Booking.com email scam: what phishing message looks like, how to protect yourself and report emails

The fake email claims to offer people a discount off their booking - but it’s not real

The weather is getting better, the days are longer and temperatures are rising - and so many of us are starting to think about our 2023 summer holiday. Whether you staycation or travel abroad, you will need somewhere to stay and one of the most popular online retailers people use to find their ideal holiday accommodation is Booking.com.

Unfortunately, it’s not only real customers who are aware of the popularity of this site; scammers are too. Cyber security software company Trend Micro has reported that imposters are taking advantage of people’s desire for a getaway, and to save money as the cost of living crisis continues, by creating a fake email which promises an enticing saving. But it’s a phishing email and it’s all a lie.


Phishing emails are common and are created by hackers to try to trick unsuspecting people into revealing personal details, such as financial information. Don’t worry though, we’ve got all you need to know about this scam email below so you know how to spot it, and what to do to protect yourself and your sensitive data if you get it.

What does the email say?

The email claims to offer customers a 20% discount off their booking, according to a report by Trend Micro News, but there’s a catch - people supposedly have to verify their identity to be able to get the money off, but it isn’t legitimate. The email reads “Congratulations! You have a code for a 20% discount at any hotel in the world.” It follows: “to get the code, you need to verify your identity”, and then below this there is a blue button that states if people push it they will be able to verify their account. People, of course, should not press the button as doing so could leave their personal information exposed and vulnerable.

How can you tell that the email is a scam?

At first glance, the email looks like it could be legitimate, particularly as the signature blue Booking.com logo and blue banner have been copied across the top of the message. There are some telltale signs that the email is a fake though. The first is that the deal is allegedly very generous. Now, we’re not saying that genuine discounts can’t be as good, but saying that the discount applies to any hotel in the world makes it seem as though the possibilities are endless and that, in turn, makes you feel very lucky to have it. We all know that real discount codes usually have certain caveats attached to them and it’s quite rare to get a discount off everything from a retailer’s range, especially such a high level discount. Coupled with the use of the word “congratulations” and the exclamation mark, this all adds to the feeling of excitement the scammers are hoping to evoke, as it is this feeling that could make people behave more impulsively and fall victim to their scam.

Another clue that the offer isn’t real is the subject line of the email: “Re: verify your account”. If Booking.com really were offering their customers a discount then they would put that in the subject line of the email, as it is this which would make people click on it.


If you receive any email which you suspect may be fake, one of the first things to do is to look at the email address it has come from. In this instance, the email address which the scam has come from is unknown, but in a lot of cases the email address is very obviously not a legitimate company email, or a name included in it is spelt wrong. There are also sometimes spelling or grammatical errors throughout the body of the email, although that is not the case with this particular example. Booking.com states that “emails from Booking.com should always come from an account ending in ‘@booking.com’, regardless of the subdomain.”

Scam emails are also frequently sent to people who do not actually have a real account on the website they are pretending to be from. So, in this instance, if you have not used Booking.com before then this is obviously an indicator that the email is a scam as there would be no reason for the legitimate company to get in touch with you or have your contact information.

What should you do if you get the email?

If you get the scam email, it is important not to click on the “verify your account” button as doing so will leave your device vulnerable to the hackers. Some scams may require a victim to actually enter their details, such as their bank details or other personal details like passwords, but in some cases even just clicking on the link will allow scammers access to private information with no requirement to specifically enter in any details.

Booking.com advises that you can check the real destination of a link by hovering your mouse over it if you are on a laptop, or by tapping and holding it if you’re on a mobile device, to see where the link will actually take you if you click it. If the link doesn’t take you to an address ending in ‘.booking.com’ then don’t click on it as it’s not legitimate.
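
The sender and link checks described above can also be automated. The following Python sketch is an added example, not code from Booking.com or Trend Micro; the sample message and its ".example" domains are constructed, and it assumes "ending in booking.com" means the domain booking.com itself or any subdomain of it.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "booking.com"

def is_trusted_host(host):
    """True only for booking.com itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    # Requiring the leading dot rejects "notbooking.com"; matching at the
    # end of the host rejects "booking.com.verify.example".
    return host == TRUSTED or host.endswith("." + TRUSTED)

class LinkCollector(HTMLParser):
    """Collects the real href targets, ignoring the visible link text."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def check_email(raw):
    """Report whether the sender domain is trusted and list off-domain links."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    bad = [u for u in collector.links
           if not is_trusted_host(urlsplit(u).hostname)]
    return {"sender_ok": is_trusted_host(sender_host), "suspicious_links": bad}

# Constructed sample modelled on the wording quoted in this article.
SAMPLE = """From: "Booking.com" <offers@booking.com.deals.example>
Subject: Re: verify your account
Content-Type: text/html

<p>Congratulations! You have a code for a 20% discount at any hotel.</p>
<a href="https://secure.booking.com/help">Help</a>
<a href="https://booking.com.verify.example/login">Verify your account</a>
<a href="https://notbooking.com/x">Terms</a>
"""

if __name__ == "__main__":
    print(check_email(SAMPLE))
```

A passing sender check is only a first filter, because the From header of an email can be forged.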


The retailer has also asked people to contact them within 24 hours of receiving a suspected scam email. You will need to send all relevant details, such as a copy of the suspicious email you received or any unrecognised activity in your account. If you do have a Booking.com account, it is also a good idea to reset your password in case your account has been compromised in any way. 

How can you report the scam email?

If you get the scam email, you should report it to the Booking.com security team and then delete it. It is also recommended that you report the email to Action Fraud by calling 0300 123 2040 or using their online reporting form. You can also forward the suspicious email to [email protected].
