The Booking.com Phishing Campaign: What Hotels and Travellers Need to Know

Feb 23, 2026

Cybercriminals are constantly refining their tactics, and one recent phishing campaign shows just how strategic they’ve become. By impersonating Booking.com, attackers are targeting both hotel partners and their guests in a coordinated, multi-step scam.

This isn’t just another generic spam email. It’s a structured attack that moves from hotel systems to real customers, using legitimate booking data to make the fraud far more convincing.

Let’s break down how it works and what you can do to stay protected.

How the Attack Starts: Targeting Hotel Partners

The first stage focuses on hotels and property managers who use Booking.com’s partner platform.

Attackers send emails that appear to come from Booking.com. These messages often reference common operational issues like:

  • New reservations
  • Guest complaints
  • Payment problems
  • Account verification requests

The email includes a link that directs the recipient to what looks like the Booking.com partner login page. In reality, it’s a carefully crafted fake site designed to steal credentials.

If a staff member enters their username and password, the attackers now have direct access to the real hotel account.

What Happens After Credentials Are Stolen

Once inside a legitimate partner account, criminals can access valuable information, including:

  • Guest names
  • Booking details
  • Contact information
  • Travel dates

This is where the campaign becomes particularly dangerous.

Instead of sending random phishing emails, attackers now contact real guests with real booking information. That level of detail makes their messages far more believable.

The Second Stage: Targeting Travellers

Using stolen reservation data, scammers contact guests directly. These messages may arrive via:

  • Email
  • SMS
  • Messaging apps such as WhatsApp

The message often claims there’s an issue with the booking or payment. For example:

“Your card was declined.”

“You need to confirm your reservation.”

“Payment must be reprocessed.”

Victims are directed to a fake webpage that closely resembles Booking.com. There, they’re prompted to enter payment details or other sensitive information.

Because the message references their actual stay, many travellers assume it’s legitimate.

Why This Campaign Is So Effective

  • It uses real booking data.
  • It often originates from compromised hotel accounts.
  • The branding and websites closely mimic official Booking.com pages.
  • Look-alike domains are used to bypass filters and trick the eye.

When fraudsters combine technical deception with genuine customer data, it lowers suspicion and increases the chance of success.

Warning Signs to Watch For

  • Emails urging immediate action regarding payment or verification
  • Links that don’t clearly belong to the official Booking.com domain
  • Messages from free or unusual email addresses
  • Unexpected contact through messaging apps about payment issues
  • Requests to re-enter card details outside the official app or website

If something feels off, pause before clicking.
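
One way to automate the "does this link belong to the official domain" check from the list above, shown as an added example that is not part of the original article and not Booking.com's own code. It assumes booking.com is the only official domain; the function name and the sample links (reserved .example TLD) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only domain treated as official. Add others only after
# verifying them independently.
OFFICIAL_DOMAINS = {"booking.com"}

def classify_link(url: str) -> str:
    """Return 'official' or a 'suspect: ...' reason for a link in a message."""
    if "\\" in url:
        return "suspect: backslash in URL"
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "suspect: malformed URL"
    if parts.scheme != "https":
        return "suspect: not https"
    if parts.username or parts.password:
        # In https://booking.com@host/ the real destination is "host".
        return "suspect: userinfo before host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "suspect: no host"
    if not host.isascii():
        return "suspect: non-ASCII characters in host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspect: punycode label in host"
    # Official only if the host IS the domain or a true subdomain of it.
    for domain in OFFICIAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "official"
    # Brand string present, but not as the registrable domain.
    if any(domain.split(".")[0] in host for domain in OFFICIAL_DOMAINS):
        return "suspect: brand name inside an unrelated domain"
    return "suspect: unrelated domain"

# Constructed sample links, not taken from the campaign.
SAMPLES = [
    "https://secure.booking.com/reservation",
    "https://booking.com.guest-verify.example/confirm",
    "https://booking.com@pay-portal.example/",
    "http://booking.com/pay",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify_link(url):50} {url}")
```

A check like this only covers the link itself; a message sent from a compromised hotel account can still carry an official-looking sender, so payment requests should still be verified independently.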

How Hotels Can Reduce Risk

  • Enable multi-factor authentication on partner accounts
  • Train staff to recognise phishing emails
  • Avoid clicking links in unsolicited booking-related messages
  • Access the partner portal only through bookmarked, verified URLs
  • Monitor account activity for unusual logins or message history

Staff awareness is critical. One compromised login can expose hundreds of guests.

How Travellers Can Protect Themselves

  • Only log into Booking.com through the official website or app
  • Avoid paying through links sent in email or messaging apps
  • Contact the property directly using verified contact details if unsure
  • Check the web address carefully before entering payment information
  • Notify your bank immediately if you suspect fraudulent activity

If you receive a message about your booking that requests urgent payment, verify it independently before taking action.