Leaving Laptops in Hotel Rooms: A Bad Idea

Real Hotel Booking Info Used in Holiday Phish

There’s a curious tale over at The Register where a couple ready to go on holiday had a very convincing email sent their way in relation to a hotel booking.

How convincing? Well, it contained all of their genuine hotel booking information for starters – and claimed to be sent from Booking.com, which happens to be the company they booked their stay through. The information included:

* Correct reservation dates * Correct hotel name * Personal information such as name, home address * Correct invoice amount

The email didn’t stop there – it also asked for payment information (CVV number) and asked for a payment to be wired to what appears to be a bank in Poland (despite the hotel being in Spain).

While it isn’t unusual for payments to show in one location when the hotel is in another – depending on how you do it or which third-party you book through, you may find your cash wings its way to an entirely different location – it is a little unusual to see wiring money mentioned and this likely set off alarm bells.

The scammers also asked for a scanned copy of the wire transfer deposit – this is often used in 419 / wire scams, because they’ll take the scan to the place where the money it sent and pretend to be the victim or a relative before wandering off with a tidy stack of notes.

The outlook on this one right now seems to be that the hotel has been targeted in some way rather than the booking website, and likely involves social engineering. If you do have a trip planned and receive emails about payments, phone the hotel and / or booking agents directly instead of replying – as you can see, these mails are 100% accurate and will probably brush aside many “But what about…” scam flags recipients would ordinarily raise.

Another type of email scam to steer clear of, then. While we’re on the subject – you may want to pretend you’re still sitting at home when you’re actually surfboarding in the Bahamas. Going on holiday has never been so difficult – or so scam laden…

Christopher Boyd

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.