Booking.com - phishing scam alert! Our tips on how to protect your property and your guests

More and more frequently, Booking.com users report receiving suspicious messages — seemingly from the very properties they’ve booked! — asking them to click a link and repeat an online payment to avoid losing their reservation.

Attention, hosts: this is a real scam, designed to steal sensitive guest information and harm the reputation of your hotel, B&B, or vacation rental.

In this article, we’ll guide you step by step through recognizing and preventing this growing threat — to protect your business and your guests’ trust.

Keep reading to learn how to defend your property from phishing on Booking.com.

What is phishing?

Phishing is an online scam technique that targets sensitive data such as passwords, bank details, or users’ personal information. Scammers use a variety of tricks to deceive victims into believing they’re interacting with a trusted company or individual.

These messages typically contain malicious links or infected attachments which, once clicked or opened, install malware on the user’s device or redirect them to fake websites designed to mimic the look of real ones.

Once scammers get hold of sensitive information, they can use it for illegal purposes, including:

Making unauthorized purchases on the victim’s bank account or credit card.
Selling personal data on the dark web.
Using the victim’s identity to commit further fraud.

How does the latest Booking.com scam work?

After booking a stay, the guest receives a message like the one shown above. If you look closely, you’ll notice that it uses techniques aimed at triggering an emotional response, such as a sense of urgency, claiming there’s a problem with the credit card. The message reinforces this by threatening to cancel the booking if action isn’t taken quickly. Another social engineering trick is to include false promises: although it asks the guest to verify their credit card, it reassures them that no charge will be made.

Recognizing phishing within a trusted platform like Booking.com, and even within the same chat used for official communication with the property, can be especially difficult for the average guest.

One early red flag is often the link in the message: it typically doesn’t come from a verified domain. This link usually redirects the user to a fraudulent page, replicating the look of the real website.

Recently, Booking.com phishing attempts haven’t been limited to platform messages: some customers have received WhatsApp messages using accurate booking details to gain credibility.

In some cases, guests were asked to click a link that mimicked the Booking.com interface to “confirm” their booking. The page showed the correct reservation details and finally prompted the guest to enter their credit card information.

How to recognize and protect yourself from phishing on Booking.com

On average, about 22% of users exposed to phishing tests fall for the scam and fail to detect the fraud in time (source: Cyberment.it).

Here are some practical tips to help you recognize and protect yourself from phishing:

Examine the sender’s email address carefully: Always check the sender’s email. Legitimate Booking.com emails will end in “@booking.com.” Even small variations (like “@booking.com.info”) should raise a red flag.
Watch out for urgent language and unusual payment requests: Phishing emails often pressure you to act quickly and request payments outside Booking.com’s secure platform. Booking.com will never ask you to pay via email or through unknown channels.
Hover over links before clicking: Move your mouse over a link without clicking. A preview of the actual URL will appear in your browser. If it doesn’t match the text or looks suspicious, don’t click.
Verify the message with Booking.com or the property: If in doubt, contact Booking.com or the property directly using official channels. Don’t click any links or enter information in the message itself.
Never enter personal data or passwords on insecure websites or emails.

As a rule, prevention is better than cure: use strong, unique passwords for all your accounts, keep antivirus and anti-malware software up to date, and regularly update your browser and operating system.

2 steps to improve messaging security on Booking.com

Booking.com prioritizes security — for users and partners alike. As part of this effort, its messaging security settings offer extra protection for communication with guests. These are available to accounts with extranet admin rights.

These settings allow you to:

Specify which email addresses can contact guests.
Emails from unregistered addresses will not be delivered.

If you’re a Ciaobooking customer, it’s essential to whitelist the following:

donotreply@ciaobooking.com
contact@ciaobooking.com
Specify which links are allowed in messages to guests.
You can also choose to block all links to prevent them from being sent.

To ensure everything works properly, please authorize the following domain: https://bookpage.io/

Before accessing these settings, you must complete two-factor authentication — an extra layer of protection. You can activate it by following these official Booking.com instructions.

These features help hosts secure guest communication channels and reduce the risk of malicious actors misusing the system.

Bonus: What to do if you fell for a Booking.com scam?

If, while reading this article, you realize you’ve been a victim of phishing, act quickly:

Immediately change the passwords for your online accounts.
Contact your bank or payment provider and inform them of the incident.
Report the case to the appropriate authorities.

If you receive a phishing email or message on Booking.com, it’s important to report it to Booking.com so they can take action and protect others.

Staying informed and taking proactive measures can dramatically lower your risk of falling victim to phishing.
Remember, keeping a close eye on your online security protects not only your personal and financial information, but also your business — and your guests’ trust.