Booking.com, a leading travel platform, has faced a surge in phishing and spear phishing attacks over the past two years.
These attacks have targeted both its partners and customers, particularly since the travel industry began to recover after the COVID-19 pandemic.
A January 2024 study by the Australian Competition and Consumer Commission (ACCC) reported a 580% surge in Booking.com scams in 2023.
With a 30-year career in security, Marnie Wilking became Booking’s Chief Security Officer (CSO) in 2023, driven by her desire to integrate security with business strategy. She aimed to bridge the gap between technical security measures and executive-level business discussions.
Wilking spoke to Infosecurity about the security challenges a marketplace like Booking.com faces, highlighting the complexities of protecting a global platform that serves millions of users and partners.
She emphasized the importance of proactive measures and continuous adaptation to evolving threats – and how AI can help security teams in this task.

Infosecurity Magazine: Given Booking’s global presence, how does your security strategy adapt to regional threats and regulatory requirements?
Marnie Wilking: As a global e-commerce company, we face threats and risks similar to those of any other e-commerce company.
Our global reach means our security strategy must align with the business strategy. So, my role as a CSO is not only to make sure that we are monitoring the threats and that we have detection and prevention techniques in place but also to look at the emerging threats to inform the decisions that the business will make in the near future.
For example, suppose Booking decides to launch a new service or start operating in a new country. In that case, my role is to oversee an analysis of the latest risks and regulatory requirements involved with this decision.
IM: What would you say are the biggest threats to Booking.com?
MW: The first specificity of Booking is that we are a marketplace, so we must deal with threats to both our accommodation partners that provide the hotel and apartment inventory and the consumers, the travelers.
Our second specificity is that on top of being an e-commerce company, we’re also a travel company.
Travel is an emotional activity. People save for a long time or try to plan a unique experience for family and friends when they book a trip, so attackers can create urgency around their victims’ travel plans, which allows them to get their information more easily.

IM: The travel industry was significantly impacted by COVID-19 but has since made a strong recovery. Has this rebound been accompanied by an increase in cyber threats?
MW: Yes, as the travel industry took off again after COVID-19, attackers realized that there was potential money to be made there, and the rate of phishing went up exponentially in the travel and hospitality industry.
The most significant uptick we have recently seen was around spear phishing – targeted phishing – to the travel and hospitality industry. By conducting those spear phishing campaigns, attackers can gather reservation information and then reach out directly to travelers to get personal information, mainly credit card information, as they can't get it on the system.
They send you efficient phishing emails, WhatsApp messages, or texts, urging the customers to click somewhere to secure their reservation or sending messages to the accommodation partners themselves, posing as customers experiencing issues.
There were some very specific types of attacks initially, but then they really broadened, and attackers started using generative AI tools, making those campaigns harder to detect.
This surge caused us to review the prevention, detection, protection and response measures, as we continuously do.
IM: Many of the threats Booking.com faces actually target other entities like accommodation partners and consumers via phishing and brand impersonation. How do you handle these external threats?
MW: We're blocking a lot of the things on our platform that are going to partners. However, we can't block the things that are coming at them from outside our platform.
When we noticed a surge in phishing and spear phishing, we started sharing awareness messages and more information about these threats with the partners.
We're continuously updating the information that goes out to the partners, warning them about ongoing scams and phishing campaigns, making them aware of where they click, and enticing them to use two-factor authentication (2FA). Now, we actually require 2FA for all of our partners.
We use a platform called The Partner Hub as a channel through which our communication with the partners goes. There, we've put a lot of phishing prevention and fake reservation prevention techniques in place. There are also a number of internally facing partner channels that we have that are closed. Finally, if there's something really urgent with a specific partner or a handful of partners, we will reach out to them directly.
"We use [AI] for user behavior detection, risk-based authentication, risk-based access to information, detection of risky transactions from a fraud perspective and fake property detection."
On the consumer side, we’ve also started putting out more banners, ensuring that 2FA was clearly available to them. Recently, we implemented one-time passwords (OTP) for every consumer, so logging in generates an email with a code that you then enter to complete the login.
We're trying to do the right things to protect both the consumers and the travelers, not just by getting them information and telling them to be careful of scams but also by implementing the proper detection and prevention measures to make it harder for them to be tricked.
Additionally, we are using machine learning and AI models to improve our detection and prevention tools and better detect attack signals and malicious traffic. We want to understand whether the techniques we use are still effective and what new techniques the attackers are using.
IM: Do you use AI models that you've developed yourselves or off-the-shelf models? How does using those models for security look in practice?
MW: We use a combination of internal and external models, for everything from user behavior, risk-based authentication, risk-based access to information, detection of risky transactions from a fraud perspective and fake property detection.
The attackers are continuing to evolve, and so are we. Obviously, we can't block 100% of everything. I'd love to be able to say we could, but there's no real silver bullet to do that because people are still susceptible to clicking on malicious links.
However, the percentage of consumers who click on something they shouldn't and the percentage of partners who are compromised is very low in terms of our daily volume of business. We monitor those on a regular basis as well.
In 2023 alone, thanks to our AI models, we caught over 1.5 million phishing-related fake reservations and blocked 85 million fraudulent reservations on our platform.
IM: What lessons have you learned from cyber incidents you’ve been involved in?
MW: Every cyber incident is different, and I learn something new every single time. I think the biggest thing I would say is to make sure that stakeholders are clear on what's happening and that there's enough education going out so that they can help themselves.
From the very beginning and throughout the partner issues that we've recently encountered, we've been engaged directly with the CISOs at those companies to help them understand what we were seeing so that they could improve their own defenses.
Information sharing is the most important thing we can do as an industry. We know that the bad guys are sharing information, and so we must be able to share that information as well – and [Information Sharing and Analysis Centers] are one great way to do that. This is even more critical for smaller organizations that might not have security teams or big IT teams.
A rising tide raises up boats, as the saying goes. We want to improve the ecosystem as much as we can overall so that when somebody is having a problem, we can all pitch in and help, or we can get the information quickly.
The information security industry is special. There's a lot of camaraderie and willingness to share and help. Pitching in and sharing the information in the middle of the bad thing that's happening is the best thing that we do as an industry.
IM: Would you describe your role in the company as a technical role or a business and strategy role?
MW: I think it's a combination. CISOs, CIOs and CTOs are slightly unique in that most of us are expected to have come from a fairly heavily technical background.
Nevertheless, the role of CISO has changed significantly over the last 10 years as well as the visibility the CISO gets. CISOs now need to be business partners as well. They must understand what the risks are to the business, to the management teams, and talk with their leaders to provide them with mitigation options.
Therefore, I think CISOs must be able to demonstrate the balance between understanding the technology well enough to anticipate the risk and support the teams, but also communicate at a much higher level to the leadership teams in order to help them understand what the risks are, at a strategic level.
IM: What is the biggest challenge you face as a CSO?
MW: My biggest challenge – but it also applies to all CSOs and CISOs – is being able to translate what are technical attacks and technical vulnerabilities into business impact. Being able to go back and forth and bridge that communication gap is a very important skill set but also a very difficult job.
At the end of the day, what the leadership team wants to know, and what we should be worried about, is how it impacts our partners, our customers and our ability to deliver to customers.
Being able to take technical issues and emerging threats that come up from threat actors and translate them into the business impact in order to help prioritize them is key in our jobs. CISOs are business partners, too.
IM: What would be one piece of advice for your fellow CISOs?
MW: The most significant piece of advice I have is to be curious. Be a learner, go to your stakeholders, and ask questions about what keeps them up at night.
Also, instead of going to your stakeholders and saying, "Here's your list of risks," confront what you think the risks are and what they think the risks are – and really listen to what they come back with.
Those are the times when I've learned the most about how the business actually works and that's what helps CISOs be successful.