Fake Hotel Payment Verification Scams
Messages demanding card 're-verification' to 'secure' a booking, capturing full card details.
Last reviewed: 1 June 2026
What this scam is
Fake hotel payment verification scams are a specific and targeted form of hospitality fraud in which a guest with an upcoming hotel reservation receives a message stating that a mandatory 'payment verification' or 'card pre-authorisation' step is required to secure the room. The message typically includes authentic-looking booking details and creates urgency by threatening cancellation if the step is not completed within a short window.
Unlike broader hotel phishing, which may harvest details for general fraud, this scam is precisely aimed at capturing the full card data needed to commit card-not-present fraud: card number, expiry date, CVV, and sometimes a one-time code from the guest's banking app. The framing — that verification is a routine required step — makes the request seem procedurally legitimate rather than suspicious.
The scam is notable for the specificity of what it demands. CVV codes and one-time banking codes are never required by a hotel or booking platform to hold a reservation. Any message requesting these through a link should be treated as fraudulent regardless of the surrounding context.
How it works
The scam typically originates from one of two sources: a compromised hotel account on a booking platform, or fraudsters who have obtained booking data through a data breach or dark-web purchase. Armed with the guest's name, reservation reference, hotel name, and check-in date, the fraudster composes a message that appears to come from the hotel or the booking platform.
The message describes a routine-sounding administrative issue: a card pre-authorisation that failed to process, a system update requiring card re-entry, or a property-specific security policy requiring verification before check-in. The tone is professional and the language mirrors legitimate communications from hotel and travel brands.
The embedded link leads to a fake webpage styled in the hotel's or platform's branding. The page asks the guest to enter their full card number, expiry, CVV, and in some cases a one-time code generated by their banking app — framed as needed to 'confirm authorisation'. Once submitted, the details are captured and used within minutes or hours to make fraudulent purchases or cash advances before the guest realises what has happened.
Why this scam works
This scam succeeds because it inserts itself into a legitimate communication relationship that the guest expects to exist. Guests know their hotel may contact them before a stay, and they expect the booking platform to handle payment matters. A message that aligns with this expectation faces far less scepticism than an unsolicited contact.
The request for a 'pre-authorisation' sounds credible because hotels do legitimately pre-authorise cards on arrival. Framing the same step as something that can be done remotely in advance makes the process seem merely more efficient. Guests who want everything sorted before travel may be particularly receptive to completing an apparent pre-check-in step.
The urgency framing — 'complete within 4 hours or the reservation will be released' — short-circuits deliberate thinking. The guest's focus shifts to completing the task before the deadline, not to evaluating whether the task is legitimate.
A typical pattern
A guest with a hotel stay in three days receives an email that appears to come from the hotel, includes the correct reservation reference and room type, and states that a new property policy requires card pre-authorisation to be completed online before check-in. The email includes a link to a page with the hotel's branding. The guest enters their card details and the one-time code their bank sends. Within two hours, their card is used for online purchases they did not make.
Common red flags
- Any message asking you to enter your full card number, expiry, and CVV via a link
- Request for a one-time code from your banking app to 'authorise' a hotel booking
- Urgency framing — the booking will be cancelled unless you act within a short window
- Link that does not go to the official hotel domain or booking platform domain
- Message arrives out of the blue, not in response to any action you took
- Sender email address or account handle that differs slightly from the genuine one
- The booking platform app or website shows no outstanding action when checked independently
- Hotel can confirm no payment action is required when called directly
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Action required: verify your card (number, expiry, CVV) to secure reservation [reference] or it will be released.
Important pre-arrival notice: our system requires card pre-authorisation before check-in. Please complete at [fake link] within 4 hours.
We were unable to process the hold on your card for [hotel] booking [reference]. Please re-enter your payment details at [fake link] to avoid cancellation.
Security verification required: confirm your payment card for reservation [reference]. This takes under 2 minutes: [fake link]
Common variations
- Pre-arrival 'security policy' emails requiring card re-entry with CVV
- Booking-platform chat messages from compromised hotel accounts requesting card verification
- SMS messages with urgent cancellation threats and a link to a 'verification' page
- Post-booking 'payment confirmation' emails that capture full card details on a fake form
- 'Card declined' notices sent to guests whose cards were fine, to prompt re-entry
How to verify before you act
If you receive any message asking you to enter card details via a link to secure or verify a hotel booking, do not use the link. Instead, log into the booking platform's official app or website directly and check whether any action is required in your account. If none is shown, the message is fraudulent.
Alternatively, call the hotel directly using a phone number found on the hotel's own website. Ask the front desk whether any payment verification is required before your arrival and whether they sent you a message.
Remember: legitimate hotels and platforms never ask for your CVV or your banking app's one-time codes through email or SMS links. This combination of requests — card number, expiry, CVV, and a banking code — represents the full data set needed for card fraud, not a routine hotel verification step.
Payment methods used
- Card details harvested including CVV and banking codes
Who is usually targeted
- Guests with upcoming hotel stays
- Travellers who pre-check-in steps are normal to
What to do immediately
- Do not complete any card entry via the link in the message
- Log into the booking platform app or website independently to verify whether any action is required
- Call the hotel directly — using a number from its official website — to confirm the message is fraudulent
- If you have already entered your card details, call your bank's fraud line immediately to block the card
- Report the message to the booking platform's fraud or security team
- Screenshot the message and the URL in the link for evidence before the site is taken down
- File a report with your national fraud reporting authority
How to prevent it
- Never enter your CVV or a banking one-time code on a page reached via a link in an email, SMS, or chat message
- Remember hotels only pre-authorise cards in person at check-in, never remotely via an emailed link beforehand
- Log into the booking platform's app or website directly to check whether any action is genuinely required on your account
- Call the hotel using a number from its own official website if you want to confirm whether verification is really needed
- Treat urgency framing — 'complete within 4 hours or lose your room' — as a signal to slow down and verify independently, not comply faster
- Check that any link goes to the actual hotel or booking-platform domain, not a look-alike
- Be alert around the days just before check-in, when these messages are most commonly timed to arrive
- Report suspicious messages to the booking platform even if you didn't click the link, so compromised accounts can be found
Evidence to preserve
- The original message with sender details or account handle
- The URL in the link (copied without clicking)
- Your genuine booking confirmation for comparison
- Screenshots of the fake verification page if you saw it
- Bank statements showing any resulting fraudulent transactions
- Records of your contact with the hotel and platform to report the incident
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Do hotels ever need my CVV by message?
Legitimate hotels and platforms don't ask for your CVV or banking one-time codes via email or SMS links. Any such request is a scam — verify directly through the official app or phone number.
What is a card pre-authorisation and is it ever legitimate?
Hotels do pre-authorise cards to cover incidentals, but this is done at check-in using the card you present in person. They do not pre-authorise cards remotely via email links before your arrival, and they never need your CVV in writing.
Why does the message know my booking reference?
Booking references can be obtained through compromised hotel accounts on booking platforms, data breaches, or dark-web data sales. Knowing your reference does not make the message legitimate.
What if I entered my card details but no money has been taken yet?
Contact your bank immediately to block the card. Fraudsters may not use the details at once, and proactive blocking can prevent loss even if no transaction has occurred yet.
How can I tell if the booking platform app shows a genuine alert or a fake one?
Open the platform app by typing its address directly or using a trusted app installation — never follow a link in a message. If no alert appears in your account when you log in independently, the message was fraudulent.
Should I report this even if I didn't lose any money?
Yes. Reporting helps platforms identify compromised hotel accounts, helps fraud authorities track patterns, and may protect other guests. Report to the booking platform and your national fraud authority even if you did not click the link.