Hotel Phishing Scams via Email
How scammers send fake hotel booking confirmation and payment-update emails to harvest card details from travellers who believe they are managing a real reservation.
Part of: Hotel Phishing
Last reviewed: 8 June 2026
Hotel phishing emails are timed to coincide with genuine travel bookings. An email arrives appearing to be from a hotel, a major booking platform, or a travel agency, asking the recipient to confirm payment details, re-enter card information for a pending reservation, or pay a balance before arrival. The email looks convincingly authentic because scammers replicate brand assets and reference booking details obtained from data breaches or through compromised hotel booking systems.
Travellers who are actively planning or about to depart are particularly vulnerable, because receiving a booking-related email feels expected and appropriate. Victims enter payment details on a convincing replica page, often discovering the fraud only when their real card is subsequently misused.
How this scam works on email
The email may reference a real booking confirmation number — if obtained through a breached booking platform — or use generic language that feels applicable to any recent booking. A link leads to a payment page that replicates a genuine hotel or OTA portal. Card details entered are captured immediately.
A variant uses compromised hotel accounts on platforms like Booking.com to send genuine-seeming messages directly through the platform's messaging system, lending the message substantial apparent legitimacy. The link provided still leads to an external phishing page.
Common red flags
- Email asks you to re-enter payment details for a confirmed booking
- Link leads to a domain that differs from the hotel's or platform's official website
- Request arrives shortly before a check-in date, creating urgency to act before travel
- Email references a booking but the amount requested differs from the original reservation total
- Payment page does not display the full hotel URL or has an unusual SSL certificate
How to protect yourself
- Manage all booking payments and updates only through the official OTA app or by typing the hotel website URL directly
- Never click payment links in booking-related emails — log into your account to verify any required action
- Contact the hotel directly on their publicly listed phone number if you receive an unexpected payment request
- Use a credit card for hotel bookings to retain chargeback rights
- Check your booking platform app directly to see if any message or payment request is visible there
How to report it
- Report the phishing email to the hotel or booking platform it impersonates
- Report to the FTC at reportfraud.ftc.gov (US) or Action Fraud (UK)
- If card details were entered, contact your bank immediately
Frequently asked questions
Is it normal for a hotel to email asking for payment details after a booking is confirmed?
Rarely, and only in specific circumstances such as a pre-authorisation. If you receive such a request, call the hotel on the number you can independently verify to confirm it is genuine before providing any details.