Fake Booking.com Cancellation Refund Scam
Scammers impersonate Booking.com with fake cancellation confirmation and refund notices, directing victims to phishing pages where login credentials and payment details are harvested.
Part of: Fake Cancellation & Refund Scams
Last reviewed: 8 June 2026
Booking.com's free cancellation policy on many properties means that travellers regularly receive legitimate cancellation and refund communications from the platform. Scammers exploit this familiarity by sending fake cancellation notifications that appear genuine — particularly effective when timed around the cancellation windows of real upcoming trips.
The fraudulent messages claim a recent booking has been cancelled (sometimes by the hotel, sometimes framed as an error), and that a refund is being processed. To receive the refund promptly, the victim must click a link and confirm their payment method — a step that does not exist in Booking.com's real refund workflow.
Booking.com refunds for cancelled bookings are processed automatically to the original payment method. No separate confirmation link, re-entry of card details, or payment method verification is ever required for a refund Booking.com has already initiated.
How this scam works on the Booking.com brand
The phishing email replicates Booking.com's blue colour scheme and includes a plausible-looking booking reference number, the property name, and travel dates. The subject reads: 'Your booking at [hotel name] has been cancelled — here is how to receive your refund.'
A 'Confirm Refund Details' button leads to a fake Booking.com sign-in page. After the victim logs in, a second page shows a form requesting the card number, expiry date, and CVV 'for processing the refund by direct credit'.
A parallel variant targets property owners on Booking.com's extranet: scammers send messages to hosts claiming a guest has initiated a cancellation dispute and that the host must log in via a link to 'respond before the refund is issued', harvesting host account credentials and payment details.
Common red flags
- Email arrives from a domain other than '@booking.com'
- You are asked to re-enter card details to receive a refund for a booking you made
- The cancellation references a booking you did not make, or a property name that does not match your real reservations
- No matching cancellation notice appears in your Booking.com account or the app
- The 'Confirm Refund' link URL is not booking.com when inspected
- Urgency language states the refund will be forfeited if not confirmed within hours
How to protect yourself
- Log in directly to the Booking.com app or at booking.com to check your real bookings and any genuine cancellation notices
- Booking.com refunds are processed automatically to your original card — no re-entry of card details is ever required
- Enable two-factor authentication on your Booking.com account in security settings
- If you entered credentials on a suspicious page, change your Booking.com password immediately and review saved payment methods
- Contact Booking.com customer service via the app if you have questions about a real booking or cancellation
- If card details were entered, alert your card issuer immediately
How to report it
- Report phishing emails to Booking.com at [email protected]
- File a complaint with the FTC at reportfraud.ftc.gov
- Contact your card issuer if payment details were compromised
- File with the IC3 at ic3.gov if financial loss occurred
Frequently asked questions
What does a real Booking.com cancellation email look like?
Real Booking.com cancellations arrive from '@booking.com' addresses, reference your actual booking number, and confirm the refund will be processed automatically. They do not include a link to re-enter payment details.
How long do real Booking.com refunds take?
Most Booking.com refunds are processed within 7-10 business days to the original payment method, depending on the bank. No action is required from the customer.
What if a cancellation email references a booking I did not make?
This is a sign of a phishing attempt. Do not click any links. Log in to your account at booking.com directly to confirm there is no unauthorised booking, and report to Booking.com's security team.