Australians face surge in fake Booking.com scam attacks, experts warn

Australians are increasingly being targeted by sophisticated scams exploiting both consumer habits and vulnerabilities in supply chains, as revealed in new cybersecurity research and expert commentary shared for Scam Awareness Week. With the ongoing evolution of scam tactics, experts warn that individuals and organisations must adopt more proactive and analytic approaches to security to stay ahead of criminals.

The latest HP Threat Insights Report has sounded the alarm over a new wave of fake Booking.com websites designed to trick travellers into installing malware. According to Mark Graham, Senior Manager – Business Personal Systems at HP, these fraudulent websites use convincing replicas of the well-known booking platform. The main web page content appears blurred, and a deceptive cookie banner prompts users to click "Accept" in order to view the page. However, this single click sets in motion a download of malicious software.

Graham explained, "These sites use fake cookie banners to install malware with a single click. These techniques rely on user 'click fatigue' that comes from accepting or denying requests in cookie banners. These viruses install the malware into legitimate processes to gain remote control of other devices and steal data." The so-called 'XWorm' malware grants attackers full access to the device, including files, webcams, microphones, and security tools, making it challenging for victims to detect or remove the threat without advanced security solutions.

The research found that this particular campaign thrives during peak travel seasons, when individuals are most likely to let their guard down in the rush to book holiday deals. "By mimicking the look and feel of Booking.com at a time when holiday-goers are rushing to make travel plans, attackers don't need advanced techniques – just a well-timed prompt and the user's instinct to click," Graham said. HP's team identified at least three fake domains specifically created in February 2025 to exploit Australians, with more appearing as scammers perpetuate the campaign.

Consumers are urged to stay vigilant by closely inspecting website URLs for misspellings or suspicious domains, avoiding clicking on pop-ups or banners demanding immediate action, and always using trusted bookmarks or entering official addresses manually rather than relying on links from emails or search engines. "Book through official apps or reputable travel agencies, and ensure your security software is up to date," Graham advised.

Supply chains are also under threat, as highlighted by Alan Win, Founder and CEO of Middlebank Consulting Group. Win noted, "Scams targeting supply chains are becoming more sophisticated - from fake suppliers and falsified compliance data to hidden ownership links designed to evade detection." He emphasised that the traditional methods used for due diligence are insufficient against these advanced deceptions.

Win recommended the employment of Artificial Intelligence (AI) in procurement and supplier management practices. "AI can now surface red flags that manual checks often miss – including anomalies, inconsistencies, and subtle risk signals buried in fragmented data. But AI is only part of the solution. Organisations must embed ethical oversight, real-time monitoring, and proactive intelligence." Without such a holistic approach, organisations risk severe consequences ranging from financial fraud and operational disruption to lasting reputational damage.

On a broader security front, Shannon Davis, Principal AI Security Researcher at Splunk, stressed the importance of proactive threat intelligence in combating scams that are "no longer simple or easy to spot." Davis observed that the rapid evolution and adaptability of modern scams – often tailored to current events, technologies, and human behaviour – means that reactive defences are no longer enough.

"Proactive threat intelligence is key to managing this risk. By collecting and analysing data on emerging scams, organisations can detect patterns before they escalate, identify vulnerabilities in their systems, and act early to disrupt campaigns," Davis stated. He called for collaboration across security, fraud, and customer support teams, alongside ongoing education to help both staff and customers recognise and report suspicious activities.

Davis also highlighted the irreplaceable role of human analysts. "Proactive, human-driven threat hunting… provides the intuition, creativity, and context that technology alone cannot replicate." He argued that combining automated tools, AI, and human insight is essential for identifying hidden indicators of new scams and unusual patterns of behaviour before these threats fully develop.

The message from experts is clear: organisations and individuals alike must abandon purely reactive strategies and adopt layered, proactive approaches to security. As cybercriminals continue to exploit both technological and human weaknesses, vigilance, collaboration, and the intelligent use of both AI and human expertise are increasingly essential in the ongoing fight against scams.