Online security awareness: Social Engineering
As a Booking.com partner, you potentially have access to a huge amount of customer data: from names and addresses, to credit card details and phone numbers.
This means your extranet accounts can be a tempting target for cyber criminals and fraudsters, who will try many different things to gain access to the data held within your account.
One way they could try to gain access is by using a technique called ‘Social Engineering’.
What is Social Engineering?
Social Engineering is a technique used by criminals who try to trick or deceive you in order to gain access to sensitive information or data that you ordinarily would not disclose.
In the context of Booking.com, it can be used to try to gain access to your extranet account and steal sensitive guest data, such as personally identifiable information or payment card details.
What do Social Engineering criminals want?
In most cases, criminals will use social engineering to try and gain access to your extranet account, as that’s where the sensitive data they want is found, such as:
- Guests’ personal information (names, phone numbers, addresses, etc.)
- Guests’ payment details (credit card numbers)
- Your own information (contact details, financial information, etc.)
Anything that’s shown within the extranet could be targeted if fraudsters socially engineer their way into an account.
How to identify Social Engineering
It can be difficult to recognise when Social Engineering takes place, which is what makes this technique so effective for criminals. Therefore, it’s important to keep some key principles in mind to avoid falling victim to social engineering:
Fraudsters make strange or unexpected requests
- Criminals use this technique to try and get you to do something you would not normally do. If somebody asks you to do something for them over the phone or via email, always ask why it is being requested and who is making the request.
- Fraudsters will often present themselves as other, trusted people. If “Booking.com” or a “general manager” at your hotel calls and makes requests that seem strange, check the number they are calling from and try to verify their identity.
Fraudsters use false urgency
- In order to get you to carry out their requests, criminals will often try to make their requests seem urgent. They may say things like “You’ll be locked out of your account” or “Your account will be terminated” if you don’t do what they say.
Fraudsters make errors
- Criminals will not usually know exactly how our products or procedures work, so they will often make odd requests and then try to explain that it is due to “extenuating circumstances” or that the “process has changed”.
How to protect yourself against Social Engineering
If you receive strange phone calls or messages (SMS, WhatsApp or emails) from a fraudster trying to socially engineer you, they’ll often pretend to work for Booking.com or even claim to be an employee at your property. If you’re unsure, always let us know by visiting https://report.booking.com before doing anything.
If anybody, whether they claim to work for Booking.com or even at your property, is asking for your username and/or password, do not comply with the request. Booking.com will never ask you for your username and password, and you should never share your two-factor authentication (2FA) PIN code with anybody.
If you receive messages or phone calls asking you to make changes within your extranet account (e.g. changing contact details, adding user accounts, creating new promotions, etc.), always verify the request is coming from a legitimate source.
- If it supposedly came from Booking.com, call us to verify with either your Account Manager or with Customer Service.
- If the caller claims to be an employee of your property, call that person and verify the request.
If you contact us by phone, you’ll be asked for verification. This process ensures all the data in your extranet is kept as secure as possible.
- Only partners who manage the property’s extranet should request changes or information.
- We’ll ask for your name and your role/position at the property. This is to ensure we are giving the correct access to the relevant person, and in case we need to follow up on the call.
I think I’ve been socially engineered. What do I do now?
Follow these steps to secure your account:
- Reset your Booking.com extranet account password here.
- Check all the information within your extranet account to see if anything was changed (availability, promotions, contact details and new user accounts, etc.).
- Report it! As you have information which is considered personal (and therefore sensitive), we ask that you contact Booking.com immediately to let us know that your account may have been compromised. You can do this by clicking here.
Don’t forget to include any and all information that might be useful, such as who the caller or sender identified themselves as and what was discussed.