Fake Booking.com Account-Security Alert and Login Phishing
Phishing emails impersonating Booking.com warn of suspicious activity or a required account review, directing travellers to a fake login page to steal credentials and stored payment data.
Last reviewed: 7 June 2026
Booking.com accounts hold payment card details, travel history, and personal identification — a combination that makes them valuable to attackers. Phishing campaigns targeting Booking.com users claim that unusual activity has been detected, that the account requires re-verification, or that a recent booking cannot be confirmed until the user logs in to verify their details.
The fake alert is calibrated to create anxiety: an upcoming trip may be in jeopardy if the issue is not resolved quickly. This time pressure is particularly effective against travellers who have imminent bookings and cannot afford to lose their reservation.
Booking.com's real account-security notifications appear within the Booking.com app and arrive by email from @booking.com. They do not ask users to re-enter payment details through external links.
How this scam works on the Booking.com brand
The phishing email typically references a specific future booking (if the attacker has obtained this from a prior breach or from compromised hotel data) or a generic 'recent booking activity that needs verification'. The email uses Booking.com's blue-and-white branding and a 'Verify Now' or 'Secure My Account' button.
The fake sign-in page is a close replica of booking.com's login screen. After the victim enters credentials, they are sometimes shown a fake 'additional verification' step requesting the payment card details 'stored against the account'. This two-step harvest collects both credentials and card data in a single session.
Other variants use the compromised credentials to log into the real Booking.com account and silently change the registered email address, locking the real owner out before making fraudulent reservations against stored payment methods.
Common red flags
- Account-security email from a sender that is not @booking.com
- A 'Verify Account' link leading to a domain other than booking.com
- The email creates urgency around an upcoming booking being cancelled if not verified
- A verification step requesting full card details after sign-in — Booking.com does not ask for this
- Checking the Booking.com app shows no corresponding security alert
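For mail administrators or anyone triaging reported messages, the sender, link and urgency red flags above can be checked mechanically. The following is an added example, not Booking.com's own tooling; the function names, flag labels, urgency wording pattern and the `.example` sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "booking.com"  # the only domain the page treats as legitimate
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumed wording heuristic for the "booking cancelled unless verified" lure
URGENCY_RE = re.compile(r"cancel\w*[^.]{0,80}\bverif\w*|\bverif\w*[^.]{0,80}cancel\w*", re.I | re.S)

def in_brand(host):
    """True only for booking.com itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == BRAND or host.endswith("." + BRAND)

def host_of(url):
    # hostname ignores any "user@" prefix and the path; malformed URLs yield ""
    try:
        return urlsplit(url).hostname or ""
    except ValueError:
        return ""

def red_flags(raw_email):
    """Return the red flags from the list above that one raw message trips."""
    msg = message_from_string(raw_email)
    flags = []
    # parseaddr drops the display name, so "Booking.com <x@other>" is judged on x@other
    _, addr = parseaddr(msg.get("From", ""))
    if not in_brand(addr.rpartition("@")[2]):
        flags.append("sender-not-booking.com")
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    # Lookalikes such as booking.com.<other-domain> fail the suffix test
    for host in sorted({host_of(u) for u in URL_RE.findall(body)}):
        if not in_brand(host):
            flags.append("link-off-brand:" + host)
    if URGENCY_RE.search(body):
        flags.append("urgency-cancellation")
    return flags

# Constructed sample messages (not real campaign data)
PHISH = """From: Booking.com Security <alerts@booking-secure.example>
Content-Type: text/html

<p>Your upcoming booking will be cancelled unless you verify your account today.</p>
<a href="https://booking.com.account-review.example/login">Verify Now</a>
"""
LEGIT = "From: Booking.com <noreply@booking.com>\n\nSign in at https://www.booking.com/ to review your account.\n"
```

An empty result is not proof of legitimacy, because the From header can be forged; the in-app check in the last red flag still applies.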
How to protect yourself
- Access your Booking.com account only by typing booking.com directly into your browser or via the app
- Enable two-factor authentication on your Booking.com account in Account Settings
- If you receive a suspicious security email, check your account directly in the app — if no alert exists there, the email is fake
- Review your stored payment methods in your Booking.com account periodically for any unfamiliar cards
How to report it
- Report phishing emails to Booking.com Customer Service via the Help section at booking.com
- Report to your national cybercrime authority: IC3.gov (US) or Action Fraud (UK)
- If card details were entered on the fake page, contact your card issuer immediately
- If your account was accessed, contact Booking.com support urgently to lock the account and reverse any fraudulent bookings
Frequently asked questions
Does Booking.com send security alerts asking me to verify my payment details?
No. Booking.com security notifications direct you to sign in at booking.com — they do not ask you to re-enter your stored payment card details through an email link. Any such request is fraudulent.
My Booking.com account email was changed without my action. What do I do?
Contact Booking.com Customer Service immediately via their Help centre. They can verify ownership and restore access. Also contact your card issuer if payment details were stored in the account, as they may have been exposed.