Booking.com breach exploited to send fake hotel payment demands to UK guests using real booking details

Impersonating: Booking.com

What is this scam?

Following a breach of hotel-partner accounts on Booking.com in April 2026, fraudsters obtained guest names, email addresses, phone numbers, check-in dates, and booking reference numbers. Scammers are using this data to send convincing phishing messages impersonating hotels — via the Booking.com messenger or copycat emails — demanding urgent card re-verification or an additional payment to secure the reservation. Because the messages reference the guest's actual booking details, they are highly credible and difficult to identify as fraudulent. The NCSC and Action Fraud have both flagged the tactic; payment and full card data were not taken in the breach itself, but victims who click and pay lose real money.

Example scam message

Message via Booking.com messenger (or email): 'Dear [Your Name], this is [Hotel Name]. We are migrating to a new payment system and require you to re-verify your card to secure your booking for [check-in date] (Ref: [real booking reference]). Please complete verification within 24 hours to avoid automatic cancellation: hotel-payment-verify.xyz/confirm' [Your real booking reference makes this look legitimate — contact your hotel directly via the number on Booking.com to verify any payment request]

Red flags to look out for

  • The message creates urgency — threatening a fine, missed delivery, or account closure.
  • Links lead to unofficial domains that don't match the real company's website.
  • You weren't expecting this message and can't verify the event it references.
  • It asks you to confirm payment details or personal information via a link.
  • The sender's number or email address doesn't match the company's official contact.

What to do if you receive this

  1. Do not call any numbers or click any links in the message.
  2. Log in to your account directly via the official website or app to check for any real alerts.
  3. Forward the message to 7726 or email report@phishing.gov.uk.
  4. Report it to Action Fraud at actionfraud.police.uk.
Received this message? Forward it to 7726 (free on all UK networks) to report it to your mobile provider. You can also report it to Action Fraud or email the NCSC at report@phishing.gov.uk.

Not sure if your message is a scam?

Check it instantly with our free AI-powered detector.

Check a message now
← Back to all latest scams

Source: Action Fraud