Online security awareness: Social Engineering

As a Booking.com partner, you potentially have access to a huge amount of customer data – from names and addresses, to credit card details and phone numbers.

This makes your Extranet account a tempting target for cyber criminals and scam artists, who will try many different things to gain access to the data held in your account.

One way they could try to gain access is a technique called Social Engineering.

What is Social Engineering?

Social Engineering is a technique used by criminals who try to deceive you in order to gain access to sensitive info or data that you wouldn't typically disclose.

In the context of Booking.com, it can be used to try and gain access to your Extranet account to steal sensitive guest data, like personally identifiable information or credit card details.

What do Social Engineering criminals want?

In most cases, criminals will use social engineering to try and gain access to your Extranet account, since that’s where the sensitive data they want is, such as:

  • Guests' personal info (names, phone numbers, address, etc.)
  • Guests' payment details (credit card numbers)
  • Your own info (contact details, financial information, etc.)

Anything that’s shown on the Extranet could be targeted if criminals socially engineer their way into an account.

How to identify Social Engineering

It can be difficult to recognize Social Engineering, which makes this technique so effective for criminals. That's why it’s important to keep some key principles in mind to avoid falling victim to social engineering:

Scam artists make strange or unexpected requests

  • Criminals use this technique to try and make you do something you normally wouldn't. If somebody asks you to do something for them over the phone or by email, always ask why this is being requested and who is making the request.
  • They'll often present themselves as other, trusted people. If “Booking.com” or a “general manager” at your hotel calls and makes a request that seems strange, check the number they're calling from to verify their identity.

Scam artists use false urgency

  • To pressure you to carry out their requests, criminals will often make their requests seem urgent. They might say things like, “You’ll be locked out of your account,” or “Your account will be terminated” if you don’t do what they say.

Scam artists make errors

  • Criminals won't usually know exactly how our products or procedures work, so they'll often make odd requests, then try to explain that it's due to “extenuating circumstances” or that the “process has changed.”

How to protect yourself against Social Engineering

  • If you receive strange phone calls or messages (texts, WhatsApp or emails) from a scam artist trying to socially engineer you, they’ll often pretend to work for Booking.com or claim to be an employee at your property. When in doubt, always send a message to report@booking.com before doing anything else.
  • If anybody, whether they claim to work for Booking.com or even at your property, asks for your username and/or password, do not comply with the request. Booking.com will never ask you for your username and password – you should never share your Two Factor Authentication (2FA) PIN with anybody.
  • If you receive messages or phone calls asking you to make changes on your Extranet account (e.g. changing contact details, adding user accounts, creating new promotions, etc.), always verify the request is coming from a legitimate source.
    • If it supposedly came from Booking.com, call to verify with your Account Manager or Customer Service.
    • If the caller claims to be an employee of your property, call that person and verify the request.

I think I’ve been socially engineered. What do I do now?

Follow these steps to secure your account:

  1. Reset your Booking.com Extranet account password here.
  2. Check all the info on your Extranet account to see if anything was changed (e.g. availability, promotions, contact details, new user accounts, etc.).
  3. Report it! Since you possess info that's considered personal (and therefore sensitive), we need you to contact Booking.com immediately to let us know that your account might have been compromised. You can do this by emailing report@booking.com.
  4. Don’t forget to include any and all info that could be useful, like who the caller or sender identified themselves as and what exactly was discussed.