Focused guide

Fake Booking.com Hotel Payment-Verification Phishing

Scammers hack hotel accounts on Booking.com or send spoofed messages asking guests to re-enter payment details through a fake verification link, redirecting card payments to the fraudster.

Part of: Fake Hotel Payment Verification Scams

Last reviewed: 7 June 2026

Booking.com is one of the world's largest online travel agencies, used by hundreds of millions of travellers each year. A persistent and sophisticated fraud exploits the communication channel between Booking.com, hotels, and guests: after a genuine booking is made, scammers intercept or impersonate the follow-up communication to redirect payment.

In the most technically sophisticated variant, criminals compromise the Booking.com property accounts of smaller hotels or guesthouses. Using those legitimate accounts, they send messages to actual guests through Booking.com's official messaging system — messages that appear in the guest's real Booking.com inbox. These messages claim there is a payment verification issue and provide a link to 're-confirm' card details.

Because the message arrives inside the genuine Booking.com platform, guests have no obvious reason to distrust it. Yet the link leads outside Booking.com to a spoofed payment page, and any card details entered go directly to the attacker.

How this scam works on the Booking.com brand

Booking.com's legitimate process does not require guests to re-enter payment details after a booking is confirmed. Card details provided at the time of booking are securely stored by Booking.com. If a hotel needs a card authorisation, it is typically handled at check-in through Booking.com's Virtual Credit Card system — not by asking guests to click a link before arrival.

The compromise typically follows this sequence: a criminal gains access to a hotel's Booking.com extranet account (often through phishing the hotel's staff), then uses the messaging system to send payment-verification requests to recently booked guests. Some variants also arrive as emails sent directly to guests, using the Booking.com logo and styling but from a non-Booking.com domain.

Guests who enter their card details on the fake payment page may find their card charged immediately, or the details stored for future fraud. Because the hotel's legitimate account was used, guests may not realise what happened until they arrive at the hotel and find no payment was received by the property.

Common red flags

A message from a property asking you to click a link to re-confirm or verify payment after your booking is already confirmed
The link in the message leads to a domain that is not booking.com
Urgency: 'Your booking will be cancelled if you do not verify within 24 hours'
The message asks you to call a number and provide card details over the phone
Your Booking.com app or website inbox shows the message but the link takes you outside the Booking.com environment
The property's communication style or language changes abruptly from an earlier exchange

How to protect yourself

Never click links in Booking.com messages that ask you to re-enter payment details — Booking.com does not require this after a completed booking
If you receive such a message, contact the property directly using the phone number or contact details on Booking.com (not any number in the suspicious message) to verify
Contact Booking.com Customer Service at booking.com/service-settings.html if you suspect your booking communication has been compromised
Check that any link you are asked to click is a subdomain of booking.com before entering any details
Use Booking.com's in-app messaging system rather than replying to emails where possible — messages in the app are more verifiable

How to report it

Report the suspicious message using the 'Report' function inside the Booking.com inbox
Contact Booking.com Customer Service directly via the Help section at booking.com to report the fraud
Report to your national cybercrime authority: IC3.gov (US), Action Fraud (UK), or ACCC Scamwatch (Australia)
If card details were captured, contact your card issuer immediately to cancel the card and dispute any charges

Frequently asked questions

Can I trust a message that arrives inside my Booking.com inbox?

Generally yes, but scammers have found ways to compromise hotel accounts and send messages through the legitimate platform. Always be suspicious of any request to click an external link to re-enter payment details, regardless of where the message appears.

The hotel said my payment failed and I need to re-enter card details. Is this normal?

Booking.com's system does not typically require guests to re-enter payment details after confirmation. Contact the property directly using the number on their Booking.com profile page — not any number in the message — to verify this is a genuine request from the hotel.

What should I do if I already entered my card details on the link?

Contact your bank immediately to report the card as potentially compromised and ask for a new card to be issued. Dispute any unauthorised charges. Then report to Booking.com Customer Service.

How this scam works on the Booking.com brand

Common red flags

A message from a property asking you to click a link to re-confirm or verify payment after your booking is already confirmed

The link in the message leads to a domain that is not booking.com

Urgency: 'Your booking will be cancelled if you do not verify within 24 hours'

The message asks you to call a number and provide card details over the phone

Your Booking.com app or website inbox shows the message but the link takes you outside the Booking.com environment

The property's communication style or language changes abruptly from an earlier exchange

How to protect yourself

Never click links in Booking.com messages that ask you to re-enter payment details — Booking.com does not require this after a completed booking

If you receive such a message, contact the property directly using the phone number or contact details on Booking.com (not any number in the suspicious message) to verify

Contact Booking.com Customer Service at booking.com/service-settings.html if you suspect your booking communication has been compromised

Check that any link you are asked to click is a subdomain of booking.com before entering any details

Use Booking.com's in-app messaging system rather than replying to emails where possible — messages in the app are more verifiable

How to report it

Report the suspicious message using the 'Report' function inside the Booking.com inbox

Contact Booking.com Customer Service directly via the Help section at booking.com to report the fraud

Report to your national cybercrime authority: IC3.gov (US), Action Fraud (UK), or ACCC Scamwatch (Australia)

If card details were captured, contact your card issuer immediately to cancel the card and dispute any charges

Frequently asked questions

Can I trust a message that arrives inside my Booking.com inbox?

The hotel said my payment failed and I need to re-enter card details. Is this normal?

What should I do if I already entered my card details on the link?

Contact your bank immediately to report the card as potentially compromised and ask for a new card to be issued. Dispute any unauthorised charges. Then report to Booking.com Customer Service.