The Booking.com scam crisis – how a simple message revealed a sophisticated fraud

I was preparing for a long‑awaited weekend in Vilnius when my phone vibrated. The WhatsApp message came from someone calling herself Emma Larsen, claiming to be the reservation manager at the hotel I had booked through Booking.com.

She knew my name, my travel dates, and the exact reservation number. Her tone was urgent: there had been a problem with my payment, and I needed to re‑verify my card details to secure the booking.

A friendly link promised that the process would be “quick and completely safe” and warned that if I didn’t respond within 24 hours, my booking would be cancelled – a textbook tactic designed to panic travellers.

Something felt off, so I called the hotel directly. They knew nothing about any payment problem. And I wasn’t alone – Reddit threads are full of people getting the same message from the same “Emma Larsen,” and the scams span continents.

What began as a nuisance turned into my research. Reading reports and looking through news articles revealed that my experience is part of a far‑reaching phishing campaign dubbed “I Paid Twice.” This operation exploits compromised hotel accounts on platforms like Booking.com and targets both hotel staff and guests with a mix of malware, social engineering, and insider data.

How the scam works

Researchers at the French threat‑intelligence firm Sekoia uncovered that criminals first compromise hotel systems by sending spear‑phishing emails from a legitimate or spoofed hotel address. These emails typically pretend to be new reservation requests or guest messages and contain links to malicious websites.

Victims who click are taken through a ClickFix social‑engineering chain, where they are asked to copy and paste a command into their computer’s Run box. Doing so downloads the PureRAT remote‑access Trojan, giving attackers control over the machine.

Stolen credentials for Booking.com, Expedia, and other booking platforms are then sold on cybercrime forums or used to log in as the hotel and contact guests. A post from the Sekoia report described one actor advertising Booking.com logs for anywhere between US$30 and US$5,000, depending on the number of reservations and the hotel’s tier.

Once attackers have access to a hotel’s extranet account, they exploit trust. Guests receive messages via the Booking.com app, email, or WhatsApp that include reservation details such as the guest’s name, booking reference, and stay dates.

The message claims there’s a problem with payment verification and asks the guest to click a link to update their banking details. The link leads to a fake Booking.com page that closely mimics the real site.

Visitors are pressured to act quickly or risk cancellation. The Hacker News summarised the tactic succinctly: attackers use compromised accounts to send messages instructing guests to confirm their card details “in order to prevent their bookings from being canceled”. Then, unsuspecting users who oblige have their payment information stolen.

A global campaign

The scope of this phishing campaign is overwhelming. Microsoft’s security team noticed a wave of attacks impersonating Booking.com in December 2024, ramping up before busy travel periods and continuing into February 2025.

These campaigns targeted hospitality organisations across North America, Europe, Oceania, and Asia and used the same ClickFix tactic to deliver multiple families of credential‑stealing malware. Action Fraud – the UK’s national fraud reporting centre – recorded 532 reports of travellers being scammed between June 2023 and September 2024, with victims losing a total of £370,000.

Adam Mercer, deputy head of Action Fraud, urged anyone booking holidays to be wary of unexpected requests for bank details and to contact Booking.com or the hotel directly if they’re unsure.

Consumer organisations are also sounding the alarm. A survey by the watchdog Which? found that almost one in ten Booking.com customers has received a scam message through the platform’s messaging system. Which? is calling on the UK telecoms regulator Ofcom to investigate whether Booking.com is doing enough to remove illegal content and protect users.

Many travellers share stories of being asked to transfer money to secure bookings or stumbling across fake listings with stolen photos and manipulated reviews.

Euronews highlighted how easy it is for fraudsters to list properties: consumer advocates listed a fake holiday home on Booking.com in minutes without showing proof of identity. Travellers sometimes arrive to find that the property doesn’t exist, leaving them scrambling for accommodation and unable to secure refunds.

The hospitality industry is feeling the pain too. Sekoia’s analysts observed that criminals are selling stolen extranet credentials and even advertising “traffer” teams to distribute malware. Infosecurity Magazine noted that these credentials fetched US$5 to US$5,000 and that one seller claimed to have made over US$20 million.

Cybercriminals treat this as a scalable business. It looks like a highly organised cybercrime market trading Booking.com logs, phishing kits, and log‑checker tools. The criminals’ professionalism mirrors what we see in other malware‑as‑a‑service ecosystems.

What Booking.com says and does

When asked about the scam wave, Booking.com told The Guardian that there is an “increasing number of online scams targeting many businesses in the eCommerce space”. However, they emphasise that incidents on its platform are rare and that the company continues to invest in cybersecurity.

Official guidance from Booking.com’s partner portal stresses that the company will never make urgent requests without prior communication and warns partners to watch for urgent language, spelling errors, and suspicious email addresses.

The site lists legitimate Booking.com email domains and instructs partners to hover over links to check the destination before clicking.

If partners suspect phishing, they should reset their passwords, scan their devices, and report the incident within 24 hours. The company also advises guests to check payment policies in their confirmation emails and to be wary of any request for advance payment that contradicts the original booking.

How to protect yourself

As travellers, we can take practical steps to stay safe and avoid phishing traps:

1. Don’t trust urgent payment requests. Phishing messages create a false sense of urgency – threats of cancellation, countdown timers, and warnings that your booking is at risk. Legitimate companies won’t ask for immediate payment by email or WhatsApp.
2. Verify directly with the hotel or platform. If you receive an unexpected message, contact the property or Booking.com through the official app or phone number listed on the website. Never use the contact details provided in the suspicious message.
3. Check payment policies. Booking.com advises guests to cross‑check the property’s payment policy in the booking confirmation. If there is no pre‑payment requirement yet someone asks you to pay in advance, it’s likely a scam.
4. Examine email addresses and links. Scam emails often have subtle misspellings or come from domains that look similar to Booking.com. Hover over links to see the real URL and ensure it ends in .booking.com. On a smartphone, long‑press the link to preview the destination.
5. Use multi‑factor authentication and strong passwords. Microsoft and other security experts recommend enabling two‑factor authentication on all accounts. Reset your Booking.com password if you suspect your account has been exposed.
6. Report suspicious messages. Forward fraudulent emails to [email protected] (in the UK) and report fraudulent texts to 7726. Within Booking.com’s extranet, use the security reporting tools to flag incidents.
7. Pay with credit cards and consider travel insurance. Credit cards often offer better fraud protection than debit cards. Mastercard warned that travel scams rose 12% in 2024, with fraud jumping up to 28% in popular destinations during peak seasons. Travel insurance with fraud coverage can also help recover lost funds.
8. Read recent reviews and be sceptical of too‑good‑to‑be‑true listings. Which? investigators found it easy to create fake listings on Booking.com, and travellers have arrived at non‑existent properties. Switch review filters to “newest” to see if recent guests warn that a listing is a con.

Where we go from here

The “I Paid Twice” scam isn’t just a one-off trick – it shows bigger security gaps in the travel-booking world. Scammers are getting more organized, selling access to hacked systems and using trusted platforms to reach travelers.

In my view, booking platforms need stronger partner verification, better malware detection, and faster reporting systems for users. And travelers need to stay cautious – that small moment of doubt can stop a scam before it starts.

Travel should feel exciting, not stressful. The more we talk about these scams, the harder we make it for fraudsters to succeed – and the easier it is to enjoy the trip ahead.