Online security awareness: social engineering
As a partner on our platform, you’re likely to have access to a large amount of guest data, including their names, addresses, credit card details and phone numbers.
This means that your extranet account can be a tempting target for cyber criminals and fraudsters, who use a variety of techniques to try to gain access to this valuable data. Social engineering is one such technique, which is explained in this article. Two other common techniques are phishing and malware.
Understanding social engineering
Social engineering is a technique used by criminals to try to trick you in order to gain access to sensitive data that you wouldn’t normally disclose to them. They may try to use this technique to gain access to your extranet account and steal sensitive data about your guests, such as personally identifiable information (e.g. their name or address) or credit card details.
Identifying social engineering attempts
It can be difficult to recognise that a social engineering attempt is taking place, and this is one reason the technique is so attractive and effective for criminals. To help you avoid becoming a victim of social engineering, it’s important to keep these key principles in mind:
- Fraudsters make strange or unexpected requests – for example, they may call or email you and ask you to do something for them. If this happens, always ask why they’re making this request and who it’s for.
- Fraudsters pretend to be someone you trust – if someone calls you and claims that they work at your property or for us, check the number they’re calling from and try to verify their identity. If in doubt, hang up and call that person back directly using a phone number you already have for them.
- Fraudsters use remote desktop sessions – once they’ve gained your trust, fraudsters may try to use software to view and get control of your device, including to access sensitive information. We’ll never ask to install software or share remote session information, so if someone else does then you should be sceptical and avoid automatically agreeing to their request.
- Fraudsters leave traces of suspicious activity – if you notice changes or activity in the extranet or other systems that you don’t recognise, report it to us here. We’ll get back to you to follow up, and if necessary we’ll help you check for any suspicious software that might be installed on your devices.
- Fraudsters make things seem urgent – when they call or email you, fraudsters may warn you that you’ll be locked out of your account or that your account will be terminated if you don’t do what they say. Don’t let this false urgency stop you from being sceptical about their request.
- Fraudsters make mistakes – they won’t normally know exactly how our products or processes work, so they may make odd requests and then try to explain that these are due to ‘extenuating circumstances’ or because ‘the process has changed’. Consider these as red flags and contact us directly if you’re in doubt.
Protecting yourself against social engineering
- If you receive a strange or unexpected phone call, message or email from someone claiming to work for us or at your property, report it to us here before you do anything else.
- If someone asks you to share your username, password or two-factor authentication PIN code, refuse the request – we’ll never ask you to do this.
- If someone asks you to make changes in the extranet – such as changing your contact details, adding user accounts or creating new promotions – check that the person is really who they say they are. If they claim to work for us, call your account manager or our Customer Service team directly to check. If they claim to work at your property, call them back on a number you already have for them.
We discourage the use of tools that grant anonymity online (for example, but not limited to, Incognito mode) while navigating your extranet. This will help us keep you safe.
What to do if you think you’ve been a victim of social engineering
If you think you’ve fallen victim to social engineering, follow these steps to secure your account:
- Reset your extranet account password here.
- Check to see if any information in the extranet has changed, such as your property’s availability, promotions, your contact details and user accounts.
- Report the incident to us immediately to let us know that your account may have been compromised. Please include any information that might be useful when we investigate your report, such as who the person who contacted you claimed to be and what they discussed with you.