Fake profiles on Facebook target holiday scam victims

Which? is warning scam victims and others seeking help on social media to beware of fraudsters posing as customer service agents.

Lurking on a Facebook support group for Booking.com customers, Which? found two dodgy profiles attempting to contact customers via email to provide help with their holiday booking. Last year, Which? warned of similar fake customer service accounts posing as Zara, Asos, Vinted, Evri and others. 

Which? has also noted an increase in scam reports to our Scam Sharer tool and Scam Action and Alerts Facebook group about dodgy messages impersonating hotels, asking customers to follow links or speak to the scammer to about their booking.

Read on to learn more about these types of scams and how you can spot and report them. 

Hotel reservation hijacking scam

Which? found a series of messages on Facebook reporting suspicious emails and texts claiming to be from their hotel. 

One Facebook user said that they received an email, which knew their holiday dates and asked them to confirm their holiday booking by following a link. They then received another email from their hotel telling them that the first email was a scam.

Another user mentioned receiving a WhatsApp message about a hotel booking which had their name, booking number, hotel name and holiday dates, and another spoke of receiving a similar message via text.

Others commented, stating that they received a suspicious call about a holiday booking and that they were emailed by their hotel saying that their data had been compromised.

These all appear to be targeted and personalised phishing attempts, similar to a spear-phishing scam where the fraudster has enough information about you to design a convincing scam where they can then glean further information from you or convince you to part with your cash. 

Fake customer service agents

In a scam support group on Facebook for Booking.com customers, Which? found two scam profiles masquerading as customer service agents, attempting to get customers to contact them for help.

In one post on the group, a member shared their experience about struggling to get a refund after a cancelled reservation.

Under the post, a scammer writes: ‘We are very sorry for the inconvenience kindly send a DM or SMS via our email for quick assistance thank you.’ The message includes an email address ending in 'gmail.com'. 

The fraudulent profiles left comments on several posts in the group posing as customer service representatives. Which? found the image used on one profile had been stolen from another social media account. 

Which? reported the profiles on Facebook and they were taken down. We also reported the fraudulent Gmail account to Google.

Which? contacted Meta about these profiles and it confirmed that it removed the accounts brought to its attention for violating its policies. It also told us that it doesn't allow the creation of profiles in order to deceive Meta users.

Many of the examples we found could constitute fraudulent content under the Online Safety Act. Online platforms - such as Meta and Google - have duties to prevent their users from encountering fraudulent content and to detect and remove it when it does appear on their platforms.

Despite fraudulent content continuing to appear on online platforms, the regulator Ofcom is yet to announce any enforcement action related to fraud under the Online Safety Act. 

Given that fraud now accounts for around 45% of all crime in England and Wales, Which? believes that the regulator should be taking online crime much more seriously.

What to do about hotel booking scams

Last month, customers of Booking.com received emails warning that names, email addresses, home addresses and phone numbers could have been compromised following 'unauthorised' access to their reservations. 

At the time, Booking.com told us: 'At Booking.com, we are dedicated to the security and data protection of our guests. We recently noticed some suspicious activity involving unauthorised third parties being able to access some of our guests’ booking information.

'Upon discovering the activity, we took action to contain the issue. We have updated the PIN number for these reservations and informed our guests.'

It is unclear whether the messages Which? found are related, but it is wise to always treat emails, text messages or calls asking you to follow links or provide further information with extreme caution. 

If you receive an email, message or call that claims to be from your holiday provider, you should verify details by logging into the account you have with them or by contacting them using trusted details taken from their website.

Avoid corresponding with profiles that claim to be from customer service agents on social media.

You can find out if your email and password have been compromised in a data breach by looking them up on the Have I Been Pwned website.

Report dodgy profiles on Facebook by selecting the three dots in the right corner and pressing ‘report.’

Scam emails can be reported by forwarding them to report@phishing.gov.uk and texts can be reported by forwarding them to 7726.

If you've lost money or spotted an unauthorised transaction on your account, contact your bank immediately using the phone number on the back of your card. Scams should also be reported to Report Fraud, or by calling the police on 101 if you live in Scotland.