More than 100 hotels in Japan have fallen victim to email scams that try to steal customers’ credit card information using the popular reservation site Booking.com, a Kyodo News tally has found.
Some of the hotels said their customers lost money after the fraudsters stole their card details. The Japan Tourism Agency has instructed Booking.com Japan KK, the Japanese unit of the global portal, to conduct a full investigation.
Booking.com Japan declined to comment on the financial damage.
The phishing scams come as similar cases are reported worldwide, and Japan sees a return to booming tourism levels after Covid-19 border restrictions were lifted.
With the help of the anonymous cybersecurity specialist Piyokango, the Kyodo News count found that as of March 26, a total of 118 accommodation businesses in at least 21 prefectures had been affected since June last year.
The fraudsters send emails to Japanese hotels to access their Booking.com management system. The email contains a link, which infects a computer once clicked.
The hackers then steal the business’s Booking.com credentials to send fraudulent payment requests to customers with reservations, telling guests their stay will be cancelled without advance payment.
Customers are then directed to input their card details into a fake website.
In one case in August last year, a hotel became ensnared by the fraudsters when an employee clicked on a link of what the sender claimed was a list of a customer’s daughter’s food allergies.
An executive at the hotel said the imposters “exploited our desire to do our best to fulfill customers’ wishes”.
Similar scams were first confirmed in Europe in 2022, with incidents later spreading to hotels in the United States, Asia and Oceania.
Booking.com said last December that it does not ask customers to provide card details via chat or email.