This type of scam is happening all over Europe, and consumers are now fighting back. A recent complaint has been made about booking.com to the relevant authorities due to a recent attempted scam. Here’s what happened:
In Italy, after using booking.com to secure accommodation for a family holiday in Naples, the customer received a WhatsApp message from someone posing as the ‘check in manager’ of the property claiming that their payment had been declined.
They then pressurised the victim into clicking on a verification link that requested their card details, which had to be provided within 24 hours or the booking would be cancelled.
On the same day, they received an email and a corresponding message in the booking.com platform’s internal mailbox system. Both of these messages were labelled as having arrived “via booking.com” and, significantly, bore the domain name @property.booking.com.
Because the company is registered in the Netherlands, complaints about data protection problems can be made directly to the Dutch Data Protection Authority (AP). Complaints can be brought on the basis that, as data controller under the GDPR, booking.com has primary responsibility for ensuring the security, integrity, and lawful processing of personal data and that it has failed in this duty.
The consumer affected has now lodged a formal complaint with the Dutch Data Protection Authority stating that in its capacity as data controller, booking.com failed in its duty to ensure the secure, integral, and lawful processing of personal data.
He wants booking.com to be reprimanded and required to implement measures to stop this happening again, and he wants to exercise his right to be compensated for the distress and time spent trying to remedy the situation.
The Dutch authorities have already taken action on booking.com’s data protection activity. In 2020, following a late notification of a data breach, the Dutch AP fined the platform 475,000 euros.
And, by not warning its users of the leak of their personal data or the risks of scams that result from it, Euroconsumers and Testachats/Testaankoop believe that booking.com is in breach of its data security obligations, as defined by the GDPR.
This lack of proper protection for consumers’ data relates directly to frauds and scams:
“In our view, the scale and repetition of these incidents reveal systemic flaws in the processing of data by booking.com.
These are not isolated scams, but rather a structural problem affecting the safety of millions of people. Booking.com must better protect its users; it is a European obligation for such large platforms.”
Julie Frère, spokesperson for Testachats/Testaankoop
In collaboration with Euroconsumers, Testachats/Testaankoop decided to launch a call for testimonies to help us better understand the extent of fraud related to booking.com. The experiences of the victims will allow us to evidence and strengthen future actions to achieve better protection for users.
Consumers can share their experiences here:
______________________
The stories coming out of booking.com show that scams and fraud are everywhere and can happen to anyone.
Euroconsumers’ 2024 survey found 92% of respondents had experienced a scam within the last two years, and 72% of people wanted the EU to prioritise fighting online financial fraud.
In the meantime, our members in Italy and Spain continue to fight on every front against fraudsters who are set on stealing consumers’ data, money and time.
The Italian communications regulator, Agcom, has ordered telcos to use an anti-spoofing filter to stop the growing numbers of fake calls reaching consumers’ phones.
Spoofing is where a fraudulent caller poses as a bank or credit card company to try to convince people to share their card and banking details.
The messages are often pre-recorded, but with advances in generative AI, the voices are becoming all too convincing.
The advocacy of Altroconsumo, Euroconsumers’ member in Italy, on behalf of consumers contributed to Agcom’s policy change, and it was pleased to see the proposal to proactively block calls in the final resolution.
Telephone operators now have six months to put filters in place and give consumers some peace of mind when calls come in.
In Spain, our member OCU has been pushing for a broad set of amendments to consumer protection laws related to unsolicited or ‘cold’ calls.
They welcomed a significant change in the proposal to deem contracts that consumers entered into via an unsolicited call null and void, as this type of approach is in breach of the regulations.
OCU were also pleased to see that new requirements will be introduced that will make it much harder for companies or potential fraudsters to hide their identity and number when they call consumers.
The new measures will prevent consumers receiving messages and calls that use false caller IDs which do not belong to the company or organization that is calling.
However, OCU is urging the regulator to put these measures into force as soon as possible to make sure consumers are protected without delay.
Rewatch Euroconsumers’ Start Talking webinar on what could be coming next here: “The future of scams: AI enters the ring”, with Brent Carey (Netsafe NZ), Hannah Shimko (Online Dating Association) and Jorij Abraham (Global Anti Scam Alliance).