Hotel Phishing
Messages posing as your hotel asking to 're-verify' card details, sometimes using real booking data.
Last reviewed: 1 June 2026
What this scam is
Hotel phishing is a targeted scam in which fraudsters impersonate a hotel you have already booked with, contacting you via email, SMS, or booking-platform chat to request that you 'verify' or 're-enter' your payment card details due to a supposed problem with your reservation.
What makes this scam particularly effective is that the messages often include genuine details from your booking — your name, the hotel's name, check-in dates, and a real-looking reservation reference. This creates an impression that the message must be legitimate, because how else would the sender know these details?
The answer is that booking-platform data breaches, compromised hotel management systems, and third-party data leaks have made it possible for fraudsters to obtain partial booking records for large numbers of guests. They use these real details to give their phishing messages a credibility that generic scam emails lack. Victims who would normally spot a suspicious link are thrown off guard because the context feels genuine.
How it works
After obtaining booking data — through a breached travel platform, a compromised hotel front-desk system, or leaked aggregator data — the scammer sends a message that appears to come from the hotel or the booking platform. The message describes a plausible problem: a card pre-authorisation that failed, a payment that needs to be updated, or a system that requires re-verification before check-in.
The message includes a link to a fake page styled to match the hotel's or platform's branding. This page asks you to enter your full card number, expiry date, CVV, and sometimes a one-time code from your banking app. Once submitted, the details are captured and typically used within minutes to make fraudulent purchases or withdrawals.
The messages are often timed strategically — sent a day or two before check-in when the booking feels urgent and guests are anxious about having everything in order. Some campaigns are sent in bulk to everyone in a leaked dataset regardless of check-in date, relying on a proportion of recipients having bookings current enough to find the message plausible.
Why this scam works
The inclusion of real booking details is the central reason this scam succeeds where generic phishing fails. When a message knows your name, your hotel, and your check-in dates, the normal heuristic of 'I didn't expect this message so it might be spam' no longer applies — you were expecting to hear from the hotel.
The emotional context reinforces urgency. A guest two days before a holiday does not want to risk their booking being cancelled over a payment issue. The scammer frames inaction as the risky choice, and clicking the link as the safe, responsible one.
Booking platforms' and hotels' increasing use of chat tools and messaging integrations also means guests are accustomed to receiving communications through multiple channels. A message via a booking app's chat feature feels especially plausible, and some scams occur precisely there when hotel accounts on booking platforms are compromised.
A typical pattern
A guest with a hotel booking receives a message via the booking platform's own chat system — sent from what appears to be the hotel's account — stating that a card pre-authorisation failed and the reservation will be released unless payment is updated within four hours. The message includes the correct check-in date and room type. The guest follows the link, enters their card details, and a short time later notices unauthorised transactions on their account. The hotel, when called, has no record of sending any such message.
Common red flags
- Urgent 'payment failed, re-verify now' message received out of the blue
- Link to a page whose domain is not the official hotel or booking platform domain
- Requests for full card number, CVV, or a one-time code from your banking app
- Threats to cancel your booking unless you act within a short window
- Message sent at an unusual hour or with unusual formatting for the platform
- Sender address or account handle differs slightly from the official one
- No option to resolve the supposed issue by calling the hotel directly
- The booking platform's own app shows no payment issue when you log in independently
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Your reservation [reference] will be cancelled unless you re-verify your card within 2 hours: [fake link].
Important: your card pre-authorisation for [hotel] on [dates] has failed. Please update your payment within 4 hours to keep your room: [fake link]
Hello [guest name], this is [hotel]. We require card verification before your arrival on [date]. Please complete at [fake link] — this takes under 2 minutes.
Security alert: an issue was detected with your payment for booking [reference]. Update your details to avoid cancellation: [fake link]
Common variations
- Messages sent via the booking platform's own chat system after the hotel's account is compromised
- Email phishing using the hotel's real branding and the guest's genuine reservation details
- SMS messages citing the booking reference and threatening immediate cancellation
- Pre-check-in 'welcome' emails embedding a fake payment-update link
- Post-stay 'security review' requests falsely claiming a card dispute needs resolution
How to verify before you act
If you receive any message asking you to re-verify payment details for a hotel booking, do not click the link. Instead, open the booking platform's official app or navigate directly to its website, and check your booking from there. If the platform shows no payment issue, the message is fraudulent.
Alternatively, call the hotel directly using a number you find on the hotel's own website or a trusted map listing — not any number in the message or confirmation email. Ask the front desk whether there is a payment issue with your reservation.
Legitimate hotels and booking platforms do not ask for your CVV or banking app codes via email or SMS links. If any message requests these, treat it as a scam regardless of how convincing the surrounding details appear.
Payment methods used
- Card details harvested
Who is usually targeted
- People with upcoming hotel stays
- Booking-platform users
What to do immediately
- Do not click any link in the message — open the booking platform's official app or website separately to check your booking status
- Call the hotel directly using a number from the hotel's official website to ask whether there is a genuine payment issue
- If you have already entered card details, call your bank's fraud line immediately and ask for the card to be blocked
- Inform the booking platform about the message via its official support channel — they need to investigate if their system was used
- Screenshot the message and the URL in the link (without clicking it) as evidence
- Monitor your bank and card statements for unauthorised transactions
How to prevent it
- Never click a link in an email, SMS, or chat message asking you to 're-verify' or re-enter card details for a hotel booking
- Remember that real booking details in a message do not prove it's genuine — breached data and compromised hotel accounts can supply them
- Check your booking status by opening the booking platform's official app or website directly, not via any link sent to you
- Call the hotel using a number from its own official website (or a trusted map listing) if you want to confirm a payment issue
- Treat any request for your CVV or a banking one-time code as an automatic red flag — legitimate hotels never ask for these via a link
- Be extra cautious of urgent messages received a day or two before check-in threatening cancellation within a short window
- Report suspicious messages to the booking platform's official support so compromised hotel accounts can be investigated
- Monitor your bank and card statements after any upcoming stay for unexpected charges
Evidence to preserve
- The full original message including sender details or account handle
- The URL embedded in the link (copy it without clicking)
- Your genuine booking confirmation for comparison
- Screenshots of any fake pages you may have seen
- Bank or card statements showing any resulting transactions
- Records of your contact with the hotel and platform to report the issue
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How can the message know my real booking details?
Scammers exploit breached booking-platform data or compromised hotel accounts. Real reservation details in a message do not prove it's genuine — always verify through the official app or phone number.
What if the message came through the booking platform's own chat?
Hotel accounts on booking platforms can be compromised. A message arriving via the platform's chat is not automatically legitimate. Log into your account independently and check whether any payment issue is shown there.
Can I tell if a link is fake before clicking it?
On a computer, hover over the link to see the URL without clicking. On a phone, press and hold the link to preview the address. If the domain is not the official hotel or platform domain, do not proceed.
What should I do if I already entered my card details?
Call your bank's fraud line immediately. Ask for the card to be blocked and for any recent suspicious transactions to be investigated. Report the incident to the booking platform and to your national fraud reporting service.
Do legitimate hotels ever contact guests about payment issues?
Genuine hotels occasionally contact guests about payment matters, but they do so through the booking platform's official messaging system or by phone, and they never ask for your CVV or banking app codes via a link.
How do I report a compromised hotel account on a booking platform?
Contact the booking platform's official support and explain that you received a suspicious message from a hotel's account. Most platforms have fraud teams that investigate and suspend compromised accounts promptly.