Online security awareness: Social Engineering

As a Booking.com partner, you potentially have access to a huge amount of customer data, from names and addresses, to credit card info and phone numbers.

This makes your Extranet account a prime target for cyber criminals and scammers, who will use various methods to access the data in your account.

One technique they could use to try to gain access is called Social Engineering.

What is Social Engineering?

Social Engineering is a technique used by criminals who try to deceive you in order to access sensitive info or data that you normally wouldn't disclose.

In the context of Booking.com, it can be used to try and gain access to your Extranet account to steal sensitive guest data, like personally identifiable information or credit card details.

What do Social Engineering criminals want?

In most cases, criminals will use social engineering to try and gain access to your Extranet account, since that’s where the sensitive data they want is, such as:

  • Guests' personal info (names, phone numbers, addresses, etc.)
  • Guests' payment details (credit card numbers)
  • Your own info (contact details, financial records, etc.)

Anything that’s shown on the Extranet could be targeted if criminals socially engineer their way into an account.

How to identify Social Engineering

It can be difficult to recognize Social Engineering, which is what makes this technique so effective for criminals. That's why it’s important to keep some key principles in mind to protect yourself from social engineering:

Scammers make strange or unexpected requests

  • Criminals use this technique to make you do something you normally wouldn't. If somebody asks you to do something for them over the phone or by email, always ask why it's being requested and who is making the request.
  • They'll often present themselves as other trusted people. If “Booking.com” or a “general manager” at your hotel calls and makes a request that seems strange, check the number they're calling from to verify their identity.

Scammers use false urgency

  • To pressure you, criminals will often make their requests seem urgent. They might say things like, “You’ll be locked out of your account,” or “Your account will be terminated” if you don’t do what they say.

Scammers make errors

  • Criminals usually don't know how our products or procedures work, so they'll often make odd requests, then try to explain that it's due to “extenuating circumstances” or that the “process has changed.”

How to protect yourself against Social Engineering

  • Scammers who contact you with strange phone calls or messages (SMS, WhatsApp, or emails) to socially engineer you will often pretend to work for Booking.com or even claim to be an employee at your property. If you’re unsure, always let us know by visiting https://report.booking.com before doing anything.
  • If anybody, whether they claim to work for Booking.com or even at your property, asks for your username and/or password, do not comply with the request. Booking.com will never ask you for your username and password, and you should never share your Two-Factor Authentication (2FA) PIN code with anybody.

  • If you receive messages or phone calls asking you to make changes within your Extranet account (e.g. changing contact details, adding user accounts, creating new promotions, etc.), always verify the request is coming from a legitimate source.

      • If it supposedly came from Booking.com, call us to verify with either your Account Manager or with Customer Service.

      • If the caller claims to be an employee of your property, call that person and verify the request.

  • If you contact us by phone, you’ll be asked for verification. This process ensures all the data in your Extranet is kept as secure as possible.

      • Only partners who manage the property’s Extranet should request changes or info.

      • We’ll ask for your name and your role/position at the property. This is to ensure we are giving the correct access to the relevant person, and in case we need to follow up on the call.

 

I think I was socially engineered. What should I do now?

Follow these steps to secure your account:

  1. Reset your Booking.com Extranet account password here.
  2. Check all your info on the Extranet to see if anything was changed (e.g. availability, promotions, contact info, new user accounts, etc.).
  3. Report it! As you have info that is considered personal (and therefore sensitive), we ask that you contact Booking.com immediately to let us know that your account may have been compromised. You can do this by clicking here.
  4. Don’t forget to include any and all info that might be useful, such as who the caller or sender identified themselves as and what was discussed.