If you recently booked a hotel or are planning to book one using Booking.com or Airbnb, you may become the target of an ongoing international scam. Scammers target unsuspecting holiday-makers and trip-takers with a very believable phishing campaign—but there are a few ways to spot this scam before you fall for it.
What Is Telekopye?
Telekopye is an automated scamming toolkit often called the “Swiss army knife of phishing.” It’s been used to steal millions of dollars across online marketplaces worldwide. According to ESET [PDF], attackers pose as buyers or sellers to dupe victims based mainly in Europe and North America. The toolkit automates the scam by generating phishing websites, SMS messages, and emails. It also has an interactive chatbot with automatic language translation, and DDoS protection for its phishing domains to ward off attacks by rival groups.
How the Telekopye Travel Booking Scam Works
In late 2024, Telekopye scamming groups pivoted to travel booking sites like Airbnb and Booking.com. Telekopye hackers buy credentials belonging to compromised accounts of legitimate hotels and use these to reach their targets. Instead of using the spray-and-pray approach, they target specific users: those who recently booked a stay but haven’t paid yet and those who recently booked.
Then, attackers reach out to targets via email, claiming an issue with their booking and threatening to cancel their reservation or put their funds on hold if no immediate action is taken. The email also includes a link that leads to a legitimate-looking phishing site. The site pre-populates some fields in the form using information from the target’s real booking, including check-in and check-out dates, price, and details about the destination, making the page seem more believable. The phishing site features a chatbot in the lower right corner, where messages are automatically translated. The chatbot guides the target through the process and further convinces them to rebook and provide their financial details.
After filling in the information on the first phishing site, victims are taken to the payment page, where their financial details are stolen.
How to Spot the Travel Booking Scam
Although the phishing site looks very similar to the legitimate page, the URL on the phishing site does not match the URL on the legitimate hotel or booking site. This is a telltale sign that the hackers have taken you outside the legitimate platform.
When they initially contact you via email, you’ll also notice that the message is from an address with a domain that doesn’t exactly match that of the platform or hotel. Be wary of grammatical errors, misspelled words, or sentences and phrases that don’t sound right. Requests to use unconventional payment methods are also a huge red flag.
Another telltale sign is the use of threatening and urgent language in their messages. Threatening to cancel your booking or put your funds on hold is meant to make you panic and create a sense of urgency, so you act quickly before thinking.
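The URL and sender-domain checks described above can be expressed as code. This is an added example, not part of the original article or of any platform's tooling; the allowlist and every `.example` host and address are constructed assumptions.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: example allowlist of the platforms' registrable domains.
OFFICIAL_DOMAINS = {"booking.com", "airbnb.com"}


def is_official_host(host):
    """True only for an official domain or a real subdomain of one."""
    host = (host or "").rstrip(".").lower()
    # "booking.com.confirm-stay.example" and "notbooking.com" both fail:
    # the official name must be the END of the host, on a label boundary.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def link_is_official(url):
    """Judge a link by the host it actually connects to."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops any "user@" prefix and the port, so
        # "https://booking.com@confirm-stay.example/" is judged by confirm-stay.example.
        return parts.scheme == "https" and is_official_host(parts.hostname)
    except ValueError:  # malformed URL
        return False


def sender_is_official(from_header):
    """Judge a From: header by the address domain, not the display name."""
    _, addr = parseaddr(from_header)
    return is_official_host(addr.rpartition("@")[2])


if __name__ == "__main__":
    # Constructed samples; the .example hosts are placeholders, not real indicators.
    for url in ("https://secure.booking.com/myreservations",
                "https://booking.com.confirm-stay.example/pay",
                "https://booking.com@confirm-stay.example/pay",
                "https://booking-com.example/verify"):
        print(f"{link_is_official(url)!s:5}  {url}")
    for sender in ('"Booking.com" <noreply@booking.com>',
                   '"Booking.com Support" <reservations@booking-com.example>'):
        print(f"{sender_is_official(sender)!s:5}  {sender}")
```

A passing sender check is not proof of authenticity: a From: header can be forged, and the scam described here is sent from compromised accounts of legitimate hotels, so the link check still matters.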
How to Protect Yourself
Protecting against the Telekopye booking scam is easy and takes just a few steps.
- Always verify the source of information. If you receive notifications about an issue with a booking, close the app or site and use another browser or the platform’s app to contact their official customer support team.
- Always check the URL, especially for sites that ask for your personally identifiable information (PII) and bank/credit card details. Other ways to check that the site is safe and legitimate include checking the domain age and owner.
- Install anti-malware on your computer. It will alert you once attackers take you to a phishing site.
- If you’ve given them your financial information before realizing that it’s a scam, call your bank immediately. They can put a hold on your accounts so hackers won’t be able to access your funds.
- Monitor your financial statements for suspicious transactions regularly.
- Use a stronger password and enable multifactor authentication (MFA) for your online bank accounts.
- If you’ve given hackers your PII, contact TransUnion, Experian, and Equifax to freeze your credit. This will prevent hackers from taking out loans or credit cards in your name.
Verifying the sender is vital here. This scam preys on creating panic surrounding a legitimate booking, so it can feel very believable. Taking just a moment to double-check the URL can keep you and your holiday safe.