An email through official Booking.com channels or a months-long friendship with a chatbot. Forget Nigerian princes and ugly bills. 'The level of online fraudsters is higher than ever': Two cybersecurity experts walk us through the dangers of phishing in 2024.
Imagine: You are planning a trip to New York and you have booked a hotel through the popular Booking.com platform. One day, you're chatting via the app with the hotel desk about your breakfast formula, and the next you suddenly receive a request to re-enter your credit card details. And within twelve hours too, because your departure is just around the corner.
This tight deadline sets off a lot of alarm bells, but unfortunately not the right ones. After all, this is the official app, and above all, you don't want to be looking for a new hotel a week before departure. Thus, you click on the link in the last message. Only when you receive a letter from your bank do you realize that you have been scammed.
The above is a true story, and unfortunately one shared by thousands of Booking customers around the world. “But you shouldn't be ashamed of it,” ethical hacker Inti De Ceukelaire tells us. “This is a really far-reaching form of phishing, which I could also fall for. The barrier to online scammers is higher than ever.”
“Think of it as a kind of ‘abuse software,’ i.e. software that works as intended, but in a way that could be misleading to the user,” explains De Ceukelaire. “In this case, we see that the message comes from Booking and we also expect payment, so it is recognizable and should be secure.”
“Booking.com vehemently denies it, but it cannot be disproved that a hack occurred somewhere,” says Eddie Willems, a cybersecurity expert. “Hotels also have to log in to Booking, so there could be a breach at that level. This gives hackers access to information, such as your arrival times, and they can build on those details via official communication channels, with all the consequences that entails.”
The question then remains: How can I best protect myself from this as a user? “Whether it is Booking or another intermediary platform like 2dehands, it is important to remember that you are a customer of the platform and not of the hotel or vendor. So, if a hotel says the payment didn't go through, they should inform Booking, not you.” The urgency of such a message, like a 12-hour deadline, should always serve as a warning, Willems adds. “If it's really urgent, it's best to contact the hotel directly.”
Another phishing trend warned about this week is “quishing”: a practice in which scammers distribute QR codes with malicious URLs hidden behind them. For example, FPS Economy warns of invoices that appear to come from official entities and urge victims to pay via QR code, which then leads to phishing sites.
“Hackers have noticed for some time that external links are often blocked by our mailboxes,” says the ethical hacker. “So they are now resorting to images in the email, which contain a QR code.”
In addition, we're also less vigilant when using our smartphones than we are on our computers, both experts point out. “It's one of my biggest pet peeves,” Willems sighs. “Even when I lecture to audiences actively engaged in cybersecurity, I notice that less than one in ten have a Norton-like security package on their smartphone. On our computers, we find this quite normal.”
De Ceukelaire and Willems both stress that we should be more critical of links on smartphones. “When you view a QR code with your smartphone camera, you first see a preview of the link. But even if you accidentally go to the primary website, it's not immediately dangerous, as long as you don't share payment details, for example.”
“But the best advice is that there are always alternatives to QR codes,” says Willems. “If you don't feel comfortable with a QR code in a restaurant, for example, you can always order from the menu. QR codes are almost always optional.”
Artificial intelligence friendships
Just as friendship fraud has been around for a long time, there's now an AI-powered version of it. “In the past, the person with bad intentions had to sit on the other side of the screen,” De Ceukelaire says. “They would then translate your messages via Google Translate and then respond to them – often imperfectly.”
He warns that we have now taken another step forward. “We now have to beware of friendship fraud where there is no one on the other side of the screen. People, often the most vulnerable, sit there and talk to robots programmed to take their time and slowly gain trust so the victim can donate money.”
According to the ethical hacker, this will be “the new gold of phishing.” Since AI bots are not difficult to set up, compared to the past, a criminal can talk to many victims at the same time.
The technology used in this modern friendship scam is changing, but the advice is not, says De Ceukelaire: “I still recommend talking to each other face to face. And yes, they could be deepfakes, but at the moment we don't see such large efforts being used against ordinary citizens.”