Bank details swindled from Booking.com customer in realistic refund scam
- Replies 0
Tina Nixon's holiday went from bad to worse after she requested a refund from travel website Booking.com.
Within 15 minutes of making the request via email, Ms Nixon was called by an apologetic man, promising her money would be returned.
In a whirlwind of rushed instructions, she handed over the details of her travel bank account containing thousands of dollars.
Ms Nixon and her husband realised it was a scam before any large amount of money was lost, but she remains suspicious about how the operation gained access to her phone number.
The pair had travelled to Western Australia from New Zealand for a holiday in October and used Booking.com to book two nights at a large holiday house in a popular tourist spot, Jurien Bay.
Disappointed with the "unsavoury" experience and unable to contact the owner, Ms Nixon emailed Booking.com's customer service inbox requesting a refund.
Not long after sending the email, Ms Nixon received a call on the messaging app WhatsApp.
"Booking.com said someone would contact me, so I wasn't surprised when I got contacted, but it was quite fast," she said.
A professional-sounding male voice was on the other end of the call, apologising to Ms Nixon for her sub-par accommodation.
"I thought, 'He sounds pretty decent,'" Ms Nixon said.
On the man's request, Ms Nixon filled out a form that asked for her credit card details, including the CVC security code.
The man then requested she use a third-party platform to provide personal information, claiming her identity had to be verified for "anti-money laundering reasons".
"That doesn't surprise me because that happens a lot in New Zealand," she explained.
"In this age, you get so used to different platforms that you just don't think twice."
Fortunately, Ms Nixon's husband raised doubts about the man's credibility and the couple discovered through her banking app that the account she had provided the details for had already been "pinged" multiple times by the identity verification app.
Ms Nixon immediately froze her card and moved most of her money to another account.
When she temporarily unfroze the card the next day, she was charged $11 by Uber Eats in Kenya.
"I could've lost thousands very quickly," she said.
"They talk really, really fast, and I think this is where they get a lot of older people," she said.
"They're constantly reassuring you that everything's right, and you're thinking you're going to get your $500 back as a refund."
Additionally, Ms Nixon said the phone call appeared to originate from England, where the company has an office.
A spokesperson for Booking.com said it would never ask customers to provide credit card details through text, messaging apps or email, and that it would only request payments via its own platform.
"Should a customer have any concern about a payment message, we ask them to carefully check the payment policy details on their booking confirmation to be sure that any message is legitimate," they said.
However, Ms Nixon remains suspicious that there could have been a data breach on the travel website.
"I haven't quite finished working out how they knew exactly how to contact me," she said.
"I want to know, is my information out there as a result of a previous hack?"
Booking.com did not answer questions about whether there had been any breaches in its security and how it would respond.
The regulatory body for data leaks from Booking.com is the Dutch data protection authority.
The authority said Booking.com had reported several data breaches in the past.
Nearly 25,000 phishing scams have been reported to Scamwatch in 2025 to date, with the most common demographic of people reporting scams aged 65 years and over.
A National Anti-Scam Centre spokesperson urged people to never provide personal, credit card or online account details after receiving a call claiming to be from their bank or any other organisation.
"Ask for their name and contact number and make an independent check with the organisation in question before calling back," they advised.
Written by Brianna Melville, ABC News.
Within 15 minutes of making the request via email, Ms Nixon was called by an apologetic man, promising her money would be returned.
In a whirlwind of rushed instructions, she handed over the details of her travel bank account containing thousands of dollars.
Ms Nixon and her husband realised it was a scam before any large amount of money was lost, but she remains suspicious about how the operation gained access to her phone number.
The pair had travelled to Western Australia from New Zealand for a holiday in October and used Booking.com to book two nights at a large holiday house in a popular tourist spot, Jurien Bay.
Tina and David Nixon realised they were being subjected to a phishing scam before they lost money. (Supplied: Tina Nixon)
Accommodation was 'unsavoury'
On arrival, she said it was clear the house had not been cleaned after the previous visitors, some amenities were faulty, and the promised hot tub was nowhere in sight.Disappointed with the "unsavoury" experience and unable to contact the owner, Ms Nixon emailed Booking.com's customer service inbox requesting a refund.
Not long after sending the email, Ms Nixon received a call on the messaging app WhatsApp.
"Booking.com said someone would contact me, so I wasn't surprised when I got contacted, but it was quite fast," she said.
A professional-sounding male voice was on the other end of the call, apologising to Ms Nixon for her sub-par accommodation.
"I thought, 'He sounds pretty decent,'" Ms Nixon said.
A scammer contacted Ms Nixon by WhatsApp and asked for personal information. (Supplied: Tina Nixon)
On the man's request, Ms Nixon filled out a form that asked for her credit card details, including the CVC security code.
The man then requested she use a third-party platform to provide personal information, claiming her identity had to be verified for "anti-money laundering reasons".
"That doesn't surprise me because that happens a lot in New Zealand," she explained.
"In this age, you get so used to different platforms that you just don't think twice."
Fortunately, Ms Nixon's husband raised doubts about the man's credibility and the couple discovered through her banking app that the account she had provided the details for had already been "pinged" multiple times by the identity verification app.
Ms Nixon immediately froze her card and moved most of her money to another account.
When she temporarily unfroze the card the next day, she was charged $11 by Uber Eats in Kenya.
"I could've lost thousands very quickly," she said.
Tactics for trust
The former journalist said she should have known better than to be tricked by the scammer, but there were several tactics at play."They talk really, really fast, and I think this is where they get a lot of older people," she said.
"They're constantly reassuring you that everything's right, and you're thinking you're going to get your $500 back as a refund."
Additionally, Ms Nixon said the phone call appeared to originate from England, where the company has an office.
Jurien Bay is a popular coastal destination in Western Australia. (ABC News: Chris Lewis)
Don't share details
Ms Nixon has since continued liaising with Booking.com via the customer service email and was fully refunded for her stay.A spokesperson for Booking.com said it would never ask customers to provide credit card details through text, messaging apps or email, and that it would only request payments via its own platform.
Part of the encounter with the scammer. (Supplied: Tina Nixon)
"Should a customer have any concern about a payment message, we ask them to carefully check the payment policy details on their booking confirmation to be sure that any message is legitimate," they said.
However, Ms Nixon remains suspicious that there could have been a data breach on the travel website.
"I haven't quite finished working out how they knew exactly how to contact me," she said.
"I want to know, is my information out there as a result of a previous hack?"
Booking.com did not answer questions about whether there had been any breaches in its security and how it would respond.
The regulatory body for data leaks from Booking.com is the Dutch data protection authority.
The authority said Booking.com had reported several data breaches in the past.
Phishing dollars climb
The National Anti-Scam Centre says "phishing," where scammers contact victims pretending to be from a legitimate business, has swindled victims of more than $17 million in Australia this year, nearly double last year's losses.Nearly 25,000 phishing scams have been reported to Scamwatch in 2025 to date, with the most common demographic of people reporting scams aged 65 years and over.
A National Anti-Scam Centre spokesperson urged people to never provide personal, credit card or online account details after receiving a call claiming to be from their bank or any other organisation.
"Ask for their name and contact number and make an independent check with the organisation in question before calling back," they advised.
Written by Brianna Melville, ABC News.
