We’re aware of an increasing number of scams targeting Booking.com this year alone, with one mentioned in The Times newspaper as recently as last Saturday.
One of our customers had the same happen to them earlier this year, and I know of another hotel with over 500 messages sent out to their guests from their booking.com extranet which unfortunately a small number of their guests fell for.
If you use Booking.com I urge you to review who has access to the extranet and ensure you’re also using MFA or 2FA as an additional layer of security on it. Are there old staff who still have access who no longer work at the hotel for instance?
And of course, it’s not just booking.com that criminals try to get access to, so if you’re using another booking engine check that too!
(The Times article can be found here https://www.thetimes.co.uk/article/my-card-details-were-stolen-in-a-booking-com-phishing-scam-what-can-i-do-fwf26txw8, and a quick Google search will show many more.)