What you need to know about online security and social engineering
As a partner on our platform, you’re likely to have access to a large amount of data related to your guests, including their names, addresses, credit card details, and phone numbers.
This means that your Extranet account can be a tempting target for cyber criminals and scammers. These criminals often try using many different techniques to gain access to this valuable data. One way they might try to do so is by using a technique called social engineering.
In this article
What is social engineering?
Social engineering is a technique used by criminals trying to trick you in order to gain access to sensitive data that you wouldn’t normally disclose to them. They may try to use this technique to gain access to your Extranet account and steal sensitive data about guests, such as personally identifiable info (e.g. their name or address) or credit card details.
Identifying social engineering attempts
It can be difficult to recognize when a social engineering attempt is taking place, which is one reason the technique is so attractive and effective for criminals. To protect yourself from becoming a victim of social engineering, it’s important to keep these key principles in mind:
- Scammers make strange or unexpected requests – for example, they might call or email you and ask you to do something for them. If this happens, always ask why they’re making this request and who it’s for.
- Scammers pretend to be someone you trust – if someone calls you and claims they work at your property or for us, check the number they’re calling from and try to verify their identity. If in doubt, hang up and call that person back using a phone number you already have for them.
- Scammers use remote desktop sessions – once they gain your trust, scammers may try to use software to view and get control of your device, including to access sensitive info. We’ll never ask to install software or share remote session info. If someone else does, you should be skeptical and not automatically agree to their request.
- Scammers leave traces of suspicious activity – if you notice changes or activity on the Extranet or other systems that you don’t recognize, report it to us here. We’ll get back to you to follow up, and if necessary we’ll help you check for any suspicious software that might be installed on your devices.
- Scammers make things seem urgent – when they call or email you, they may warn you that you’ll be locked out of your account or that it will be terminated if you don’t do what they say. Don’t let this false urgency stop you from being skeptical about their request.
- Scammers make mistakes – they won’t normally know exactly how our products or processes work, so they may make odd requests and try to explain that these are due to “extenuating circumstances” or because “the process has changed.” Consider these as red flags and contact us directly if you’re in doubt.
How to protect yourself against social engineering
- If you receive a strange or unexpected phone call, message, or email from someone claiming to work for us or at your property, report it to us here before you do anything else.
- If someone asks you to share your username, password or two-factor authentication PIN, refuse the request – we’ll never ask you to do this info.
- If someone asks you to make changes on the Extranet—such as changing your contact details, adding user accounts, or creating new promotions–make sure the person really is who they say they are. If they claim to work for us, call your account manager or our Customer Service team to check. If they claim to work at your property, call them back at a number you already have for them.
What to do if you think you’ve been a victim of social engineering
If you think you’ve fallen victim to social engineering, follow these steps to secure your account:
- Reset your Extranet account password here.
- Check if any info on the Extranet has changed, such as your property’s availability, promotions, your contact details, and user accounts.
- Report the incident to us immediately to let us know that your account may have been compromised. Include any details that might be useful when we investigate your report, such as who the person that contacted you claimed to be and what they discussed with you.
Legal & Security
- Why you need to complete the Know Your Partner (KYP) form
- Making Pulse even more secure
- What you need to know about online security and social engineering
- Online Security Awareness: Phishing
- Preventing unauthorized use of your account
- What is 2-factor authentication (2FA)?
- Requirements and regulations for surveillance devices
- Digital event security standards
- Guidelines for room key access
- Keeping your property safe and clean
- Equipping your home property with safety devices, safety kits, and emergency plans
- Protecting your home property with security devices
- Partner Liability Insurance
- Identifying and acting on potential human trafficking of refugees from Ukraine
- Report a security issue
- Online security awareness: malware
- Local laws and regulations
- How do I remove a property or end my partnership with Booking.com?
- My property is under new ownership. What should I do?
- Booking.com Animal Welfare Standards for accommodation partners
- Booking.com Animal Welfare Standards for experience partners
- Where can I find my General Delivery Terms (GDT)?
- Complying with European Union consumer law
- Mandatory host type (professional/private) assessment
- How does parity work?
- Our values and guidelines
- Offer transparency and clarity through simpler policies
- Our Supplier Code of Conduct
- [EN-US] Meeting legal requirements for tourist accommodation in French Polynesia
- Understanding Force Majeure
- Handling emergency closures
- VAT and tax withholding legislation in Mexico
- Understanding short-term rentals
- Short-term rentals: FAQs
- Everything you need to know about DAC7