After booking a stay at Amara Singapore on Booking.com, a guest received a phishing email via the platform's messaging centre, signed off by someone claiming to be a hotel staff member.
Under the guise of completing his registration, the guest was redirected to a webpage that solicited his credit card information, and was subsequently charged an extra S$9,000.
He is not the only one affected.
Amara Singapore told Mothership that they have been notified of fraudulent messages that were sent via two booking platforms.
Mothership also received a tip-off from another guest who encountered a similar fraudulent email from Booking.com's messaging centre after she booked a stay at Oasia Hotel Downtown.
Followed a weblink in an email from 'Roza'
S, the guest who booked a stay at Amara Singapore, told Mothership that he had booked a staycation to celebrate his 35th birthday.
He had also made the full payment of S$3,000 for the reservation in advance, via Booking.com.
On Sep. 9, S received an email via the booking platform's messaging centre.
It was signed off by one "Roza Zukauskiene", claiming to be an Amara Singapore staff member.
Roza identified herself as the senior property manager of Amara Singapore.
Roza's email also instructed S to click a link to "complete his registration", prior to his stay at the hotel.
Directed to webpage that looked "legitimate"
When S clicked the link, he was directed to a website bearing Amara Singapore's name and logo.
As such, he admitted that it looked "legitimate".
The page required S to provide his personal details, fill in his credit card information, and make a security deposit.
S said that he contacted Booking.com to enquire about the message and the platform told him that it was a genuine message that came from the hotel.
S understood that he had to provide his credit card details as an assurance in case there were incidental charges incurred during his stay.
He complied with the instructions on the page.
Credit card charged additional S$9,000
The next day, S received an SMS notification informing him that S$9,000 had been charged to his credit card.
This was in addition to the S$3,000 that S had already paid for the stay at Amara Singapore.
The S$9,000 charge was made on Sep. 9, the same day he accessed the link in Roza's email.
Bounced between Booking.com and Amara Singapore
Suspicions raised, S immediately contacted Booking.com to report the phishing email.
However, the platform directed him to Amara Singapore, reiterating that the message originated from the hotel.
When he approached Amara Singapore, S was told that his reservation was "secure" and his personal information remained "confidential".
More perplexingly, the hotel advised him to reach out to Booking.com regarding the phishing email.
It was also from Amara Singapore's reply that S found out he wasn't the only customer affected by the phishing scam.
The hotel said that some of its guests had received suspicious emails claiming to be from "online travel agencies" and requesting payment details.
S: "Scammers are getting more creative"
S suspects that some data breach led to the incident.
He is also in talks with the hotel regarding compensation for the unauthorised charge.
S said that he had heard of phishing scams before, but theorised that scammers could be adjusting their tactics to con would-be travellers.
"In the past we heard of scams on banks, or government websites. Now that the travel borders are open, the scammers are getting more creative by targeting travel bookings," he said.
He also said that the whole experience was "sickening" and hoped to raise awareness by sharing his story.
Fraudulent messages sent via Booking.com to guests from another hotel
Amara Singapore is not the only Singapore hotel affected by the spate of phishing scams.
A reader tipped us off to a similar case that was unfolding at Oasia Hotel Downtown.
Mothership understands that guests of the hotel have received fraudulent messages sent via Booking.com's messaging centre.
Based on messages seen by Mothership, the hotel has been warning guests not to click on suspicious links in messages sent via the platform.
Oasia Hotel Downtown told its guests that Booking.com's chat box has been "compromised". It also said that it was working closely with the Booking.com team to resolve the matter.
"Our system was not compromised": Amara Singapore
Both Amara Singapore and Booking.com denied that their systems were compromised.
A spokesperson from Amara Singapore told Mothership that it received reports from members of the public about suspicious links sent via the messaging centres of two online booking platforms.
It did not specify which platforms were affected.
"Once alerted, we immediately informed the booking platforms on these fraudulent emails sent and have confirmed that our system was not compromised," the spokesperson added.
The spokesperson further noted that all guests with bookings made via the two booking platforms were alerted to the case of the phishing emails and advised not to click on any suspicious links.
"Security breach not on our platform": Booking.com
Meanwhile, a spokesperson from Booking.com also told Mothership that the security breach did not occur on the platform.
The spokesperson said that the accounts of some of its accommodation partners were affected, but stressed that "at no point there was a vulnerability in the Booking.com system that allowed a fraudulent third party to obtain information".
The spokesperson added that the platform has teams who regularly review its security measures to protect the accounts of customers and accommodation partners.
So what exactly happened?
Mothership understands that a hacker can book a fraudulent hotel reservation on Booking.com, use the reservation to communicate with the hotel, and from there, impersonate the hotel and contact guests.
We have reached out to Amara Singapore to find out if this was what happened.
Both S and Amara Singapore have lodged a police report on the matter.
Top image from Amara Singapore on Google / screenshot courtesy of S.