Online security awareness: Phishing
As a partner on our platform, you probably have access to a large amount of guest data, including names, addresses, credit card details, and phone numbers.
This means your Extranet account can be a tempting target for cyber criminals and fraudsters, who use a variety of techniques to try to gain access to this valuable data. Phishing is one such technique, and it’s explained in this article. Two other common techniques are malware and social engineering.
Understanding phishing
Phishing is a type of cyber attack carried out by someone pretending to be someone else in order to steal or earn money or data. Phishing is the most common method by which organizational breaches occur.
Phishing attempts are usually aimed at stealing:
- Guest reservation data
- Personal info of employees and guests
- Credit card info
- Money, by tricking staff or compromising systems
Phishing attacks most commonly target individuals or organizations with valuable data. Accommodation partners like you can become targets because of the type of sensitive and valuable data held on the Extranet. Fraudsters may attempt to mimic our emails in order to phish your username and password for the purposes of taking over your account. These phishing emails can lead to a webpage that looks very similar to the Booking.com Extranet login page – but if you look at the URL address bar, you’ll notice differences. The key to protecting your business is to report these emails to us as soon as you spot them.
If we detect suspicious activity in your Extranet account, we’ll immediately disable the ability for your property to include links in any messages you send your guests via our platform. This is to prevent cybercriminals from impersonating you and exploiting this messaging channel to send fraudulent payment links to guests, particularly in the event of a phishing attack on your property.
Identifying phishing attempts
You probably receive suspicious emails every day. Depending on your email client, these suspicious messages may be flagged or automatically moved to the spam folder, but some may get through. You can spot these by keeping an eye out for:
- Urgent language
Phishing emails tend to create a false sense of urgency, such as threats of your Extranet account being suspended, or an urgent email about your financial situation. Fraudsters will always adapt their techniques to make their phishing emails look as legitimate as possible.
- Errors and mistakes
Keep an eye out for spelling errors or grammatical mistakes. If you spot numerous mistakes, or a mix of different languages in the same email, it’s likely a phishing email. Typically, a phishing email will also be written entirely or partially in a language that doesn’t match your own. You can always check who the real sender is in the “From:” field of your email client, or by checking the sender located inside the arrowheads (“<,” “>”). Emails from Booking.com should always come from an account ending in “@booking.com,” regardless of the subdomain. An email address like “support@booking-103266.com” isn’t from Booking.com and is definitely malicious. Don’t interact with such emails – report them as spam instead.
What to do if you suspect a phishing attempt
If you suspect your computer or laptop has been infected with malware, try performing one or more of the following steps:
- Reset your email account password first, then reset your Booking.com account password. To do this, go to http://admin.booking.com, type in your username, then click “Having trouble signing in?”
- Scan your device with an updated malware scanner. Not all phishing attacks steal passwords – some can have malicious software embedded in a file that may be malware, spyware, ransomware, or a virus. It’s very important to scan your device if you think you’ve clicked on a malicious link or downloaded unrecognized files.
- Contact us within 24 hours of a suspected or actual phishing attack. This allows us to start securing your business and your guests as quickly as possible. Don’t forget to include all relevant details, such as a copy of the suspicious email you received, or any unrecognized activity in your account. Click here for instructions on how to safely forward a suspicious email as an attachment.
Protecting your organization from phishing attempts
To avoid potential security breaches before they happen, we recommend taking the following proactive steps to protect yourself from fraudsters impersonating Booking.com:
- Bookmark the correct Extranet link
Manually type https://admin.booking.com/ into your browser. You’ll see the secure lock icon next to the address. Bookmark this page and use this link to manage your property. Learn more about preventing unauthorized use of your account in this article.
- Double-check email addresses
Don’t automatically trust the email display name. Check the email address in the “From” header – if it looks suspicious, don’t open the email. Here are a few examples of trusted Booking.com email addresses:
@property.booking.com
@guest.booking.com
@mailer.booking.com
@partners.booking.com
- Check links
Check the real destination of a link by hovering your mouse over it—or by tapping and holding the link if you’re on a mobile device—to see where it’ll actually take you if you click it. If the link doesn’t take you to an address ending in “.booking.com,” don’t click it.
- Report suspicious emails
Always report suspicious emails to the Booking.com Security team. After you do so, move the email to the trash. You can do so by clicking here prior to moving the email to your trash.
- Limit the use of tools that grant online anonymity
We discourage the use of tools that grant anonymity (e.g. Incognito, private modes, etc.) online while navigating the Extranet. This will help us keep you safe.
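For teams that triage reported emails, the “Double-check email addresses” and “Check links” steps above can be automated as shown in this added example, which is not Booking.com code. The two sample messages, the host under “.invalid” and the “noreply” mailbox name are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "booking.com"  # domain the article says genuine mail and links end in

# Constructed sample messages (not real emails).
PHISH = '''From: "Booking.com Support" <support@booking-103266.com>
Content-Type: text/html

<a href="https://admin.booking.com.example.invalid/login">https://admin.booking.com/</a>
'''
GENUINE = '''From: "Booking.com" <noreply@mailer.booking.com>
Content-Type: text/html

<a href="https://admin.booking.com/">Extranet</a>
'''

def is_trusted_host(host):
    """True only for booking.com itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    # Compare the END of the name: "contains booking.com" is not enough.
    return host == TRUSTED or host.endswith("." + TRUSTED)

class _Links(HTMLParser):
    """Collects the href of every <a> tag, i.e. what 'hovering' would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_message(raw):
    """Return (sender_ok, links whose real destination is not under booking.com)."""
    msg = message_from_string(raw)
    # parseaddr separates the display name from the address inside < >.
    _, addr = parseaddr(msg.get("From", ""))
    sender_ok = is_trusted_host(addr.rpartition("@")[2])
    parser = _Links()
    parser.feed(msg.get_payload())
    bad = []
    for url in parser.hrefs:
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL: treat as untrusted
            host = None
        if not is_trusted_host(host):
            bad.append(url)
    return sender_ok, bad
```

A passing sender check only shows that the visible “From” address is under booking.com; a message with a suspicious link should still be reported.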