Warning: email scammers are targeting holiday rentals

We have been alerted by a self-catering owner about a phishing scam that you should be aware of.

What’s the scam?

The scammers hacked into the owner’s business email account and altered their filters and forwarding settings:

  • They made sure that emails from certain people (potential guests the owner had already been corresponding with) were diverted into the owner’s Trash folder rather than their Inbox. The owner was therefore unaware that enquiries were coming in from these people, as all emails from their “diverted” correspondents ended up in the Trash folder, from where they were quickly deleted. Before the emails were deleted, however, the hackers intercepted and answered the enquiries, pretending to be the legitimate owner.
  • The hackers sent quotes out to guests, posing as the real owner. They copied the style and tone of the owner’s response emails when they replied to guests. However, they removed the payment links from the emails and instead asked guests to pay their money by bank transfer into a Polish bank account. Guests were asked to pay the full amount to secure the booking, rather than just the deposit, contrary to the real owner’s policy.
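
A check for the two changes described above (per-sender rules that route mail to Trash, and forwarding to an outside address), as an added example that is not part of the original notice. The rule layout, field names and addresses are constructed, provider-neutral assumptions, so real mailbox rules would first need to be exported into this shape.

```python
# Added example: audit mailbox rules for the tampering pattern described above.
# Assumption: rules are dicts with "id", "from", "actions" and "forward_to";
# this is a constructed layout, not any mail provider's real export format.

HIDE_ACTIONS = {"trash", "delete", "archive", "mark_read"}
OWN_DOMAINS = {"example-cottages.test"}  # constructed: the business's own domain

SAMPLE_RULES = [  # constructed sample data
    {"id": "r1", "from": ["@supplier.example"], "actions": ["label"]},
    {"id": "r2", "from": ["guest.one@mail.example"], "actions": ["trash"]},
    {"id": "r3", "from": [], "actions": [], "forward_to": ["copy@other.example"]},
    {"id": "r4", "from": [], "actions": [],
     "forward_to": ["bookings@example-cottages.test"]},
]


def _domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_rules(rules, own_domains):
    """Return (rule_id, reason) pairs for rules that hide or leak mail."""
    findings = []
    for rule in rules:
        rid = rule["id"]
        senders = [s.strip().lower() for s in rule.get("from", [])]
        actions = {a.lower() for a in rule.get("actions", [])}
        # Individual correspondents (local@domain) removed from the Inbox:
        # the pattern used to hide guest enquiries from the owner.
        people = [s for s in senders if "@" in s and not s.startswith("@")]
        hidden = sorted(actions & HIDE_ACTIONS)
        if people and hidden:
            findings.append(
                (rid, f"hides mail from {', '.join(people)} via {', '.join(hidden)}"))
        # Copies of mail sent to an address outside the business's own domains.
        for target in rule.get("forward_to", []):
            if _domain(target) not in own_domains:
                findings.append((rid, f"forwards to external address {target}"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_rules(SAMPLE_RULES, OWN_DOMAINS):
        print(f"REVIEW {rule_id}: {reason}")
```

Every flagged rule is a prompt for manual review: any rule the owner does not recognise should be removed and the account password changed.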

How did the owner discover the scam?

The owner found out about the scam purely by chance:

  • A guest from one of the fake bookings contacted the real owner with a couple of questions about the property. This guest wasn’t the person who had placed the fake booking and, therefore, emails from her address hadn’t been diverted by the hackers, so her message reached the real owner. As soon as the owner saw it, they called the guest and, eventually, they all worked out what had happened.
  • Shortly after this, the owner received two separate phone calls from astute guests asking, “Do you really want us to pay money into this Polish bank account?”, for bookings the owner had absolutely no knowledge of.

The police are now involved and investigating. They have identified 60 names and email addresses that had been targeted. The owner has now contacted them all: some of them were just about to pay but had been put off by having to pay by bank transfer; some said they were just about to pay before the real owner contacted them and alerted them to what had happened; and two guests had already paid and, essentially, lost their money.

How can you protect your business?

One of the main things you can do is make sure your passwords are strong and secure. Use a different password for each login you have. If you find it difficult to remember passwords, password managers like LastPass or 1Password can help you. They store and remember your passwords for you, and they’ll prompt you to change weak or duplicate passwords to further increase your security.