Ten ways to avoid scams when booking travel

Young woman at Barcelona airport checking the flight schedule (Credit: martin-dm/Getty Images)

With news of Booking.com hackers increasing attacks on customers, we ask two cyber-security and travel fraud experts for their top tips on how to protect yourself when booking a trip.

When a cyber-criminal sent Isabel Wagner an email, pretending to be the hotel she'd just booked, it's unlikely that the would-be fraudster knew who she was. Wagner, an associate professor in cyber security at Switzerland's University of Basel, has devoted her career to researching how to keep personal data private. She wasn't going to be an easy mark.

"Congratulations on your new booking!", the email read. "To ensure the successful confirmation of your booking, please take the following step by clicking the provided link. As a safeguard for your reservation, the system temporarily earmarks funds, which will be requested at check-in. Rest assured that these funds will solely be used to secure your reservation, and payment will be due upon your arrival."

The email appeared to come through the Booking.com system, which she'd used to place the reservation, and it used Booking.com's logo. Still, Wagner wasn't convinced. The email didn't address her by name. The link it tried to send her to, which wasn't a booking.com link, wasn't clickable: she would have had to copy and paste it.

And there was the small matter of the warning she'd received right after making her original Booking.com reservation. "Please note that we never send you… requests for any payment with a QR code and/or a link", the email – which actually was from her hotel – had read. "If you receive any message about these subjects please ignore the message, keep secret your private information details and contact Booking.com customer service care".

Needless to say, Wagner didn't copy and paste the link – and didn't lose her money. But not everyone has been so lucky.

As BBC News recently reported, hackers increasingly have been targeting businesses that use Booking.com, first contacting hotels with a phishing email, getting hotel staff to click a link that downloads malware onto the hotel's computers and searches for customers with Booking.com reservations. Then hackers email those customers, like Wagner, directly. Any payment a client makes, of course, goes to the hackers – not the hotel. The scam is paying "serious dividends", one threat intelligence expert told BBC News.

One in three travellers have been scammed – or know someone who has (Credit: monkeybusinessimages/Getty Images)

It is one of hundreds of scams that catch travellers out each year, from tourists showing up at their Airbnb only to find it doesn't exist to buying an airline ticket that vanishes before check-in. In 2022, the US's Federal Trade Commission (FTC) received more than 55,330 reports of travel fraud (including regarding timeshare properties), adding up to a $49m loss in total. A survey of 7,000 people across seven countries by computer security software company McAfee, meanwhile, found that one in three travellers have been scammed or know someone who has – and a third of these lost $1,000 or more before their holiday even began.

Whether you're booking a flight, a hotel or you're currently on the road, here are 10 tips from cyber-security and travel fraud experts on how to protect yourself.

1. If the matter seems urgent or you feel pressured, that's your first red flag.

While there are many kinds of scams, they almost all have one characteristic in common: they make the target feel as if there's something they must do as urgently as possible, at risk of losing, say, their booking. "Scammers try to play on your emotions, or they try to get you to react quickly – like, if you don't take action, then there are going to be disastrous consequences. But in reality, there aren't many scenarios like that, right? You're very unlikely to receive a message from a hotel saying that, if you don't do something in the next 30 minutes or 60 minutes, you're going to lose the booking," said Oliver Devane, a senior security researcher at McAfee Labs who investigates tourism cyber scams. "Alarm bells should be going off if you're being pressed to do something quickly."

That's especially true regarding customer-facing businesses, like hotels, Devane adds. "The service industry just doesn't work like that – it's meant to be a nice experience," he said.

2. Know that almost anything can be faked

Wagner's email had some suspicious details, like the unrelated hyperlink. But other phishing emails are far more professional – and might not have any tell-tale signs at all. "A few years ago, my bank sent a message that said, 'When we email you, we will always include your name, and that's how you know that this is genuine'," Wagner said. "That advice hasn't aged very well."

Today, anything can be faked, experts say: a message can not only include a target's name, but can even send the recipient to a webpage that looks identical to that of the legitimate business.

3. Never click on a link or download an attachment from an email purporting to be a business – and never send money because an email asks for it

The fact that these emails can be so convincing, experts say, is why you should just avoid certain actions no matter how legitimate the message looks. "If an email comes asking for money, never trust it," Wagner said.

Many travellers have been taken in with fake rental listings or hotels that don't exist (Credit: fotoVoyager/Getty Images)

4. When in doubt, contact the business or third-party platform directly (but don't use the contact details you find in the message)

If you think there is a real reason you may need to pay for a hotel or service you booked, call them directly – but use a telephone number from the company's website online, not from an email. If the message came via a third-party booking service like in the Booking.com scam, you should go to that booking service and contact their customer service directly to find out if it's legitimate.

"The Booking.com scam is pretty sophisticated, because the message that the victims receive comes from Booking.com. And they would probably think, 'Well, if it's coming from them, it is going to be legitimate'," said Devane. "But the big red flag is them trying to get you to go off of the platform."

5. Beware of clicking online ads

Thanks to the speed and granularity of online data harvesting, as soon as you start researching an upcoming holiday, you're likely to see related online advertisements pop up. But some may be fraudulent. The most convincing ones may even send you to a site that looks like a third-party booking engine you've heard of before, but is, in fact, fake.

Always double-check the legitimacy of any company that's being advertised and, when you do your online research, consider using a virtual private network (VPN), which encrypts data sent between your device and the router, and a browser that blocks ad tracking, like DuckDuckGo. If you're using security software, make sure you're using a browser that that software supports, added Devane.

6. Only use reputable third-party booking sites

It might seem counterintuitive, given that scammers have targeted a reputable, third-party booking site like Booking.com. But a number of other scams have involved third-party sites that promise to book, say, airfare, take your money… and never buy (or provide) the ticket.

So if you are going to use an aggregator or third-party booking site (rather than booking direct with a hotel or airline), experts say it's safer to use large, brand-name companies you may have heard of – while still following all the other safety tips outlined here.

And if you can't remember the exact web address of the third-party booking site and have to put it into a search engine, make sure you don't then click on the ads that come up from the search; instead, click on the organic search result itself.

7. Look for reviews

Numerous travellers have been taken in with fake apartment rental listings. And even when not using a third-party booking site, it's possible to get conned – scammers can target you with fake ads for a hotel that doesn't exist, for example. One aspect to look for is whether the property has reviews, and again, if you're targeted with an ad for a business, to make sure it actually exists on third-party review sites like TripAdvisor and Booking.com.

8. Never pay with a wire transfer

Consumer protection regulations generally mean that, if you use a credit card or a debit card, you're protected from fraudulent transactions – in other words, you usually should be able to get your money back (although at a cost of time and hassle). But that often doesn't extend to wire transfers, or to payments with other methods, like cryptocurrency or gift cards. (Even if you've lost money by paying with something like a wire transfer or gift card, the FTC still suggests you try to get the money back; here's what they suggest. Citizens Advice has UK-specific recommendations.)

Open wi-fi networks in airports are a common way for hackers to capture personal data (Credit: Simonkr/Getty Images)

9. Don't let down your guard once on the road

It's easy to relax once you've arrived at – or even are en route to – your destination. After all, what could possibly go wrong from here? Plenty, cyber security experts warn.

In particular, open wi-fi networks are a common way for hackers to capture personal data or to install malware on your device. In fact, one survey found that four in 10 people have had their personal information compromised while using public wi-fi. Using an open network at an airport, where you may be accessing sensitive information such as passport details, can be especially problematic – it's where most respondents had their information compromised – but no network is 100% safe. If you must use public wi-fi, ensure that it's a secured network with encryption technology, experts say, and consider using a VPN.

Even private wi-fi networks such as those at hotels or apartment rentals can be used for nefarious purposes, says Devane. That's why he always uses a VPN. In addition, he makes sure to log out of any accounts he logged into – like Amazon or Netflix – before leaving a property.

You should also only use your own chargers for your devices and plug directly into outlets, avoiding public charging stations or chargers provided by anyone else, like apartment hosts. Earlier this year, the FBI even put out an alert warning that charging stations were being used by hackers to introduce malware and monitoring software – dubbed "juice jacking" – onto devices.

10. Consider using a travel agent

One way to avoid all the hassle and worry around protecting yourself? Hire a real person to do your bookings for you. In fact, while travel agents might seem passé, the industry is on the rise – in no small part, it seems, because of tourists wanting an extra bit of protection, particularly after all of the travel snafus of the pandemic.

Still, using a travel agent isn't for everyone. "I thought about the last time that I saw a travel agent, physically. I couldn't remember," Wagner admitted. For her – and those like her – who will keep booking travel online, there are, fortunately, other ways to protect yourself.
