The Bhutan Travel Bureau (BTB) tour company website is like that of any other tour company in Bhutan, with tourism-related content, images, itineraries and contact details, including its email address, targeted at foreign tourists.
However, an unscrupulous foreign hacker took down that email address and hacked it in the first week of June 2024, gaining access to the tour company's email.
The hacker, using the email, entrapped a couple from the United Kingdom (UK) planning to visit Bhutan through BTB. The hacker stole USD 17,000 (Nu 1.425 million) or EURO 15,000 from the couple.
The owner of BTB, Chorten Namgay, said that the UK client wanted to celebrate his wife’s 50th birthday by coming to Bhutan in October 2024. The client established contact with BTB, and Chorten said that BTB sent the invoice and bank details.
After BTB lost contact with the client and the money did not come, Chorten said BTB had to then cancel the bookings with the high-end hotels, air tickets, etc.
However, around 20 August, the client wrote to BTB checking on his visa confirmation and flight details.
Chorten informed the tourist that since his money never came through, BTB had cancelled all the bookings.
The next day, the tourist called and accused the tour operator of lying, saying that he had sent the money in Euros. They had a heated discussion, with the tour operator also not backing down.
It was then that the tour operator realized his email had been hacked, and someone had signed into the BTB email account and had been corresponding with the client.
It was found that the hacker had emailed the tourist and changed the bank details, giving the details of a bank account in Portugal.
Chorten said that the client had initially been uncomfortable sending the money in Euros to a correspondent bank and having it converted into dollars in the dollar account when the money reached Bhutan.
The hacker shrewdly used this too, and said that the Portugal bank would accept the Euros with a Euro account.
The client, thinking he was corresponding with BTB, sent the money to the Portugal account.
The client filed a complaint with the authorities in his country, but they said nothing could be done as the hacker had emptied out the Portugal account two months ago, and the hacker could not be traced.
In Bhutan, the tour operator approached the Immigration Department and Department of Tourism, but there was nothing they could do in this case.
Chorten said that he is convinced his account was hacked as the same hacker had also sent different bank details to his partner agent abroad in Romania, but they had an understanding on the bank and so this fraud could be stopped.
Initially, the client tried to pressure the tour operator to take the blame and said that he would come without paying, but BTB offered a discounted trip, and it looks likely that this will be the solution.
Chorten said that his company is giving a USD 1,500 discount and will request hotels and Druk Air for more discounts, and that the 8-night, 9-day trip will be a no-profit one for the company.
Chorten said he is doing this as he is in the service industry, and reputation is important.
The tour operator said that he had procured the email address from GoDaddy, an international online firm.
This is not the first time this has happened, as another tour company also lost around USD 20,000 to hackers before the pandemic in a similar fashion.
The above cases serve as a lesson for tour operators, and others, on ensuring email security.
Basic measures include having strong passwords, using double authentication, being wary of strange attachments and links, and training employees to detect such cyber threats and fraud.