Pay attention or pay the price. That’s the bottom line on an online hotel-booking scam that’s recently caught the attention of a U.S. senator who has asked the Federal Trade Commission to look into these insidious schemes.
This isn’t a new hoax, but it has recently come to the attention of Sen. Chuck Grassley (R-Iowa), who has expressed his concerns in a letter to the FTC. In it, he noted that duplicitous third-party booking sites, which dress themselves up to look like legitimate sites, get people to book.
If they get rooms — and they often don’t — consumers who arrive at the hotels may not have the amenities they requested or, worse, necessities such as a handicapped-accessible facilities.
And, most critically, their payment details may have been exposed.
The FTC could not provide me with information on what steps it might take to address the concerns Grassley outlined.
But the issue represents a huge threat to the consumer.
“In North America, about 480 hotel bookings are made online every minute,” said Maryam Cope, vice president of governmental affairs at the American Hotel & Lodging Assn., whose figures show that about 2.5 million bookings a year may be affected.
The scam involves many variations on “phishing,” designed to get you to divulge personal information. Most familiar is the email that tells you about a great deal on hotel rooms. All you have to do is click a link. (Don’t.)
Or you might search for “hotel rooms in XYZ City” and up pops a site that looks like the site of a chain you know and trust — but it isn’t that site. You’re busy so you don’t notice that something is not quite right. (Are there extra words in the URL? A legitimate site is usually ItsName.com.)
Or a hot tip could come through social media. “It’s taking advantage of trust,” said Scott Olson, vice president of product for Iovation, a device-based fraud intelligence company. (Would your friend recommend a hotel chain? Really? Think about getting more interesting friends.)
The crooks are becoming increasingly sophisticated, tech and travel experts say.
“It’s easy for someone to ‘skin’ another company’s website to create a phishing website,” said Henry Harteveldt, founder of Atmosphere Research and a travel analyst. The bad guys are “basically taking the look and feel and copying, in some cases with an alarming amount of accuracy.” But, he added, there’s “no real content, no real functionality.... All [the site is] doing is capturing your personal information.”
These phony sites are especially hard to detect on mobile devices, whether smartphone or tablet, on which the type tends to be smaller or harder to read. Thus you may not notice that there’s something fishy about the URL, which may include another name along with the legitimate hotel name.
That’s alarming because mobile represents about a quarter of travel bookings, said Umar Riaz, managing director of the hospitality and travel services practice at Accenture, a management consulting firm.
One saving grace, Riaz said: You’re more apt to use a legitimate app on mobile.
Even if you’re among the people who use a PC or desktop to book travel, you may not be accustomed to looking at sites closely. Here are some clues that the site is a scam:
Spelling, punctuation or grammatical errors.
Missing a “lock” in the left side of the address bar. “Ensure that the website you are visiting supports ‘https’ when booking hotels, shopping or entering any type of personal information,” said Ondrej Krehel, chief technical officer and founder of LIFARS, a cybersecurity intelligence firm based in New York City. You’ll know you are connected by https if you see a lock in the URL bar of your Web browser.
Unfamiliarity. You don’t recognize the site or you haven’t done business with it. About 30% of users will use a search engine asking for “hotels in San Francisco,” for instance. That can be dangerous, Riaz said, because it opens you up to a fake site. Better to go through an established hotel site such as https://www.marriott.com or use an online travel agency such as Expedia or Travelocity, or an aggregator such as Kayak or Hotels.com.
Too good to be true. Be especially wary if the fabulous offer arrives in your email. If you’re offered the Four Seasons Maui for $200 a night, hit delete. (I checked random dates in July for that property in Wailea and it starts at $639 a night, its for-real website said.)
Also be afraid if the email uses an odd salutation. (I just found an email in my spam folder that begins, “Good day to you.” Besides the fact that no one talks that way anymore, it also was purportedly from Jack Lew, who wants to send me $10 million. He probably has more important things to do in running the Treasury Department than to notify me of this inheritance.)
A button that gives you a phone number (or, on mobile, connects you) to the “hotel.” If you decide to call, ascertain whether it’s legitimate by asking lots of questions. For instance, how many rooms does the hotel have? How far is it from the airport? What shopping is nearby — ask for names of retailers. What are some restaurants not in the hotel?
If the person falters, hang up. Use a legitimate telephone number-finding website (I like WhitePages.com, which has a business category) and call that number and ask the same questions. Booking by phone is increasingly uncommon, in part because you may miss legitimate specials, so be sure to ask about Internet rates and then get the real URL.
If all of this has made you queasy, try a travel agent. We have become used to doing it ourselves, but an agent generally isn’t going to fall for a fake website. And an agent may be able to get you extra value — a room upgrade or a free breakfast. (That’s not too good to be true; that’s just good business.)
Finally, trust your intuition. Cope, of the hotel association, said that many people who were taken in by fake sites thought something was off but ignored that nagging voice in their head. But in this case, pay attention. The price of failing to do so may be much more expensive than a hotel room.
Have a travel dilemma? Write to firstname.lastname@example.org. We regret we cannot answer every inquiry.