plus7 Posted December 30, 2021

Hi, I was trying to book a hotel for a quarantine stay. Contacted one from the list of approved, they said write an inquiry to hotel's email. I sent the inquiry, they replied with the pricing. I agreed. They sent bank account number (private) for the payment. After I made the payment they unexpectedly asked for 25,000 as "security deposit". This was suspicious and I called the hotel again. Hotel said they had a security breach and I actually made the payment to hackers. All the communication and the payment request was done from company's email address. The hotel refused to provide the room and refused to return money. On the same day I reported the case to police, but would like to get money back from the hotel. Technical information (SMTP headers) from the emails is identical in legal and in hacked emails. I hope there is a small case court in Thailand to resolve this easily. Banks don't help, send me to police. What do you think, is there a way to get money back?

plus7 (Author) Posted December 30, 2021

Hi, Addition: I did a websearch on hotel name and found a post on tripadvisor (mytrip) reporting exactly the same situation on 19 November 2021. So, I'm not the only one....

Kwasaki Posted December 30, 2021

So how much did you pay?

plus7 (Author) Posted December 30, 2021

Kwasaki, Thank you for your attention, I lost 18,000 and the guy from tripadvisor 20,000.

gearbox Posted December 30, 2021

8 minutes ago, plus7 said:
> Kwasaki, Thank you for your attention, I lost 18,000 and the guy from tripadvisor 20,000.

In theory they are liable, but in practice I doubt a small case court can deal with this. Digital crime is a highly specialised topic and most likely there have to be experts called as witnesses to explain in plain language what SMTP headers are. Btw these can be forged too.

IMO your best bet is to find more victims and act together, your case would look much more probable. File a police report first and mention the tripadvisor post as well. The police in many countries have digital crime units now, they are obliged to act on cases like this. Also in some countries there is now a mandatory breach disclosure and notification, the hotel may breach the law if they are aware their infrastructure is hacked and they fail to notify the police and the potential victims.

plus7 (Author) Posted December 30, 2021

gearbox, Thank you for your valuable advice. Yes, headers can be forged, but DKIM signature (which is present and valid), can't be forged. I will try to find more victims, maybe this topic will help to find someone.

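The header check discussed in the posts above, as an added example that is not part of any post in this thread: it reads the receiving server's Authentication-Results header for constructed messages and shows that a passing, aligned DKIM result identifies the signing domain, so two messages sent from the same mailbox look identical at header level whoever wrote them. The domains, `TRUSTED_AUTHSERV` and all helper names are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.recipient.example"  # assumption: the reader's own receiving server

def sample(auth_d, reply_to=None, authserv=TRUSTED_AUTHSERV):
    """Build a constructed test message (no real mail is used here)."""
    lines = [
        f"Authentication-Results: {authserv};",
        f" dkim=pass header.d={auth_d}; spf=pass smtp.mailfrom={auth_d}",
        "From: Reservations <booking@hotel.example>",
    ]
    if reply_to:
        lines.append(f"Reply-To: {reply_to}")
    lines += ["Subject: Re: Quarantine stay inquiry", "", "body"]
    return "\n".join(lines)

GENUINE = sample("hotel.example")    # written by hotel staff
SUSPECT = sample("hotel.example")    # written by someone else using the same mailbox
LOOKALIKE = sample("hotel-mail.example", reply_to="pay@hotel-mail.example")

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    dkim, dkim_dom = "none", None
    for ar in msg.get_all("Authentication-Results", []):
        ar = " ".join(ar.split())                     # unfold continuation lines
        authserv = ar.split(";", 1)[0].split()
        if not authserv or authserv[0].lower() != TRUSTED_AUTHSERV:
            continue                                  # ignore results we did not generate
        m = re.search(r"\bdkim=(\w+)(?:[^;]*?\bheader\.d=([\w.-]+))?", ar)
        if m:
            dkim, dkim_dom = m.group(1).lower(), (m.group(2) or "").lower() or None
            break
    # Simplified alignment: From domain equals, or is a subdomain of, the signing domain.
    aligned = bool(dkim_dom) and (from_dom == dkim_dom or from_dom.endswith("." + dkim_dom))
    reply_dom = domain_of(msg["Reply-To"])
    return {
        "from_domain": from_dom,
        "dkim_pass_aligned": dkim == "pass" and aligned,
        "reply_to_differs": bool(reply_dom) and reply_dom != from_dom,
    }

def headers_distinguish(raw_a, raw_b):
    """True only if the header-level verdicts of the two messages differ."""
    return triage(raw_a) != triage(raw_b)

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("suspect", SUSPECT), ("lookalike", LOOKALIKE)]:
        print(name, triage(raw))
    print("headers separate genuine from suspect:", headers_distinguish(GENUINE, SUSPECT))
```

When the header verdicts match, as they do for the first two messages, the payment details have to be confirmed through a channel other than that mailbox.
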
Chris.B Posted December 30, 2021

You phoned the hotel and they told you to make your inquiry to the hotel's email address? The hotel's email address was hacked?

gearbox Posted December 30, 2021

2 minutes ago, plus7 said:
> gearbox, Thank you for your valuable advice. Yes, headers can be forged, but DKIM signature (which is present and valid), can't be forged. I will try to find more victims, maybe this topic will help to find someone.

Reading more carefully your post it seems that they were fairly stupid to admit in an email that they have been hacked. Unless that email is from the hackers too.

You can extract an admission of hacking by calling them by phone and record the call...just try to make them admit clearly that they have been hacked. A court can understand this better than the technicalities of the SMTP exchanges and DKIM signatures. In some countries recording a phone call when you are a participant is legal and can be used in a court as evidence. Have no idea what the Thai law says about this.

tgw Posted December 30, 2021

3 minutes ago, Chris.B said:
> You phoned the hotel and they told you to make your inquiry to the hotel's email address? The hotel's email address was hacked?

yes, that part of the story stands out. points to an inside job. I would report the case to the cybercriminality division of the police, along with the report from November. Either an inside job or criminal negligence. Also, the account should be easily traceable. I'd bet on inside job.

Edited December 30, 2021 by tgw

ThailandRyan Posted December 30, 2021

Did you pay with a Bank Card, or Credit card? Many will refund the money once you lodge a fraudulent use claim.

OneMoreFarang Posted December 30, 2021

4 hours ago, plus7 said:
> They sent bank account number (private) for the payment.

Private? Like pay to Somchai Crook? When I pay for a hotel there are two options: Credit card or transfer to the hotel account with a name that matches the name of the hotel.

OneMoreFarang Posted December 30, 2021

Maybe this will help you: Any business in Thailand is required to keep logs of the internet traffic for (as far as I remember) 6 months. If they don't keep the logs or if there are no logs there can be a very high penalty. So maybe ask them for the logs. And when they reply there are no logs ...

tgw Posted December 30, 2021

2 minutes ago, OneMoreFarang said:
> Private? Like pay to Somchai Crook? When I pay for a hotel there are two options: Credit card or transfer to the hotel account with a name that matches the name of the hotel.

yeah, well, some people are gullible (many) and this is Thailand. the crook is criminally guilty, while the injured parties are minimally guilty of negligence.

plus7 (Author) Posted December 30, 2021

Hi everyone, Thank you for your recommendations. Yes, they sent me the email saying:

Please pay to this account: 1234556 Somchai Crook

I checked the email, it came from the valid source. So I was sure this is ok. All emails contained quotations from previous emails. The payment was done from a mobile phone application. This transaction isn't reversible. A lesson for me to use a credit card next time.

I wonder that the big and "leading" hotel managing company don't take responsibility for relatively small amount. They are virtually saying, we can't help you because you sent money somewhere else. The woman whose email it was, cried: "I didn't send you anything!!!". The supervisor woman, who introduced herself only with the nickname said "Please make the payment one more time, this time, for sure, to the right account and we will give you better room. This is all we can do for you." And this is a big (not international) hotel managing company, their ratings on Agoda or elsewhere are generally good.

I did the booking with another hotel, of course, and they took only pre-payment. Like if quarantine stay rule will be canceled, no problem.

ChrisP24 Posted December 30, 2021

18k baht certainly hurts, but in the grand scheme of things I personally wouldn't try to pursue a court case from outside of the country. The time, effort, aggravation and very real risk of money paid to a lawyer being just a waste make it in my mind just not worth it. 18k sounds like it is for a longer stay, maybe the best course of action is to make what lemonade you can out of the situation by speaking with the general manager directly and getting the hotel to get you one of their best rooms at the most discounted rate you can talk them into. They do have some responsibility and will hopefully at least acknowledge it that way. If the GM won't do that you could try going higher up within the management company.

mvdf Posted December 30, 2021

10 hours ago, plus7 said:
> gearbox, Thank you for your valuable advice. Yes, headers can be forged, but DKIM signature (which is present and valid), can't be forged. I will try to find more victims, maybe this topic will help to find someone.

If you were instructed to inquire via email and having followed that instruction, you received a response with instructions to pay to a certain account, the hotel should be held liable for damages as a result of negligence on their part. They know they were hacked and yet advised you to use email nevertheless. They should have disabled their email system or, if it was under the hacker's control, they should have removed or amended the email address on their website. Ruthless of them to simply dismiss responsibility. The appropriate way to right this wrong is for them to write off this loss for reputational reasons and offer you a room complimentarily.

Edited December 31, 2021 by mvdf

Chosenfew Posted December 31, 2021

Seems like an inside job, maybe some hotel f**kery going on…

snowgard Posted December 31, 2021

2 hours ago, Chosenfew said:
> Seems like an inside job, maybe some hotel f**kery going on…

Yes, I thought the same. In reality an easy job for the police.

1. They have the bank account owner, who received the money.
2. They can find out the ip of the person who sent the email.
3. They can find out over which ip the mail account is checked for new mails.

The Theory Posted December 31, 2021

18 hours ago, plus7 said:
> Hotel said they had a security breach

oh sure. Perhaps employees in the back room using email addresses.

SteveAZ Posted December 31, 2021

Use a booking service. Agoda, Expedia etc… you're not getting your money back. You might get the Hotel to agree to a discount.

khunPer Posted December 31, 2021

Have you contacted the bank to where you forwarded the deposit..?

berrec Posted December 31, 2021

Maybe some useful information on legal requirements for organizations in Thailand to report data security breaches.

DATA BREACH REPORTING UNDER THE THAILAND PDPA

Extract: If the data breach IS likely to result in a risk to the rights and freedoms of data subjects, then the controller must report the breach to the PDPC within 72 hours of becoming aware of it.

Not saying it will help you with any legal aspects, but possibly you can rattle the hotel's chain and request reimbursement, or you're going to report them for PDPA violation of non-compliance to report a security breach issue.

When PDPA is enforced but not complied with, what penalties will there be?

Failure to comply with the PDPA will be penalized for non-compliance. There are 3 types of Personal Data Protection Act (PDPA) as follows:

Civil penalty

Civil penalties are required to indemnify the owner of the personal data that was damaged by the infringement, and may be required to pay additional compensation for additional punitive damages up to 2 times the actual damages. Must pay compensation to the owner of the personal data in the amount of 100,000 baht, the court may order a penalty for punitive damages 2 times the actual damages equal to having to pay all the fines in the amount of 3 hundred thousand baht.

Criminal penalties

Criminal penalties include both imprisonment and a fine, with a maximum imprisonment of not more than 1 year or a fine of not more than 1 million baht, or both. The maximum penalty is imposed on non-compliance with the PDPA in respect of the use of data or disclose information or send data transfers to foreign countries Types of sensitive personal data (Sensitive Personal Data). In the case if the offender is a company (juristic person), they may wonder who will be jailed, because the company cannot go to jail. In this section, it may fall to the executives, directors or people responsible for the operations of that company who will be punished by imprisonment instead.

Administrative penalty

Fines range from 1 million baht to a maximum of 5 million baht, of which a maximum fine of 5 million baht will be a case of non-compliance with the PDPA in the use of information or disclose information or transferring data to other countries of the category of sensitive personal data (Sensitive Personal Data). This administrative penalty is separate from compensation for damages arising from civil penalties and criminal penalties.

For what it's worth?

plus7 (Author) Posted December 31, 2021

2 hours ago, khunPer said:
> Have you contacted the bank to where you forwarded the deposit..?

khunPer, Both banks absolutely don't care as soon as I made the payment myself. However they promise to help with the translation in police :)

CH1961 Posted December 31, 2021

17 hours ago, plus7 said:
> I wonder that the big and "leading" hotel managing company don't take responsibility for relatively small amount.

Because you did not send the money to their (big and leading hotel managing company) account. Simple as that.

robblok Posted December 31, 2021

17 hours ago, plus7 said:
> Hi everyone, Thank you for your recommendations. Yes, they sent me the email saying: Please pay to this account: 1234556 Somchai Crook I checked the email, it came from the valid source. So I was sure this is ok. All emails contained quotations from previous emails. The payment was done from a mobile phone application. This transaction isn't reversible. A lesson for me to use a credit card next time. I wonder that the big and "leading" hotel managing company don't take responsibility for relatively small amount. They are virtually saying, we can't help you because you sent money somewhere else. The woman whose email it was, cried: "I didn't send you anything!!!". The supervisor woman, who introduced herself only with the nickname said "Please make the payment one more time, this time, for sure, to the right account and we will give you better room. This is all we can do for you." And this is a big (not international) hotel managing company, their ratings on Agoda or elsewhere are generally good. I did the booking with another hotel, of course, and they took only pre-payment. Like if quarantine stay rule will be canceled, no problem.

What I don't get is that you first have the hotel admitting a security breach and then they go back on their word? That is a bit strange in the story. You said they admitted a security breach and then the woman said she did not send anything (of course she did not, it was the hackers). But that must have been clear to the hotel too, why else first admit it. Strange story.

Bruno123 Posted December 31, 2021

23 hours ago, plus7 said:
> Hi, I was trying to book a hotel for a quarantine stay. Contacted one from the list of approved, they said write an inquiry to hotel's email. I sent the inquiry, they replied with the pricing. I agreed. They sent bank account number (private) for the payment. After I made the payment they unexpectedly asked for 25,000 as "security deposit". This was suspicious and I called the hotel again. Hotel said they had a security breach and I actually made the payment to hackers. All the communication and the payment request was done from company's email address. The hotel refused to provide the room and refused to return money. On the same day I reported the case to police, but would like to get money back from the hotel. Technical information (SMTP headers) from the emails is identical in legal and in hacked emails. I hope there is a small case court in Thailand to resolve this easily. Banks don't help, send me to police. What do you think, is there a way to get money back?

https://www.ocpb.go.th/ewtadmin/ewt/ocpb_en/
https://web.facebook.com/ocpb.official/?_rdc=1&_rdr

Closes in twenty minutes.

plus7 (Author) Posted December 31, 2021

7 hours ago, robblok said:
> Strange story.

robblok, the story became strange to me too when the email asked for "security deposit" of 25,000. I called the hotel, and they said "don't send anything to them, they are hackers!". Later, I called to the phone number in the signature just for curiosity, and the woman said "I didn't send you anything!!!". She was a legitimate worker of the hotel and it was her email that was hacked (allegedly).

blackcab Posted December 31, 2021

Contact the Technical Crime Suppression Division: https://tcsd.go.th/contact-us/

Liverpool Lou Posted January 2, 2022

On 12/30/2021 at 8:12 PM, gearbox said:
> In theory they are liable,

Why? The hotel didn't take the money, he sent it to a personal bank account, not a hotel's business account. Why would anyone do that without checking that massive red flag with the hotel first?

Liverpool Lou Posted January 2, 2022

On 12/30/2021 at 10:01 PM, plus7 said:
> I wonder that the big and "leading" hotel managing company don't take responsibility for relatively small amount. They are virtually saying, we can't help you because you sent money somewhere else.

Why should they take responsibility if they didn't send you the dodgy personal bank name and number? They are right, unfortunately, you sent the money to a third party individual, not a "big and leading hotel" account. Why would you do that without checking the veracity of the request with the hotel? Have you reported to the police that an individual whose name and bank details you know defrauded you?

Edited January 2, 2022 by Liverpool Lou