What's happening?
Many of you may be unaware of a very sophisticated scam, initiated by fraudsters and using fake Booking.com emails to compromise your reception or admin PC's.
It starts with a seemingly "urgent" email, which appears to come from Booking.com and requires immediate attention. It might be about a guest's stay or payment, or something related to your property listing on the platform.
Clicking the link would take a staff member down a route involving various steps that install a "Remote Access Trojan", ultimately providing a hacker access to everything on the infected PC. That's all your emails, your usernames and passwords, even banking details.
What can you do?
Staff training. Make all staff who use your computers aware of this type of risk, and ensure that they:
- Never click links in emails unless these are part of a log-in process that they have initiated.
- Never download files from emails unless they were expecting them from a trusted source.
- Always log in to the online services you use from stored bookmarks in your browser, even if you get an email about something that appears legitimate asking you to log in.
Keep your IT up to date and protected. Hackers find security vulnerabilities in old operating systems. Older versions of Windows and MacOS no longer receive security patches, and the latest and most secure versions of the web browsers you use (Chrome, Edge, Firefox, Safari) won't run on them.
- Windows 11 is the only version currently supported by Microsoft.
- Windows 10, Windows 8 and Windows 7 are all vulnerable to being compromised.
- MacOS 26 Tahoe, 15 Sequoia and 14 Sonoma are the only ones supported by Apple.
- MacOS 13 Ventura, 12 Monterey and 11 Big Sur are not actively supported and receive little or no updates, making them vulnerable.
- The next major release of Caterbook features some updated security packages and, as a result, some of these older web browsers / operating systems will not work with Caterbook (less than 1% of the users in 2025.)
Ensure that your up to date operating systems are protected from threats.
- PC users should not have administrator level login privileges (this gives an attacker the ability to install programs and execute malicious code).
- Configure your PCs to automatically update to the latest versions (e.g., via Windows update).
- Install anti-virus software that includes malware protection, and schedule anti-virus scans to run at least weekly. (Windows defender is included with Windows 11.)
- Make sure all your passwords are strong and you use multi-factor authentication when logging in to services.
- Remove inactive staff user logins from Caterbook, or if you use shared accounts (which we strongly advise against), make sure you change the password when someone leaves.
"We can't afford a new PC" / "This won't happen to us" / "This is scaremongering"...
In the past 15 or so years, we have seen too many instances where hotels and pubs have fallen victim to exactly this kind of fraud for the reasons outlined above. In one case, a property was taken for over £50,000 of card fraud, and was liable to the card issuers for the loss.
In 2025, two of our properties had their Booking.com accounts compromised due to a weak email password from a 'free' web-based email service (e.g., hotmail, gmail), where anyone could access the login screen as an entry point. Booking.com guests were then sent malicious links to 'revalidate their card details' and these were captured on the scammers fake Booking.com site and used for fraud.
It might not happen to you, but history tells us that, unfortunately, it is likely to happen to someone.