Phishing · Active · 2024-2026 · Travel fraud

Got a payment-problem message about your hotel booking? Here's what it is.

In a nutshell
  • You booked a hotel through a legitimate platform. The booking is real. Your name, dates, and reference number are stored in the property's account.
  • Attackers compromised the hotel's management account and can now message you through the platform's own genuine messaging system.
  • The message looks real because it is real - it arrived through the actual platform. Your booking details are correct because they were stolen from the hotel's account.
  • The link in the message does not go to the booking platform. It goes to a card-harvesting page.
  • If you entered card details: call your bank now and cancel the card.

Our verdict

This is a scam. No booking platform will send you a payment link through a message and threaten cancellation within hours. If your card was charged at booking, there is no reason to re-verify it. The urgency and the link are the two tells.


Does this sound familiar?

Your hotel booking was confirmed weeks ago. Then a message arrived - through the platform's own messaging, or by email, or on WhatsApp - from what appeared to be the property. It quoted your real check-in dates, your real name, possibly your room type. It said a payment problem had come up and your booking would be cancelled within 24 hours unless you verified your card through a link.

Below are reconstructed examples of what these messages look like. The exact wording varies - the platform imitated changes - but the structure is always the same. (Illustrations of typical message formats, not real screenshots. Names and references are fictional.)

Booking Platform - Messages (from the property)

  The Grand Venezia Hotel, via booking platform messaging

  Dear J. Morrison,

  Re: Booking BDC-4829-K7 · Jun 15-18

  Our payment processor flagged an issue with the card on file for your reservation. Please re-verify your payment details within 24 hours to avoid automatic cancellation.

  ⚠ Action required to keep your booking
  [Verify payment details →]

  Today 09:14

Arrives through the platform's genuine messaging channel - the same one used for real check-in instructions and welcome notes.

The link in the message is the tell

  • Legitimate platform: booking.com/mytrips/verify
    Exact platform domain, HTTPS, no extra words
  • Scam link: booking-verify-payment[.]com/secure/pay?ref=BDC-4829
    Different domain entirely - designed to look official at a glance
  • Another scam variant: hotel-secure-payment[.]net/confirm/BDC4829K7
    Includes your real booking reference to look legitimate

The booking reference in the link is real - copied from your stolen booking data. Check the domain before the first slash. Everything after the domain is designed to distract you.

Some variants arrive on WhatsApp rather than the platform itself. The hotel's name and your booking dates are correct - both taken from the compromised property account.

The impersonated platforms vary: Booking.com, Airbnb, Hotels.com, Expedia, and smaller regional booking sites have all been used. What doesn't vary is the mechanism: real booking details, fake urgency, link to a card-harvesting page.


How it works

This scam runs in four phases. The reason it's convincing is that phases one and two happen before you're involved at all. (Interface illustrations below reconstruct the typical appearance of these systems.)

1. Your real booking is in the system

You make a legitimate reservation on a travel booking platform. The platform processes your payment and sends a confirmation. Your name, check-in dates, room type, booking reference, and contact details are stored in the property's account on the platform's management portal.

  Booking Confirmed
  Property: The Grand Venezia Hotel
  Dates: Jun 15-18
  Ref: BDC-4829-K7
  Guest: J. Morrison

All this data is now accessible to anyone who gains access to the hotel's management account.

2. The hotel's account is compromised

Attackers target hotel and property managers with phishing emails or credential stuffing. When they gain access to the property's management portal, they can read every upcoming guest booking - including yours. The booking platform itself is not compromised; the hotel's account credentials are.

  Property account accessed
  Attacker can now read all upcoming reservations:
  • Guest name
  • Check-in dates
  • Booking reference
  • Email address
  • Room type
  Can now message guests as the hotel

💡 The hotel is also a victim. Its credentials were stolen before you were ever contacted.

3. The urgent payment message arrives

Using the hotel's compromised account, the attacker sends a message through the platform's genuine guest messaging system - the same channel the property normally uses for welcome notes and check-in details. The message cites your real booking reference and sets a deadline, typically 12-24 hours, threatening cancellation.

  The Grand Venezia Hotel
  ⚠ Payment verification required for booking BDC-4829-K7 (Jun 15-18). Please verify your payment details within 24 hours or your reservation will be cancelled.

Sent through the real platform's messaging - where you'd expect a hotel to contact you.

The deadline is artificial. Real payment issues don't work this way. It exists to prevent you from pausing to verify.

4. A fake payment page harvests your card

The link bypasses the real booking platform and opens a cloned payment page. The domain looks plausible at a glance - often incorporating the platform's name - but it is not the real site. Card number, expiry, and CVV entered there go to the attacker. Some victims are then charged immediately; others have their card details sold on criminal marketplaces.

  booking-verify-payment[.]com/secure/pay?ref=BDC-4829
  Complete Payment Verification
  Card number: •••• •••• •••• ____
  Expiry date: __ / __
  CVV / security code: ___
  [Confirm and secure booking]

Not the real booking platform. Domain is fake. Details entered here go to the attacker, not the hotel or platform.

The key facts
  • Booking platforms do not send payment links through guest messages and threaten cancellation within hours.
  • If your card was charged at booking, there is no payment problem. The platform already has your payment.
  • Correct booking details in the message don't prove it's real - they were taken from the hotel's account.
  • Any link outside the official platform domain is suspect. Check the domain before anything else.
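
The domain check described above ("check the domain before the first slash"), written out as an added example that is not part of the original guide. It extracts the host from a link and accepts it only if it is the official domain or a subdomain of it; the allow-list and the two constructed sample links are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the set of official domains for the platform you booked with.
# booking.com is the example the page uses; extend it for other platforms.
OFFICIAL_DOMAINS = {"booking.com"}

def link_host(url: str) -> str:
    """Return the lowercase hostname of a link: the part before the first slash."""
    # Undo defanging ("[.]", "hxxp") so the URL parses.
    url = url.strip().replace("[.]", ".").replace("hxxp", "http")
    # Links in messages often omit the scheme; add one so urlsplit finds the host.
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", url):
        url = "https://" + url
    # .hostname drops any userinfo and port and lowercases the result.
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")

def is_official(url: str, official=OFFICIAL_DOMAINS) -> bool:
    """True only if the host is an official domain or a subdomain of one."""
    host = link_host(url)
    return any(host == d or host.endswith("." + d) for d in official)

# Links from the page's illustrations plus two constructed cases.
SAMPLE_LINKS = [
    "booking.com/mytrips/verify",
    "booking-verify-payment[.]com/secure/pay?ref=BDC-4829",
    "hotel-secure-payment[.]net/confirm/BDC4829K7",
    "https://secure.booking.com/mytrips",                  # constructed subdomain
    "https://booking.com.hotel-secure-payment[.]net/pay",  # constructed: name as prefix
]

def triage(links=SAMPLE_LINKS):
    """Map each link to (host, verdict)."""
    return {u: (link_host(u), "official" if is_official(u) else "suspect")
            for u in links}

if __name__ == "__main__":
    for link, (host, verdict) in triage().items():
        print(f"{verdict:8}  {host:40}  {link}")
```

The comparison is on the whole host, so a platform name that appears inside a longer, different domain does not pass, and the real booking reference in the path has no effect on the verdict.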

Red flags to catch it early

None of these alone is proof. Several together means don't click anything until you've verified through the platform's official app or website directly.

A tight deadline: 12 or 24 hours

Real payment issues don't come with arbitrary cancellation deadlines. The time pressure exists to stop you from pausing to verify.

A link to re-enter your card details

Booking platforms already have your payment method on file. Any message asking you to re-enter it through a link is suspicious by design.

"Click here to verify your payment and secure your reservation"

The link domain isn't the booking platform

Check everything before the first slash. booking-verify-payment[.]com is not booking.com. Real platform links always use the platform's own domain.

Your booking details are correct - and that's being used to disarm you

Victims trust the message precisely because the dates and name are right. Those details came from the hotel's compromised account. Accuracy is not authenticity here.

Request for your full card number, not just confirmation

A genuine platform would at most ask you to confirm the card already on file. A fake page needs your full number, expiry, and CVV to commit fraud.

The message arrives via WhatsApp or email, not the platform's secure inbox

Some variants skip the platform entirely and contact you off-platform. If a "hotel" you booked through an app reaches you on WhatsApp with a payment link, treat it as suspect.


Already entered your card details?

If you submitted details on a suspicious page

Act on the card first. Document second. Report third.

Speed matters. Fraudulent charges often appear within hours of card details being submitted.

1. Call your bank immediately and cancel the card. Report that you entered your card details on a suspected phishing page. Ask them to freeze the card and dispute any unauthorized charges. UK banks have strong mandatory reimbursement rules for fraud; US banks vary by card type but start the dispute now.
2. Check your booking through the platform's official app. Log in to the booking platform directly - not through any link in the message. Check whether your reservation is actually active. In most cases it is fine. Contact the platform's official customer support if you see anything unusual.
3. Screenshot the message and the link. Capture the full message text, the URL you were sent to, and any transaction confirmation. Essential for your bank dispute and for any fraud report.
4. Report the scam message directly to the booking platform. Most platforms have an in-app reporting option. Reporting helps them identify and lock the compromised hotel account so future guests aren't targeted. Do this through the official app - not by replying to the suspicious message.
5. Report to the appropriate fraud authority. See the reporting section below. UK victims should report to Action Fraud; US victims to the FTC. Your report helps investigators track these operations and warn others.
6. Ignore any follow-up offer to "recover" your money. People who've been defrauded are quickly targeted again by a money recovery scam - a second fraud that charges an upfront fee to retrieve funds. No legitimate agency or service works this way.

Where to report it

Also report to the booking platform directly through its official app or website. The platform can identify the compromised hotel account and protect other guests.

How widespread is this?

Booking platform account compromise attacks became significantly more prominent in 2023 and have remained active through 2025-2026. Security researchers have documented coordinated campaigns targeting hotel and property managers specifically to gain messaging access to booked guests.

  • $2.95B - Reported losses to government and business impersonation fraud in the US in 2024, according to the FTC [1]
  • #1 category - Impersonation was the most-reported fraud type in the FTC's 2024 Consumer Sentinel data - more reports than any other fraud category [1]
  • <5% - Estimated share of fraud victims who ever file a report - meaning documented loss figures significantly undercount the real scale [1]
  • Hundreds - Of reports received by UK Action Fraud specifically linked to booking platform messaging fraud, with losses totalling hundreds of thousands of pounds by late 2024 [2]

What makes this pattern particularly effective is that the attack surface is the hotel - not the traveller. A phishing email targeting a hotel manager is a much softer target than a large consumer platform's own security infrastructure. Once the hotel account is compromised, the attacker can reach every upcoming guest with a message that passes every visual authenticity check except one: the link domain.

The scam is sometimes called "booking platform phishing," "hotel payment phishing," or "accommodation booking fraud." The pattern is distinct from fake listing fraud (where a non-existent property is advertised) - in this case, the booking is real. That's the hook.

Sources
  1. Federal Trade Commission, "New FTC Data Show Consumers Reported Losing Nearly $12.5 Billion to Fraud in 2024", February 2025. Source of the $2.95B impersonation figure, #1 fraud category ranking, and <5% reporting estimate.
  2. Action Fraud (UK National Fraud Intelligence Bureau), actionfraud.police.uk, reports and warnings on accommodation booking fraud, 2024. Basis for UK report volume reference. Action Fraud has issued specific alerts about booking platform phishing campaigns targeting UK travellers.
  3. Federal Trade Commission, "How to Recognize and Avoid Phishing Scams", consumer.ftc.gov. FTC guidance on phishing mechanics and warning signs referenced in this guide.
  4. National Cyber Security Centre (UK), "Phishing attacks: defending your organisation", ncsc.gov.uk. NCSC guidance on credential phishing and account compromise patterns including those targeting businesses.
Researched and maintained by ScamChecker.online

This guide describes a scam pattern in which criminals compromise hotel and property management accounts to impersonate those properties in guest communications. Both the booking platform and the property are impersonation victims in this pattern. This guide does not assess the security practices or liability of any named business or platform. We document recurring patterns using primary sources - government agencies, law enforcement, and verified security research. Ads on this page do not influence our reporting.

Last verified: June 2026 · Reviewed against FTC, Action Fraud, and NCSC guidance