Eurovision fans who have booked rooms for May’s song contest in Liverpool are having their data put at risk by scammers targeting hotel chains.
Booking.com confirmed to BBC News that “some accommodation partners had been targeted by phishing emails” but denied it had suffered a data security breach.
Customers are advised to speak directly to their hotels if they have concerns.
The travel company said “a number of accounts” had been affected by cyber-attacks which were “quickly locked”.
It claimed some businesses had “accidentally compromised their own internal systems by clicking on links contained in these messages”.
Booking.com said it had “actively been supporting our partners, as well as any potentially impacted customers” and continued “to make security and data protection a top priority”.
Marc Deruelle booked an apartment through the travel site, for himself and three friends to stay in Liverpool “for a pretty decent price” during the competition.
In early February he was contacted on WhatsApp by someone claiming to be a receptionist asking initially if he needed parking, and then claiming there was an issue with his payment, with a similar issue appearing on his Booking.com account.
“I thought this must be OK,” he tells BBC News. “I got a text message from my bank and I had a phone call from them and they said someone was trying to scam me out of my money.”
About £800 was being transferred to Uganda, but the transaction was cancelled.
“I felt really stupid because I’ve never been close to being scammed,” he says. “It just took the enjoyment out of it and I don’t want to go any more because they’ll know all my details and know I’m away from home, so I cancelled it.”
UKHospitality, which represents more than 700 companies, says it is always best to deal directly with hotels, rather than third-party booking platforms, if customers have concerns.
“Hotels will very rarely contact you on WhatsApp,” chief executive Kate Nicholls says. “For the first time you’ve got lots of young people in particular who won’t be usually booking and travelling to these events and [scammers] are exploiting those people who are vulnerable.”
Phishing scams like this are believed to stretch wider than Eurovision and the city of Liverpool.
Booking.com confirmed that no legitimate transaction would ever require a customer to provide credit card details by phone, text message or email.