Booking.com hotel account hijack payment scam
Impersonating: Booking.com
What is this scam?
Criminals compromise hotel partner accounts on Booking.com through phishing, then use the hotel's legitimate Booking.com messaging system to contact real guests demanding urgent card verification. Because messages arrive from verified Booking.com accounts, they bypass spam filters and look completely genuine.
Example scam message
Message from [Your Hotel] via Booking.com: We need to re-verify your payment details to confirm your upcoming reservation. Please update your card within 12 hours to avoid cancellation: booking-secure-pay.xyz/verify
Red flags to look out for
- The message creates urgency — threatening a fine, missed delivery, or account closure.
- Links lead to unofficial domains that don't match the real company's website.
- You weren't expecting this message and can't verify the event it references.
- It asks you to confirm payment details or personal information via a link.
- The sender's number or email address doesn't match the company's official contact.
What to do if you receive this
- Do not call any numbers or click any links in the message.
- Log in to your account directly via the official website or app to check for any real alerts.
- Forward the message to 7726 or email report@phishing.gov.uk.
- Report it to Action Fraud at actionfraud.police.uk.
Received this message?
Forward it to 7726 (free on all UK networks) to report it to your mobile provider.
You can also report it to Action Fraud
or email the NCSC at report@phishing.gov.uk.
Not sure if your message is a scam?
Check it instantly with our free AI-powered detector.
Check a message nowSource: Action Fraud