Please sign in to post.

CC info intercepted when booking hotel by email

We ran into credit card scam recently when booking reservations directly with a RS recommended hotel in France. We emailed the hotel. They replied with confirmation of availability and asked for credit card information. We replied with that info in an email. We immediately got back another email from the hotel saying to cancel our credit card because we had responded to a fake email address. Of course, we did that.
It appears that some Internet trolls have been capturing emails sent to the hotel and replied to clients from a fake email address requesting the cc information. We responded to what appeared to be a genuine request from the hotel. Only because we copied the scam email message in a later message to the hotel did they catch this problem.
What do people do to prevent such a problem? In the older days we transmitted credit card information by sager FAX, but that's more difficult now. You could telephone the hotel directly. We have used email and this is the first time we have run into any a problem.
Any suggestions? Thanks.
(There have been similar discussions on this list – now closed. Several commenters said this problem was rare or nonexistent.)

Posted by
2509 posts

I usually send my cc information details in two emails to the hotel. I'm not sure I understand how this happened if your first email was to a genuine hotel email address. But it is something to be aware of when emailing hotels to be sure it is a correct address.
Did you have to cancel your credit card?

Posted by
5687 posts

Email is NOT secure. NEVER email your credit card info to anyone! Emails can be hacked on the other end; the hotel's computer might have malware on it that just sucks up any credit card numbers the hotel is processing on that computer.

Posted by
5687 posts

Many hotels offer some sort of secure booking system on their website. If they don't (if it's a small hotel or something) but they still want a credit card to secure, I'd call them and read it to them over the phone. See if they have WhatsApp (very popular in Europe) - and if you have a smart phone or tablet, install WhatsApp, sign up for it, and call them that way for free. Otherwise, you can call them for a few cents a minute with say Skype if they have a regular landline phone or something.

Posted by
27925 posts

Three years ago I booked a room at an inexpensive (but not tiny) hotel in Santander, Spain. Upon arrival I noticed a lot of fat binders shelved near the reception desk. I don't remember why it came up, but I subsequently discovered that my printed-out confirmation was in one of those binders, with the full credit card number shown. I don't remember whether the printout included the expiration date and/or the security code.

Posted by
9109 posts

I'd call them and read it to them over the phone

How is that any more secure? A dishonest employee can simply write down the CC number on a piece of paper and sell it to a criminal group. Even big companies with their big IT departments get CC details hacked.
At the end of the day there is no way of securely sending CC data, which is why you are protected from fraudulent activity. You just have to take a leap of faith.

Posted by
5315 posts

*What do people do to prevent such a problem? *

I use a credit card that allows me to generate single-use (virtual) credit card numbers. I can use these with any online purchase, foreign or domestic. Worst case, that one virtual card number is compromised. But the underlying number of my physical card is not and it does not have to be cancelled and replaced.

Posted by
5687 posts

How is that any more secure?

Because most likely, no one is listening in on a phone conversation recording credit card numbers?

Malware infecting a computer could intercept every key stroke and just send stolen credit card numbers back to the mother ship in Russia or wherever without the hotel even realizing it. Or if the hotel uses web-based email like Gmail, hackers could get into it without even being on the same continent as the hotel - and the hotel would be none the wiser. Doesn't require a "dishonest hotel employee."

A hotel employee keying in a credit card number over the phone into the hotel's secure credit card terminal would be a whole lot more secure than sending a credit card number in an unsecured email message.

Posted by
4535 posts

I know of people that have had their email accounts hacked. I got an email from a person's legitimate email address, and when I responded, another email asking for money. I noticed the reply email was a slightly different address. So it is very possible that the hotel's email was hacked and they just waited until there was an email exchange, and then emailed you from an account with a slightly different address.

Under that scenario, the ole "send the CC number in two emails" routine would be worthless (it always was frankly).

It would still be rare for this type of hacking to occur, but obviously does happen. You would be safest to call them directly and give it over the phone, but of course a hacked email could give you a phone number to call and scam you that way.

The reality is that if your card is compromised, you lose nothing other than some inconvenience. Do whatever seems best for you and always be alert to the emails you get. I'd be faaaar more worried about clicking an email link that then infected my computer than having my CC data stolen.

Posted by
97 posts

I was hesitant to send my CC info on an email while booking the pre-day in Haarlem. I asked the hotel how to work through this issue and they said either to call them or use booking.com. I used booking.com and booked the pre-day at the same rate I was quoted. Seems to me that they should have another solution which doesn't cost them money. They knew we were with the RS tour too.

Posted by
1588 posts

I recently sent credit card information in 3 emails to get a discount for an extra night before an RS tour. Instead of using the reply function, I sent fresh emails. I think calling would be less risky, but the time of day wasn't right. I was a little worried that the hotel would have trouble figuring out the information as it wasn't labeled, but I received a prompt confirmation. Life is risky, but not all life has the same protection as credit card fraud.

Posted by
3429 posts

A dishonest employee can simply write down the CC number on a piece of paper and sell it to a criminal group.

That is a possibility whenever you use a credit card.

Posted by
88 posts

Try Booking.com. They also allow you to cancel closer to the arrival date, if you need too.

Posted by
52 posts

We have switched to Booking.com unless the hotel provides a secure website. This sending CC info by email makes no sense anymore. If the hotel can’t be bothered to provide security for prospective guests, I’m headed elsewhere.