AI Hyper-Personalised Phishing Impersonating Booking.com
Criminals use AI to generate personalised Booking.com phishing emails that reference the victim's real upcoming reservation details, luring them into entering payment or login credentials on a convincing fake portal.
Part of: AI Hyper-Personalised Phishing Scams
Last reviewed: 8 June 2026
Booking.com sends a high volume of transactional emails — booking confirmations, pre-stay reminders, and payment requests from properties — creating ample opportunity for criminals who can mimic the format. What makes AI-assisted phishing particularly dangerous in the travel context is the ability to incorporate real reservation details: destination, property name, check-in date, and booking reference, all of which give the message immediate credibility.
These details can be sourced from multiple vectors: phishing emails that previously harvested Booking.com credentials, compromised Booking.com property-partner accounts (which have been a documented attack vector), or data-broker records that include travel booking history scraped from loyalty programmes or email receipts.
A victim who has a genuine upcoming stay in Barcelona and receives an email referencing that exact property, check-in date, and a plausible payment or identity verification requirement is far more likely to comply than if the email were generic.
How this scam works on the Booking.com brand
Attackers who compromise Booking.com property-partner accounts gain access to real guest reservation details, including email addresses and booking references. They use this data to send personalised phishing emails to those guests, appearing to come from Booking.com itself, citing a 'payment verification required' or 'identity confirmation needed before check-in'.
AI tools can scale this by generating unique email body text for each victim, referencing their specific property, dates, and booking number. The email links to a fake booking.com page that captures login credentials or payment card details.
Some campaigns ask the guest to re-enter card details to 'confirm' that the payment method registered at booking time is still valid, using a small pre-authorisation transaction as cover. The card details are then used for larger fraudulent transactions.
Common red flags
- A Booking.com email references your real upcoming reservation details but links to a domain that is not booking.com
- The email asks you to re-verify your payment card details through a link rather than directing you to your Booking.com account
- The message arrives via an email address that is not from booking.com — even subtle lookalikes are fraudulent
- You receive a WhatsApp or SMS message referencing your reservation details and asking you to click a link
- The payment verification page looks like booking.com but lacks the HTTPS padlock showing a valid booking.com certificate
- A pre-authorisation charge appears on your card from an unfamiliar company name after clicking the link
How to protect yourself
- Log in directly at booking.com to check any account or reservation alerts — never through email links
- Enable two-factor authentication on your Booking.com account under Account Security
- Be extra vigilant with reservation-related communications in the days before a planned stay
- If a property messages you through Booking.com requesting off-platform payment, report it to Booking.com immediately
- Use a virtual single-use card number for online travel bookings where your bank offers this feature
- Verify any pre-authorisation charge with your bank before approving
How to report it
- Report phishing impersonating Booking.com via the Help Centre at booking.com/content/cs.html
- Report compromised property accounts to Booking.com's partner support so other guests can be protected
- File a complaint with the FTC at reportfraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK)
- Contact your bank immediately if payment card details were entered on a fraudulent page
Frequently asked questions
How did the scammer know my Booking.com reservation details?
Most commonly, the property's Booking.com partner account was itself compromised, giving the attacker access to all guest details. This is why Booking.com itself warns guests to pay only through its platform and to be cautious of off-platform payment requests.
Does Booking.com ever send payment verification requests by email?
Booking.com sends payment reminders and booking confirmations, but genuine messages always direct you to log in to your account at booking.com — they do not ask you to re-enter card details through an email link.
What does Booking.com do when a property partner account is compromised?
Booking.com actively monitors for unusual activity in partner accounts and notifies affected guests when compromise is detected. If you receive a notification like this, update your own Booking.com password as a precaution.