Scammers target leading online travel agent

By Bob Howard
Reporter, Money Box

image copyrightThinkstock

Online travel agent has admitted that it has had to compensate customers whose personal details have been stolen.

Guests booking hotel rooms have unwittingly handed over money to criminals.

By accessing reservations, the crooks have been able to obtain contact details to send customers demands for prepayment. says it is countering the fraudsters. is one of the biggest online travel agents. The Netherlands-based firm boasts on its website that every day customers book 700,000 room nights in more than 200 countries.

Bogus emails

Claire Coldwell from West Yorkshire used to book hotel rooms for her and her colleagues who were attending a trade fair in London.

She expected to pay at the end of her stay, but then she received emails and calls that said something different: "I got an email supposedly from saying that, because of the unusually high demand for those dates, the Hilton had taken the decision to ask for prepayment in full for the whole week."

That would have meant Claire paying £3,000 in advance.

Claire then got an email supposedly from the Hilton requesting the same thing: "They had everything like the reservation number, names of guests and the logos looked accurate."

Claire was suspicious, not least because the email referred to an airport transfer and her group were going to London by train.

So she phoned and was told to ignore the emails because the company never asked for payment up front.

Fraud alert

It then sent an email to Claire that confirmed this had been an attempt to steal her money by criminals: "We have been informed that scammers are targeting some customers in an attempt to gather data. If you are asked to make a payment which differs to your policy via bank transfer or other means, please do not make a payment."

But some customers have been targeted in an identical way since at least August, and have paid up.

Jane from Niagara Falls in Canada used to reserve a room for a four-day stay in London.

She too received an email purporting to be from but she had no reason to believe it was anything other than genuine: "It looked very authentic. I fell for it. We paid approximately 1,500 Canadian dollars, around £700 sterling."

She complained to and it refunded her.

Peter Kornelisse, chief security officer at, said the firm was on top of the problem: "We estimate around 10,000 people are affected. We are protecting our customers, hotels and continuously. We have a battle against organised crime. We've made technical improvements in several areas. " said that once it noticed that a guest was affected by phishing activities, it immediately notified that individual guest.

It said its dedicated security teams were also working to contact and support accommodation partners who may have been affected by this situation.

But Ramesh Siram, the general manager of the Shoreditch Inn in London, felt was slow to appreciate the scale of the problem: "We tried to contact them many times and all of the customer service agents, whoever we spoke to, were not aware of the situation. That's not really great or helpful for us. We needed to profoundly apologise to them, even though it's not our mistake."

Eventually, he said the hotel received an email from warning about the attacks and asking it to be vigilant.

The British Hospitality Association, which represents the hotel industry, confirmed to Money Box this week that it knew of eight hotels where customers had had similar problems.

And has told us customers from the UK, US, France, Italy, the UAE and Portugal had all been affected.

Those that have lost money have had it refunded.

Security issues

When told of this problem, Rik Ferguson from internet security firm Trend Micro, decided to test the system.

By registering as a fictitious hotel, he found you could access the system with a log-in and password.

He says if these log-in details were obtained, customer security would be compromised: "With a site like, the fact that they deal with millions of people's personal and financial information means they should be taking the utmost care in protecting the access to this information. If it's just a simple user name and password, that's not the utmost care." has insisted it is not the victim of a data breach but that criminals are obtaining customer details by sending messages to hotels to acquire guest details.

Peter Kornelisse said was doing its best to warn customers but the fraud threat was constantly evolving: "We do inform customers to a certain extent. We can warn today about a specific scenario that takes place and the next moment we have a different scenario. We contacted all the guests who are affected by the phishing attacks and we took the burden of our guests."

Hilton and other hotels Money Box has spoken to have strongly denied the frauds are the result of a breach of their systems or websites.

A Hilton Worldwide spokesperson said: "Our initial investigation has found this incident is not the result of a breach of Hilton systems or websites. We have asked to ensure their investigation is thorough and appropriate action is taken. Guests who have received suspicious emails should contact their booking provider immediately and not respond to these emails."

Since the fraud, has made changes so data can only be accessed from a computer linked to the hotel's server.

Its teams have also worked to "take down" dozens of phishing sites, as well as working with some banks to freeze the money mule bank accounts.

Money Box is broadcast on Saturdays at 12:00 BST on BBC Radio 4 and repeated on Sundays at 21:00 BST. You can listen again via the BBC iPlayer or by downloading Money Box podcast.

More on this story

Related Internet Links

The BBC is not responsible for the content of external sites.