Booking a family holiday
Back in the middle of 2019 my extended family decided that to celebrate some significant birthdays we’d go to Center Parcs in Woburn in May 2019 for a long weekend. We booked some accommodation, restaurants etc.
All looked like it was going to turn out to be a great weekend – then in early 2020 Covid-19 came along and, for us as well as for many others, scuppered our plans.
How cancellation should work
On the news back at the start of lockdown we heard that Center Parcs had closed, but it wasn’t clear whether it would re-open before May 2019; it didn’t. For a while we wondered whether Center Parcs would cancel our booking or not – and whether they would communicate with us or not, as their call centre wasn’t accepting incoming calls.
They did eventually email us in mid April 2020 about our booking to advise us that they were extending their closure period to 14th May which meant our booking had to be cancelled. The email we received is below.
This email is addressed to us by name rather than just a generic “Dear Guest”.
This was then followed around two weeks later by an email telling us how to request our refund for the original booking, but it didn’t cover activity, restaurant or spa bookings.
Notice that this email addresses us by “Dear Guest” rather than the name of the guest.
This second email asked us to log into our Center Parcs account and provided an embedded link. Now I don’t like embedded links because they can be misleading, but in this instance the embedded link takes us to https://www.centerparcs.co.uk/my-account/sign-in.html which is the location on the Center Parcs website you would expect to be taken to… it takes you there via an email tracking URL first but hey.
This page is HTTPS protected and the certificate is valid and thus all seems well. I’d have preferred Center Parcs to have published information informing us how they will be completing the refunds in order to make it easier to verify the legitimate method… more on that later.
To obtain our cancellations we logged into the account, filled in the required detail, and waited. Now all the money has been refunded except the activities, restaurant and spa bookings.
How cancellation shouldn’t work
All that was left now was the relatively small amount of money that needed refunding for the activities, restaurant and spa bookings. Eventually the email came about this too –
Again, this email is addressed to “Dear Guest” rather than the name of the guest.
But the embedded link this time takes us to https://centerparcs.mysecurepay.co.uk. It then asks us to enter the booking reference number and surname, and to select the Center Parcs village from a dropdown list, before moving on to pages for the amount, credit card details, and confirmation.
But how do I know if this is actually a phishing campaign or not?
What is Phishing?
Phishing is sending a cleverly crafted email that is designed to deceive you into thinking it’s from a legitimate business you may have engaged with. It probably looks like it’s sent from an email address associated with that business, it probably uses that business’ logo, and it probably provides a link to a website that seems to be for that business and again uses the business’ logo and some other details.
In all honesty at this point in time I haven’t completed any of the information on this webpage shown above because I can’t find any way to verify that this email really was from Center Parcs or that Center Parcs owns the website.
Typical hallmarks of a phishing email are:
It asks you to provide your sensitive information via an email or a link in an email – say like booking details for a holiday and credit card information?
It doesn’t address you by name as the sender doesn’t actually know your name – say like addressing me as “Guest”
The sender email address doesn’t match the domain for the company – well in this instance this matches
Any links provided in the email do not point back to the business’ primary internet site – say like directing to third party site for you to enter your confidential information?
Purpose of the email is to get you to provide personal information and ideally information about your bank accounts or credit or debit cards – say like details of a holiday and credit card information?
Poor grammar and spelling – not really the case in this situation
Whole email is a link pushing you to a website – not really the case in this situation
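The checklist above, applied mechanically to constructed copies of the second and third emails (an added example, not code from the original post). The sender local part, the message wording and the short suffix table are assumptions; only the two link targets come from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for .uk names.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}
GENERIC_GREETING = re.compile(r"\bdear\s+(guest|customer|user)\b", re.I)
SENSITIVE = re.compile(r"\b(credit|debit)\s+card\b|\bbank\s+account\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def registrable_domain(host):
    """Reduce a hostname to the name its owner actually registered."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def phishing_hallmarks(raw_email):
    """Return the checklist hallmarks that a plain-text message exhibits."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    sender = registrable_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    findings = []
    if GENERIC_GREETING.search(body):
        findings.append("generic greeting")
    if SENSITIVE.search(body):
        findings.append("asks for payment details")
    for url in URL.findall(body):
        host = urlsplit(url).hostname or ""
        # Compare registrable domains: a brand name used as a subdomain label
        # (centerparcs.mysecurepay.co.uk) says nothing about who owns the site.
        if registrable_domain(host) != sender:
            findings.append(f"link leaves sender domain: {host}")
    return findings

# Constructed messages modelled on the post; the local part and wording are
# invented, and the tracking redirect in front of the real link is omitted.
HEADERS = "From: Center Parcs <placeholder@centerparcs.co.uk>\nSubject: Refund\n\n"
SECOND_EMAIL = HEADERS + (
    "Dear Guest,\nTo request your refund, log in to your account:\n"
    "https://www.centerparcs.co.uk/my-account/sign-in.html\n")
THIRD_EMAIL = HEADERS + (
    "Dear Guest,\nEnter your booking reference and credit card details at\n"
    "https://centerparcs.mysecurepay.co.uk\n")

if __name__ == "__main__":
    for name, raw in (("second", SECOND_EMAIL), ("third", THIRD_EMAIL)):
        print(name, phishing_hallmarks(raw))
```

A flagged link is not proof of fraud: a legitimately outsourced payment page produces the same finding, which is why the recipient cannot tell the two apart unless the business names its payment processor on its own site.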
Is the Center Parcs email a Phishing Email then?
On the Center Parcs website they have the following information on their “FAQs and getting in touch” page:
The most recent email did come from firstname.lastname@example.org but email isn’t a secure communication method and it’s possible to receive emails that didn’t genuinely come from their purported source.
So in all honesty I don’t know. I think it probably did come from Center Parcs but I’m not willing to put my details into a third party website without feeling certain.
Did you contact Center Parcs then?
In conclusion – I would expect better than this from a large UK business – at least publish on your website how refunds will be processed and what site you are using to do this…
If you are reading this thinking “How do I protect myself from more blatant phishing attacks” and want to know more, please contact us for a chat. If you work for Center Parcs and could help me clear this up – again, please contact me… I’ll happily update this post to reflect what you do to resolve this issue.