Eurovision phishing scam targets fans heading to Liverpool
But those lucky enough to get tickets are now facing another technological headache: targeted phishing attacks.
Those with hotel bookings in Liverpool have been targeted via cybercriminals on WhatsApp, posing as hotel staff trying to obtain personal or payment details. The threat of a cancelled booking is implied if the victims fail to co-operate.
While it’s not unheard of for hotels to contact visitors via WhatsApp, the high-pressure approach and threat of cancellation is a hallmark of a typical social-engineering scam.
“When contacted outside of official platforms, scammers can take advantage of not being policed,” Jake Moore, global security advisor at cybersecurity firm ESET, tells The Standard. “Fraudsters often take communication outside of the usual channels to circumnavigate any warnings that may be in place to spot potential fraudulent activity.
“As WhatsApp is not policed by Booking.com or even Meta, criminals are able to cleverly manipulate people in what could look like an official form of communication,” he continued. “It is, therefore, advisable to keep all communication to known and trusted channels and never to part with any money outside of the official methods.”
It’s not clear how contact details for those being targeted have leaked, but Booking.com claims that this is not down to a data breach on its end, and instead a phishing attack on some of the hotels it works with.
“Unfortunately some of our accommodation partners were recently targeted by phishing emails, which in some cases led to their accounts with us being affected,” a spokesperson for the site told The Standard.
“While this was not a security breach of Booking.com’s system or platform, these accounts were quickly locked to help reduce any further risk and we have been actively supporting our partners, as well as any potentially impacted customers.”
The site says that its customer support team is available 24/7, and reminds users that “as a rule, no legitimate transaction will ever require a customer to provide their credit card details by phone, text message, or email.”
Whoever is at fault, the impact is deeply unpleasant for those targeted, whether they end up out of pocket or not.
Indeed, the BBC spoke to one victim of the scam who was so soured by the experience that he decided not to make the trip to Liverpool in the end — despite being a Eurovision fan for 30 years.
“I felt really stupid because I’ve never been close to being scammed,” Marc Deruelle, who had a fraudulent £800 transfer cancelled, told the site. “It just took the enjoyment out of it and I don’t want to go any more because they’ll know all my details and know I’m away from home, so I cancelled it.”