A chilling new scam is sweeping across the hospitality industry, preying on travelers who’ve already secured their hotel reservations. It’s a sophisticated con, designed to steal your financial information under the guise of confirming your booking. Security experts are calling it “I Paid Twice,” and it’s rapidly gaining traction.
The scheme begins with a deceptive message – often delivered via WhatsApp or email – claiming a problem with your payment. Scammers create a sense of urgency, warning of imminent cancellation unless you “verify” your details. This isn’t a simple request; it’s a carefully crafted trap.
That message contains a link that leads to a remarkably convincing forgery. It mimics the legitimate website of popular booking platforms like Booking.com or Expedia, luring you into a false sense of security. Once there, you’re prompted to enter your credit card information, unknowingly handing it directly to criminals.
This isn’t an isolated incident. Booking.com has been a frequent target for scammers, who have previously used malware disguised as CAPTCHAs and cleverly disguised website addresses to compromise user security. The current campaign, however, represents a significant escalation in their tactics.
The attack doesn’t stop with the travelers. It begins further upstream, with a cunning social engineering attack called “ClickFix” targeting hotel managers themselves. Hackers compromise email accounts and send phishing links disguised as reCAPTCHA challenges.
Completing this “challenge” isn’t what it seems. It triggers a series of redirects, ultimately leading to the download of a Remote Access Trojan (RAT) – like PureRAT – onto the hotel’s system. This malware grants hackers complete control over the infected computer.
With access secured, criminals can steal administrative credentials, allowing them to infiltrate booking platforms and launch phishing attacks against guests. Alternatively, they can sell the stolen hotel data to other cybercriminals, expanding the reach of the scam.
Protecting yourself requires vigilance. Remember, a legitimate hotel or booking platform will rarely, if ever, contact you requesting payment verification for a confirmed reservation. That manufactured urgency is a key indicator of a scam.
If you receive a suspicious message, resist the urge to click any links or provide any personal information. Instead, contact the hotel directly – using the official phone number listed on their website, not the one provided in the message – to verify the booking details.
Your financial security depends on skepticism. Always double-check the website address before entering any sensitive information, and trust your instincts. A moment of caution could save you from becoming the next victim of this increasingly sophisticated scam.