Fake Hilton Honors Points Theft and Account-Verification Scam
Fraudsters impersonate Hilton to send fake Hilton Honors account-verification requests, stealing credentials and draining member points for fraudulent reward redemptions.
Part of: Fake Hotel Payment Verification Scams
Last reviewed: 7 June 2026
Hilton Honors is one of the most widely used hotel loyalty programmes globally. The substantial travel value held in mature Hilton Honors accounts — potentially representing hundreds of free nights at premium properties — makes them a target for credential-stealing campaigns similar to those affecting other major loyalty programmes.
Scammers send fake Hilton Honors notifications claiming that the member's account requires verification due to unusual activity, that a points bonus is available, or that the account has been flagged for security review. The communications use Hilton's blue branding and appear to come from Hilton, but arrive from non-Hilton email domains.
Because Hilton Honors points can be redeemed for hotel stays booked immediately online, a successful account takeover can result in the attacker spending all available points within minutes, before the real account holder notices.
How this scam works on the Hilton brand
Genuine Hilton Honors emails come from @hilton.com or @email.hilton.com and reference your full Hilton Honors member name and member number. They never ask you to verify your credentials by clicking an external link — any required verification is conducted within the Hilton Honors app or website.
The phishing email typically claims that 'unusual sign-in activity was detected on your Hilton Honors account' and that access has been temporarily limited. A 'Verify My Identity' button links to a convincing fake Hilton sign-in page. Once the attacker has the credentials, they log into the real Hilton.com, change the account recovery email, and begin redeeming points for hotel nights.
Some campaigns specifically target Hilton Diamond and Gold tier members, whose status and high point balances make the theft more profitable. Scammers purchase Hilton Honors member email lists from data broker leaks to target active members.
Common red flags
- Email arrives from a domain that is not @hilton.com or @email.hilton.com
- Message does not include your Hilton Honors member number
- A 'Verify Identity' link leads to a domain that is not hilton.com
- Unusual urgency around account access being 'limited' or 'suspended'
- A caller claiming to be from Hilton Honors asks for your full account password to verify your identity
- Points balance or recent transactions look different when you log in directly compared to what the email claims
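The sender-domain, member-number, link-domain and urgency checks from the list above can be applied mechanically to a raw message, as in this added example (not Hilton's code and not part of the original page). The function names, the sample message and the member number are constructed for illustration, and treating any subdomain of hilton.com as genuine is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sender domains the page lists as genuine.
GENUINE_SENDER_DOMAINS = {"hilton.com", "email.hilton.com"}
# Urgency wording the page names as a red flag.
URGENCY = re.compile(r"\b(limited|suspended)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def is_hilton_host(host):
    # Assumption: any subdomain of hilton.com counts as hilton.com.
    # Suffix match on ".hilton.com" rejects hilton.com.evil.example
    # and nothilton.com, which a plain substring test would accept.
    host = (host or "").lower().rstrip(".")
    return host == "hilton.com" or host.endswith(".hilton.com")


def red_flags(raw_message, member_number):
    """Return the red flags found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    flags = []
    sender = parseaddr(msg.get("From", ""))[1]
    domain = sender.rpartition("@")[2].lower()
    if domain not in GENUINE_SENDER_DOMAINS:
        flags.append("sender-domain:" + domain)
    if member_number not in body:
        flags.append("no-member-number")
    for url in URL.findall(body):
        # urlsplit drops any "user@" prefix, so hilton.com@host is caught.
        host = urlsplit(url).hostname
        if not is_hilton_host(host):
            flags.append("link-host:" + str(host))
    if URGENCY.search(body):
        flags.append("urgency-wording")
    return flags


# Constructed sample message; domains use the reserved .example TLD.
SAMPLE = """\
From: Hilton Honors <security@hilton.com.account-check.example>
Subject: Unusual sign-in activity

Access to your account has been temporarily limited.
Verify My Identity: https://hilton.com.account-check.example/signin?next=hilton.com
"""

if __name__ == "__main__":
    print("\n".join(red_flags(SAMPLE, member_number="123456789")))
```

The From header is trivially forged, so an empty result here does not prove a message is genuine; the SPF, DKIM and DMARC results recorded by the receiving mail server are the stronger signal.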
How to protect yourself
- Log in directly at hilton.com or via the Hilton Honors app to check your account status — never via a link in an unsolicited email
- Enable two-step verification on your Hilton Honors account in Account Settings
- Regularly check your Hilton Honors transaction history for any point redemptions you did not make
- Use a unique, strong password for your Hilton Honors account
- If you believe your account was accessed, contact Hilton Honors Customer Service at hilton.com/en/hilton-honors/customer-support/ immediately
How to report it
- Report phishing emails impersonating Hilton to Hilton Honors Customer Service at hilton.com
- Report to the FTC at reportfraud.ftc.gov or your national consumer protection authority
- If your account was compromised, contact Hilton immediately and request a points reversal for any fraudulent redemptions
- Change your Hilton Honors password, and the password on any other accounts sharing the same credentials
Frequently asked questions
How do I know if a Hilton Honors email is genuine?
Real Hilton Honors emails come from @hilton.com or @email.hilton.com and include your member name and member number. Log in directly at Hilton.com to check your account — do not use links in unexpected emails.
My Hilton Honors points disappeared. What should I do?
Contact Hilton Honors Customer Service immediately at hilton.com. Explain that unauthorised redemptions were made. Hilton will investigate and may be able to reverse fraudulent transactions. Also change your password and check for unauthorised changes to your account email.