Scammers Use Generative AI in Phishing Campaigns on Travel Website ‘Booking.com’

• Travelers and hosts on the famous Booking service are being targeted by scammers.
• The crooks use generative AI tools for credibility and rely on the good nature of hospitality to trick property owners.
• They can also create fake properties in phishing campaigns to lure people who are looking for a nice vacation.

Generative AI tools enable scammers to work in many languages using proper grammar to send malware-ridden messages to hosts and even create fake properties to collect sensitive user data, said Marnie Wilking, Chief Information Security Officer at Booking.com, during the 2024 Collision technology conference in Toronto.

A worrying rise in online scams using generative AI was observed shortly after free online tools like ChatGPT were launched. Phishing attacks, in particular, increased “anywhere from 500 to 900%” over the course of the last 18 months across all industries worldwide.

These attacks are now targeting the hospitality industry, as crooks rely on AI to mimic authentic emails directed at both travelers and property owners.

Cybercriminals can use travel websites for phishing scams due to their nature of asking for credit card information, family details, or personal identification documents. Also, a hotel owner is prone to opening the attachment of a message that could be malware in order to help a supposed guest.

Wilking said Booking and other big companies started cooperating while increasingly relying on AI models to stop scammers from posting bogus stays on trusted platforms, preventing and removing the addition of properties that have suspiciously low prices compared to the market standard of the advertised area.

Also mentioned during the conference was the fact that travel sites have seen the rise of suspected state actors, reportedly from Russia and China, “trying to cause online mischief or snoop on customers.”

Phishing and credential stealing can be avoided by using two-factor authentication (2FA) with Booking accounts and any other account. Needless to say, people should not click on anything that looks suspicious and should call the property, hosts, or customer support instead.