Online security awareness: Social Engineering

As a Booking.com partner, you potentially have access to a huge amount of customer data: from names and addresses, to credit card details and phone numbers.

This means your extranet accounts can be a tempting target for cyber criminals and fraudsters, who will try many different things to gain access to the data held within your account.

One way they could try to gain access is by using a technique called ‘Social Engineering’.

What is Social Engineering?

Social Engineering is a technique used by criminals who try to trick or deceive you in order to gain access to sensitive information or data that you ordinarily would not disclose.

In the context of Booking.com, it can be used to try to gain access to your extranet account and steal sensitive guest data, such as personally identifiable information or payment card details.

What do Social Engineering criminals want?

In most cases, criminals will use social engineering to try and gain access to your extranet account, as that’s where the sensitive data they want is found, such as:

  • Guests’ personal information (names, phone numbers, addresses, etc.)
  • Guests’ payment details (credit card numbers)
  • Your own information (contact details, financial information, etc.)

Anything that’s shown within the extranet could be targeted if fraudsters socially engineer their way into an account.

How to identify Social Engineering

It can be difficult to recognise when Social Engineering takes place, which is what makes this technique so effective for criminals. Therefore, it’s important to keep some key principles in mind to avoid falling victim to social engineering:

Fraudsters make strange or unexpected requests

  • Criminals use this technique to try to get you to do something you would not normally do. If somebody asks you to do something for them over the phone or via email, always ask why it is being requested and who is making the request.
  • Fraudsters will often present themselves as other, trusted people. If “Booking.com” or a “general manager” at your hotel calls and makes requests that seem strange, check the number they are calling from and try to verify their identity.

Fraudsters use false urgency

  • In order to get you to carry out their requests, criminals will often try to make their requests seem urgent. They may say things like “You’ll be locked out of your account” or “Your account will be terminated” if you don’t do what they say.

Fraudsters make errors

  • Criminals will not usually know exactly how our products or procedures work, so they will often make odd requests and then try to explain that it is due to “extenuating circumstances” or that the “process has changed”.

How to protect yourself against Social Engineering

  • Fraudsters who try to socially engineer you by phone or message (SMS, WhatsApp or email) will often pretend to work for Booking.com or even claim to be an employee at your property. If you receive a strange call or message and you’re unsure, always send a message to report@booking.com before doing anything.
  • If anybody, whether they claim to work for Booking.com or even at your property, is asking for your username and/or password, do not comply with the request. Booking.com will never ask you for your username and password, and you should never share your Two-Factor Authentication (2FA) PIN code with anybody.
  • If you receive messages or phone calls asking you to make changes within your extranet account (e.g. changing contact details, adding user accounts, creating new promotions, etc.), always verify that the request is coming from a legitimate source:
    • If it supposedly came from Booking.com, call us to verify with either your Account Manager or with Customer Service.
    • If the caller claims to be an employee of your property, call that person and verify the request.

I think I’ve been socially engineered. What do I do now?

Follow these steps to secure your account:

  1. Reset your Booking.com extranet account password here.
  2. Check all the information within your extranet account to see if anything was changed (availability, promotions, contact details and new user accounts, etc.).
  3. Report it! As you have information which is considered personal (and therefore sensitive), we ask that you contact Booking.com immediately to let us know that your account may have been compromised. You can do this by emailing report@booking.com.
  4. Don’t forget to include any and all information that might be useful, such as who the caller or sender identified themselves as and what was discussed.