Booking.com Scams: What to Watch for in Phishing Messages

Booking.com scams have grown more sophisticated, with criminals targeting holidaymakers through fake messages and compromised hotel accounts.

Between June 2023 and September 2024, victims lost over £370,000 to these schemes. Travellers need to recognise the warning signs to avoid falling for these tactics.

Scammers often send messages that look like they come from real hotels or Booking.com, asking for payment details or claiming there is a booking issue that needs urgent attention.

They hack genuine hotel accounts, making their messages appear trustworthy to unsuspecting customers.

Understanding how these scams work and knowing the red flags can help travellers avoid financial loss.

Spotting suspicious payment requests and identifying fake confirmation pages is crucial for anyone using online travel platforms.

Understanding Booking.com Scams

Scammers target Booking.com users with fake messages asking for payment details. Cybercriminals take advantage of the platform’s popularity to steal money and personal information.

These schemes have increased, with criminals using advanced tactics to deceive travellers.

How Scams Target Booking.com Users

Fraudsters focus on Booking.com users because the platform is popular and handles valuable financial data.

The site processes over a billion bookings every year, making it attractive to cybercriminals.

Scammers often target customers who have just made bookings. They exploit travellers’ anxiety about their reservations.

Many people worry about their holiday plans, so they respond quickly to urgent messages.

Primary targeting methods include:

Monitoring recent booking activity
Accessing compromised hotel accounts
Sending mass phishing campaigns
Creating fake booking confirmations

Travellers are emotionally invested in their trips, so they may be less cautious when receiving messages about booking problems.

Fraudsters also target users during busy booking seasons when activity is high on the platform.

Common Scam Methods and Tactics

Phishing Messages are the most common attack. Scammers send fake emails or texts claiming there is a payment problem with a booking.

These messages often say payment details need verification or the booking will be cancelled.

Account Takeovers happen when criminals access hotel accounts. Between June 2023 and September 2024, Action Fraud received 532 reports of this fraud, resulting in £370,000 in losses.

Scammers then message customers directly through the app’s chat function.

Fake Listings trick users into paying for properties that do not exist or are unavailable. These listings often show luxury accommodations at very low prices.

Payment Diversion scams tell customers to pay outside the official platform. Criminals claim there is an urgent payment issue and direct victims to unofficial payment channels.

Booking.com’s Stance and Security Measures

Booking.com states it never asks customers to share payment information via email, chat, text, or phone calls.

Any message requesting this information is a scam.

The company has seen a 500 to 900% increase in travel scams over the past 18 months. This rise matches the growing use of AI tools like ChatGPT by cybercriminals since November 2022.

Official communication channels include:

Direct messages through the verified app
Emails from official Booking.com domains
Phone calls customers make to verified numbers

The platform encourages users to report suspicious activity right away.

Customers should always log into their accounts through the official website to check any booking claims.

Booking.com also lists trusted email addresses on their website for verification.

Typical Phishing Messages and Techniques

Cybercriminals use several tactics to trick Booking.com users into sharing sensitive information.

They create fake payment requests, hack hotel accounts to send convincing messages, and use poor language that can reveal their true identity.

Urgent Payment Requests

The most common scam involves fake payment verification messages.

Scammers send emails or texts claiming there is a problem with payment details or card information.

These messages create false urgency by stating that bookings will be cancelled within hours unless immediate action is taken.

The scammer asks users to click a link and enter credit card details to “verify” or “pre-authorise” their stay.

Warning signs include:

Demands for immediate payment verification
Threats of booking cancellation
Requests to click external links
Claims about payment failures

Between June 2023 and September 2024, this scam cost 532 victims £370,000 according to Action Fraud.

Account Takeover and In-App Messaging

Cybercriminals hack hotel accounts on Booking.com and send messages that appear to come from real accommodation providers.

These fraudulent messages show up in the official Booking.com app, making them seem trustworthy.

Users receive unexpected messages asking for extra payments or card details.

Scammers exploit the trust users place in direct hotel communication.

Since the messages come from what looks like the actual hotel account, many people do not question their authenticity.

This method is especially dangerous because it avoids normal email filters and appears within the trusted Booking.com environment.

Language and Grammar Clues

Fraudulent messages often contain language errors that reveal their origins.

Poor grammar, spelling mistakes, and awkward phrasing are common signs of scams.

Legitimate Booking.com communications use professional language and correct English.

Scam messages often include:

Spelling errors in common words
Awkward sentence structure
Inconsistent formatting
Unusual punctuation patterns

The tone of these messages also differs from genuine ones.

Scammers use urgent or threatening language to pressure quick responses, or excessive politeness that feels unnatural.

Demand for Personal or Financial Information

Legitimate Booking.com transactions never require customers to share payment details through email, text, or phone calls.

Any message requesting this information is a scam.

Fraudsters may ask for:

Credit card numbers and security codes
Banking information
Personal identification details
Login credentials

Some scammers create fake Booking.com web pages to steal information.

These pages may include malicious downloads disguised as cookie consent buttons, which can give hackers access to devices.

Remember: Booking.com will never request sensitive payment information through unofficial channels.

All real payments happen through the official website or mobile app only.

Fake Booking.com Web Pages and External Links

Cybercriminals create convincing copies of Booking.com pages to steal personal and financial information.

These fake websites trick users into downloading malicious files or entering payment details on bogus pages.

How to Identify Fraudulent Websites

Fake Booking.com sites often have small differences in their URLs, such as “bookng.com” or “booking-com.net” instead of “booking.com”.

Visual clues can help spot fakes. Fraudulent sites may show poor image quality, odd fonts, or outdated design elements.

Look for security indicators. Real Booking.com pages use HTTPS, shown by a padlock in the browser’s address bar.

Fake sites may lack this or display warnings about unsecured connections.

Check how the website works. Official Booking.com pages load quickly and work smoothly.

Fraudulent sites may load slowly, have broken links, or miss important pages.

Malicious Downloads and File Traps

Scammers use fake Booking.com pages to spread harmful software that can take control of victims’ devices.

These files often look like booking confirmations, vouchers, or travel documents.

Common traps include executable files (.exe), compressed files (.zip), and documents with hidden macros.

Fraudulent sites may claim these downloads are needed to complete a booking or access special offers.

Never download files from unofficial Booking.com messages or suspicious websites.

Legitimate booking confirmations are always available directly through your Booking.com account dashboard.

Warning signs of malicious download attempts:

Urgent messages saying downloads are needed immediately
Files with strange names or extensions
Pop-up windows forcing downloads
Requests to turn off antivirus software before downloading

Recognising Dupe Payment Pages

Fake payment pages are one of the most dangerous parts of Booking.com scams.

These pages are made to steal credit card details, banking information, and other sensitive data.

Real Booking.com payment pages always stay within the official domain during the entire transaction.

Any external link that takes you away from the official site during payment is a red flag.

Fake payment pages may ask for more information than usual, such as extra security codes or full banking credentials.

Legitimate bookings only require basic card details.

Fake payment pages often skip security steps and show generic success messages without booking details.

Real transactions include verification steps and clear confirmation messages.

Always check you are on the official Booking.com domain before entering payment information.

Close any external payment pages that appear during the booking process.

Spotting Suspicious Communications

Fraudsters use advanced tactics to make their messages look real while asking for sensitive information through unofficial channels.

Authentic Booking.com messages follow strict policies and never ask for payment details via phone, email, or text.

Verifying Authentic Booking.com Messages

Genuine Booking.com messages come through official channels and include booking reference numbers that match your reservation.

These messages direct users to log into their accounts through the official website or app, not through embedded links.

Customers should always verify suspicious messages by calling the hotel directly using the phone number on the official Booking.com platform.

This step confirms whether the message is real or a scam.

Warning signs of fake messages include:

Generic greetings without personalised booking details
Urgent language demanding immediate action
Requests to click links or download attachments
Poor spelling or grammar

If unsure, go directly to Booking.com’s website by typing the URL instead of clicking links in messages.

Official Payment Policies and Channels

Booking.com never asks customers to share credit card details through email, chat, text, or phone calls.

Any message requesting payment information through these channels is a scam.

Legitimate payment updates only happen through the official Booking.com platform after users log into their accounts.

The company processes all real payment changes through secure, encrypted connections on their website or app.

Fraudsters often send fake payment alerts claiming cards have been declined or need verification.

These scam messages usually create urgency by threatening booking cancellations unless you act immediately.

Legitimate payment communications never:

Request full credit card numbers via email or text
Ask for CVV codes through unofficial channels
Demand immediate phone verification of payment details
Use third-party payment platforms or unfamiliar websites

Signs of Social Engineering Attempts

Social engineering tactics use psychological triggers to manipulate victims into sharing sensitive information or taking harmful actions. Fraudsters often impersonate hotel staff or Booking.com representatives to build trust before making fraudulent requests.

These criminals gain access to hotel accounts on Booking.com and send messages that appear to come from legitimate properties. They use existing booking details to make their communications seem authentic while requesting additional payments or personal information.

Common social engineering techniques include:

Creating false emergencies requiring immediate payment
Claiming system errors need customer verification
Offering fake upgrades or discounts for quick responses
Using official logos and formatting to appear legitimate

Fraudsters contact victims through channels like WhatsApp, SMS, and email to increase perceived legitimacy. They reference specific booking details from compromised hotel accounts to make their requests seem genuine.

Customers should remain sceptical of unsolicited communications requesting personal information, no matter how official they appear.

Preventative Measures to Stay Safe

Setting up proper security measures and verifying booking details reduces the risk of Booking.com scams. These steps help protect personal information and ensure legitimate transactions.

Enabling Two-Factor Authentication

Two-factor authentication adds an extra layer of security to Booking.com accounts. Users should enable this feature in their account settings to prevent unauthorised access.

This security method requires both a password and a second verification step. The second step usually involves a code sent to a mobile phone or email address.

Even if scammers obtain login credentials, they cannot access the account without the second verification code.

Steps to enable two-factor authentication:

Log into the Booking.com account
Navigate to account security settings
Select two-factor authentication option
Follow the setup instructions provided

Users should use strong, unique passwords for their accounts. Combining two-factor authentication with robust passwords creates a stronger defence against hackers who target hotel or accommodation accounts.

Checking Accommodation Details and Reviews

Verifying accommodation details helps identify fraudulent listings or suspicious communications. Users should examine property information carefully before making payments.

Key details to verify include:

Property photos – Multiple recent images from different angles
Contact information – Legitimate phone numbers and addresses
Guest reviews – Recent feedback from verified bookings
Response rates – How quickly hosts reply to messages

Genuine accommodations have consistent review patterns and detailed property descriptions. Users should contact properties directly using official contact details if they receive suspicious payment requests.

Checking the accommodation’s official website can help verify legitimacy. Many established hotels and rental properties maintain their own websites with matching information to their Booking.com listings.

What to Do If You Fall Victim to a Booking.com Scam

Act quickly if you discover you’ve been targeted by cybercriminals using fake Booking.com messages. Contact your bank immediately, report the incident to authorities, and inform Booking.com about the fraudulent activity.

Immediate Steps for Victims

Contact the bank or card provider straight away. Call the emergency number on the back of your card or use the bank’s fraud hotline. Banks can block the card within minutes to prevent further unauthorised charges.

Many banks can reverse fraudulent transactions if reported quickly. The sooner you notify them, the better your chances of recovering lost money.

Change all passwords immediately. If you entered login details on a fake website, update passwords for your Booking.com account and any other accounts using the same password. Enable two-factor authentication on all travel and financial accounts.

Check bank statements carefully. Look for any suspicious transactions, even small amounts. Scammers sometimes make small test purchases before attempting larger fraud.

Document everything. Take screenshots of fake messages, emails, or websites. Save confirmation emails and note the exact time and date of the incident. This evidence will help with reports and potential refund claims.

Reporting Scams to Relevant Authorities

File a report with Action Fraud. This is the UK’s national fraud reporting centre. Report online at actionfraud.police.uk or call 0300 123 2040.

Between June 2023 and September 2024, Action Fraud received 532 reports of Booking.com scams, totalling £370,000 in losses.

Forward suspicious emails and texts. Send fake emails to the National Cyber Security Centre at report@phishing.gov.uk. Forward suspicious text messages to 7726 (SPAM).

This helps authorities track scam patterns and protect other users.

Report to local police if necessary. For large financial losses or if you feel threatened, file a police report. This creates an official record that may be needed for insurance claims or legal proceedings.

Contacting Booking.com Support

Report the incident through official channels. Contact Booking.com customer service directly through their website or app. Avoid using contact details from suspicious messages.

The genuine support team can flag the scammer’s methods and may help with the booking if it was legitimate.

Ask about booking protection. Booking.com can confirm whether any payment requests were genuine and help secure your account.

Request account security review. Ask Booking.com to check for unauthorised access to your account. They can enable extra security measures and monitor for future suspicious activity.

Conclusion

Booking.com phishing scams continue to evolve, targeting travellers and property owners with increasingly sophisticated tactics. Scammers exploit trust by impersonating legitimate hotel accounts and sending convincing messages that request payment details or personal information.

Property owners face risks when managing their listings online. These fraudulent messages can damage guest relationships and compromise business operations.

Never provide credit card details through email, phone calls, or messaging apps — legitimate Booking.com transactions will never require this information through these channels.

For property owners seeking expert guidance on protecting their investments and managing online risks, JF Property Partners offers comprehensive support and industry knowledge.

Contact our experienced team at info@jfpropertypartners.com or +44 7457 427143 to discuss your property management needs. Visit our website to learn how our services can help safeguard your property business against fraud and other online threats.

Frequently Asked Questions

Scammers use fake payment verification messages and compromised hotel accounts to steal personal information from travellers. Understanding these tactics helps users recognise legitimate communications from fraudulent ones.

How to check if booking.com listing is legit?

Verify accommodation listings by checking for detailed property descriptions and multiple guest reviews. Legitimate properties display clear contact information and have consistent pricing across different booking platforms.

Extremely low prices compared to similar accommodations may indicate fraudulent listings. Travellers can also search for the property’s official website independently to confirm it exists and matches the Booking.com listing details.

How do Booking.com phishing scams usually work?

Scammers send fake messages claiming there’s a problem with payment details or card information that requires immediate verification. These messages often state that bookings will be cancelled unless users provide personal information quickly.

Criminals sometimes access hotel accounts on the platform and send messages directly through the Booking.com app. They also create fake Booking.com web pages that trick users into downloading malicious files.

What are the warning signs of a fake Booking.com message?

Fake messages typically request immediate payment verification or threaten booking cancellation within a short timeframe. These communications often use urgent language to pressure users into acting quickly.

Suspicious messages may ask users to click on links to verify payment information or download attachments. Poor spelling, grammar mistakes, or unusual sender addresses also indicate potential scam messages.

How can I check if a Booking.com email or link is real?

Check the sender’s email address carefully, as scammers often use addresses that look similar to official Booking.com domains but contain subtle differences. Legitimate emails will come from official Booking.com email addresses ending in @booking.com.

Hover over links without clicking to reveal the actual web address, which should direct to booking.com domains. Log into your Booking.com account directly through the official website to check for any genuine messages or booking issues.

What should I do if I get a suspicious message about my reservation?

Never click on links or provide payment information through suspicious messages. Log into your Booking.com account directly through the official website or app to check for legitimate notifications.

Contact the accommodation directly using contact details from your original booking confirmation to verify if any payment issues exist. Report suspicious messages to Booking.com and relevant fraud authorities.

What official channels will Booking.com use to request personal information, if necessary?

Booking.com will never ask you to share payment information through email, chat messages, text messages, or phone calls.

You should only enter payment details on secure pages on the official Booking.com website during the booking process.

The company may send booking confirmations and general travel information by email.

However, these messages will not ask for sensitive financial details.

If you receive any message asking for payment verification or personal information outside the official booking process, it is likely a scam.