Booking.com customers have been warned of a “well-designed scam” that has seen account details sold on the dark web.
Cybersecurity firm Secureworks said criminals are targeting the website’s partner hotels to steal user details.
They then send phishing emails to the customers, claiming their reservation will be cancelled if they do not provide payment information urgently.
Rafe Pilling, director of threat intelligence at Secureworks, said the tactic was seeing a “high success rate”, and Booking.com said it was aware some of its partners had been affected in recent months.
“While this breach was not on Booking.com, we understand the seriousness for those impacted, which is why our teams work diligently to support our partners in securing their systems as quickly as possible and helping any potentially impacted customers accordingly, including with recovering any lost funds,” it said.
The scam unfolds in two phases, starting with hotels themselves being targeted by scam emails.
These emails often claim to be from a guest who left valuable documents behind during their stay. The sender then follows up with an email directing the hotel to a Google Drive link purporting to show an image of the lost item.
The link actually contains malware called Vidar Infostealer, which allows the criminals to access the Booking.com account portal that people use to make their reservations.
From there, they can target the customers.
Look out for ‘sense of urgency’
In one case involving a hotel in Scotland, a receptionist was duped by a scam caller who claimed to want to book a room for herself and her child with serious allergies.
They said it would be easier to email a document outlining the child’s allergies to determine whether the hotel could accommodate them, and the attachment contained the malware.
It gathered details of all the hotel’s Booking.com customers and sent them fraudulent emails saying they had 24 hours to pay.
Jude McCorry, chief executive of Scotland’s Cyber and Fraud Centre, told Sky News it was a “well-designed scam” that less tech-savvy people would find “very difficult” to identify.
She said a “sense of urgency” in demanding money was often a tell-tale sign that something could be wrong.
Secureworks has found Booking.com credentials being sold on dark web forums for up to $2,000 (£1,576).
It said the scam was not an easy one to close down because it relies on Booking.com and its partner hotels having effective controls in place, as well as employees and customers recognising the threat.
The company has recommended that hotels make staff aware and teach them how to identify such attacks, while customers should use multifactor authentication to protect their accounts.
They should also question any emails or app messages requesting payment details, and contact Booking.com or the hotel directly if they have concerns.
Booking.com said online fraud was a “pressing issue across many sectors” and the company has made “significant investments to limit the impact of these ever-evolving tactics”.
“Due to the rigorous controls and the machine learning capabilities we employ, we are able to detect and block the overwhelming majority of suspicious activity before it impacts our partners or customers,” it added.
“We have also been sharing additional tips and updates with our partners about what they can do to protect themselves and their businesses, along with the latest information on malware and phishing so that they are as up-to-date as possible on the latest trends that we’re seeing.
“In terms of some practical steps that customers can take to remain safe online, we recommend vigilance and that people carefully check the payment policy details outlined in their booking confirmation.
“If a property or host appears to be asking for payment outside what’s listed on their confirmation, they should reach out to our customer service team for support.
“Also, it’s good to remember that no legitimate transaction will ever require a customer to provide their credit card details by phone, email, or text message (including WhatsApp).”
The UK will hand over sovereignty of the remote Chagos Islands to Mauritius after a decades-long dispute.
The deal to transfer the Indian Ocean archipelago to Mauritius includes the tropical atoll of Diego Garcia, home to a military base used by the UK and the US that plays a crucial role in the region’s stability and international security.
Under the agreement, the base will remain under UK and US jurisdiction for at least the next 99 years.
The UK government said that the treaty would “address wrongs of the past and demonstrate the commitment of both parties to support the welfare” of Chagossians – the native people of the islands.
Several leading Conservatives have called the decision “weak”, with former securities minister Tom Tugendhat saying it is a “shameful retreat undermining our security and leaving our allies exposed”.
Since 1971, only Diego Garcia has been allowed inhabitants – US military employees – after the UK expelled the Chagossians at the request of the US. Some moved to Mauritius and some have lived in the UK, in Crawley, West Sussex, since 2002.
About 89 Sri Lankan Tamil asylum seekers arrived on Diego Garcia in 2021 but the UK government has argued the refugee convention does not apply there so they remain in limbo.
Mauritius has been trying to claim the Chagos Islands back from the UK since the French handed them over in 1845.
A statement from the Mauritian and UK governments said Mauritius is now “free to implement a programme of resettlement” on the islands, other than Diego Garcia, and the UK will provide money and other support to Chagossians who had to leave.
The UK will also provide a “package of financial support” to Mauritius, including annual payments for the next 99 years and will provide funding for an infrastructure partnership.
Foreign Secretary David Lammy said: “This government inherited a situation where the long-term, secure operation of the Diego Garcia military base was under threat, with contested sovereignty and ongoing legal challenges.
“Today’s agreement secures this vital military base for the future.
“It will strengthen our role in safeguarding global security, shut down any possibility of the Indian Ocean being used as a dangerous illegal migration route to the UK, as well as guaranteeing our long-term relationship with Mauritius, a close Commonwealth partner.”
US President Joe Biden welcomed the move, saying: “I applaud the historic agreement.
“It is a clear demonstration that through diplomacy and partnership, countries can overcome long-standing historical challenges to reach peaceful and mutually beneficial outcomes.”
The agreement is subject to the finalisation of a treaty and supporting legal instruments, with both Mauritius and the UK committing to complete it “as quickly as possible”.
Police Scotland considered recording notorious double rapist Isla Bryson as a female on the sex offenders’ register, Sky News can reveal.
Bryson, who changed gender while waiting to stand trial, was last year jailed for eight years for raping two women in West Dunbartonshire and Glasgow while known as Adam Graham.
Scottish Prison Service (SPS) guidance at the time saw Bryson initially housed in segregation at Cornton Vale women’s prison near Stirling while awaiting sentencing.
The row occurred around the same time the Scottish parliament voted to make it easier for transgender people to change their legally recognised sex.
The controversial Gender Recognition Reform (Scotland) Bill was ultimately blocked from becoming law by the UK government, with Holyrood since dropping further legal action to contest the overruling.
It stated: “When this individual comes back into contact with Police Scotland it would likely be a public protection matter in the management of sex offenders.
“In this instance they may be recorded as a female with the name Isla Bryson however the trans history would be appropriate to be retained on relevant policing systems.”
The dossier describes the areas where Bryson could be recorded as female, including the crime database and sex offenders’ register.
A police source said this would mean the rapist would likely be treated and referred to as a woman.
A Police Scotland spokesperson said: “This report from 2023 set out proposals on potential future recording practices and standards in relation to sex and gender from a data analysis perspective.
“The chief constable addressed the matter of gender self-identification at the Scottish Police Authority board in September 2024, during which Police Scotland committed to a broader review.”
Claire (not her real name), a disabled mum in her 30s, never imagined she’d ever face criminal prosecution. But earlier this year, that’s what happened – for non-payment of her TV licence.
The stress took its toll on her mental and physical health.
“I don’t think I’m a criminal,” she says. “I have two kids I take to school every day, I try and pay my bills… I had to get anxiety tablets because I couldn’t sleep.”
As the BBC looks to broker a new funding deal with the government in the next three years, critics of the current licence fee model argue it is hard to justify how non-payment is still seen as serious enough to merit criminal prosecution.
The fee is currently a flat rate of £169.50 – poorest households pay as much as the richest.
Claire, who was fined £750 for non-payment, spoke to us anonymously about her experience of dealing with the fast-track system of processing cases.
The whole process, she says, was “terrifying”. At the time the enforcement officer knocked on her door, her partner had recently been jailed for domestic violence. He had previously taken control of her finances.
“All my money was in his account and I wasn’t getting access… from what I was aware he was paying the bills but it turned out he wasn’t,” she says.
The enforcement officer said he understood, Claire says. But a week later she received a letter to say she was going to be prosecuted.
Claire was told she would need paperwork to prove her situation, but didn’t have the money to send off for it. With 21 days to respond she felt she had to plead guilty or the costs might escalate.
“All you think is, ‘If I don’t pay this are they going to put me in prison?’.”
The licence fee has always been the BBC’s bread and butter – but given 500,000 households cancelled last year, there are questions over its sustainability. Other models such as Netflix, for example, successfully exist without needing the threat of prosecution.
Can the BBC still justify it?
Mary Marvel, head of policy at access-to-justice charity Law For Life, says “innocent people are feeling forced to plead otherwise” so their fine is reduced.
Under the Conservative government, various reviews looked into the pros and cons of decriminalising non-payment – ultimately concluding to keep the system as it is for now. Previously, the BBC said switching to a civil system would cost more than £1bn and lead to major cuts.
The Times newspaper recently claimed the current Labour government intends to scrap prosecutions over concerns women are being unfairly penalised. However, Sky News understands this is not the case.
Ahead of the BBC’s next charter review, all the government has officially said is that it isn’t ruling out making changes – and there will be consultation before making any decisions.
Almost three-quarters of 2023 prosecutions were women
Currently, the vast majority of prosecutions are dealt with via a system called the single justice procedure – a fast-track for relatively straightforward cases designed to fix the backlog of court delays.
Cases are processed by a single magistrate in private, and letters from defendants often go unread by prosecutors if an individual pleads guilty.
Almost 31,000 people were prosecuted for non-payment of the TV licence last year. Just over 73% were women.
Why the disparity? In 2023, a BBC review found that more than 60% of single-adult households are female, compared with less than 40% male. The review also found behavioural differences: women are more likely to be at home; more likely to open the door; and more likely to be the point of contact for bills and domestic admin.
Magistrates Association chief executive Tom Franklin says the TV Licensing authority should review pleas and mitigations before cases come before magistrates, giving an opportunity for them to be withdrawn if not in the public interest – “particularly for the most vulnerable in society”.
The government says the decision to prosecute “sits with TV Licensing”, but it is “keeping under review” its oversight and regulation of organisations using the single justice procedure.
A TV Licensing spokesperson said the authority would contact Claire and review the prosecution.
“We have the ability to overturn a conviction when provided with evidence that it was not in the public interest,” they said.
Significant reasons could include domestic violence, and mental and physical ill-health, the spokesperson said, adding that prosecution is always a “last resort”.
For now, Claire is incrementally using universal credit to pay back a fine she arguably shouldn’t have been prosecuted for in the first place.