Basbaned-based IT professional Brett*, 54, and his wife Sally*, 47 were booking their once-in-a-lifetime Italy getaway, via the globally renowned Booking.com website.

While confirming details with one of the hotels which came through Booking.com’s built-in messaging feature, a message came from what appeared to be from the property Residence Villa Stella in Ortisei, Northern Italy.

The message included a link to an external site which requested a deposit to secure the booking, which Brett clicked on and entered his payment details.

Working in IT for 25 years, Brett became suspicious and quickly contacted the hotel, Booking.com, and their bank - but it was too late - the scammers had charged $2804.46 to their credit card.

“We trusted it because it came through the Booking.com messaging system on their site through which we’d already had legitimate communication with the hotel management,” Brett said.

“It looked normal and legitimate because it was actually the Booking.com system and comms platform. The payment gateway we ended up on also looked legitimate but we were rushing and doing a few things at once.”

Brett was victim to an increasingly common scam, where cybercriminals hack into the legitimate communication system of a hotel and send customers fraudulent messages.

He is still out of pocket and warned Aussie travellers to stay vigilant.

“We submitted 2 different attempts to get refunds from booking.com under a couple of different policies they have. One has been rejected, we’re still waiting on the other one…at the moment we’re still out roughly $2800,” Brett said.

“If you’re messaged by a provider through booking.com or any other travel aggregator don’t assume you’re actually speaking to who you think you are.”

A Booking.com spokesperson said they were looking into Brett’s case but confirmed that its systems have not been breached. But they are aware of accommodation partners being impacted by phishing attacks sent by professional criminals.

“The actual number of accommodations affected by this scam are a small fraction of those on our platform, and we continue to make significant investments to limit the impact on our customers and partners.

“We are also committed to proactively helping our accommodation partners and customers to stay protected.

“Should a customer have any concern about a payment message, we ask them to carefully check the payment policy details on their booking confirmation to be sure that the message is legitimate.

“Customers are also encouraged to report any suspicious messages to our 24/7 customer service team or by clicking on ‘report an issue’ which is included in the chat function.

“It is important to note that we would never ask a customer to share payment information via email, chat messages, text messages or phone.”

This comes amid a surge of travel scams in Australia - as cybercriminals search for new markets.

“The scammers are looking for new fertile ground,” McAfee APAC head Tyler McGee said.

“I think what we’ve seen is that they’re able to target younger prey with travel … they’ve found this new sort of green field for them, which is young people who are looking to travel.”

One in three Australians under 35 have already been scammed, according to McAfee research.

“I kind of look at the threat landscape, I would suggest that … where we’re vulnerable again is around shopping,” Mr McGee said.

“We’ve seen a number of brands that have had official websites, that then have had scammers build a fake website that looks like their website. People have purchased products from that thinking it’s the official website, and it’s in fact a scammer.”

Australians can protect themselves better by following a few ground rules, Mr McGee said.

“So first is to listen for inconsistencies. You’ve got to pay attention to … the language that’s being used and kind of how they’re presenting themselves,” he said.

“More importantly, just the offer itself, right? If it’s too good to be true, it probably is.

“Secondly, verify whatever is being told … in that email dialogue or text message they’ve sent you.”

Mr McGee also warned holidaygoers to stay aware of pressure tactics - limited time offers - and payments requested via wire transfer, crypto or gift cards.

*Brett and Sally’s surnames withheld

More Coverage

‘P****d as a fart’: How Calombaris lost $3m as he rebuilds his empire

Thomas Henry

‘Why didn’t you say sorry?’: Aussie witnesses Wimbledon blow-up

Justin Terranova, staff writers