How Hackers Are Scamming Travelers via Booking.com: A New Wave of Fraud
Hackers have accessed personal data from thousands of Booking.com users and are now using it to trick people into paying money under the guise of hotels. If you recently booked accommodation—be extra vigilant: scammers know your name, travel dates, and even your phone number.
What Actually Happened?
In March–April 2024, Booking.com detected "suspicious activity" tied to a series of bookings. As a result, attackers gained access to:
- Customer names
- Email addresses
- Phone numbers
- Details of past and current reservations
Important: Payment information—card numbers, CVV codes, expiration dates—was not compromised. Booking.com's payment system remained secure. However, basic booking details give fraudsters a powerful tool: they can contact you and convincingly pose as hotel staff.
How Does "Booking Hijacking" Work?
Cybersecurity experts call this scheme "booking hijacking." Here’s how it plays out in real life:
- You receive an SMS or email from a "hotel" claiming your room is reserved.
- The message says there’s a "problem": for example, payment failed or an additional fee is required for seasonal rates.
- You’re urged to urgently transfer money to a bank account or send card details "for verification."
- As soon as you comply—your money vanishes, and your reservation gets canceled or left unsupported.
It’s like someone knowing your name, address, and pizza order—and calling to "confirm payment details." You trust them because everything sounds familiar. That’s exactly what scammers exploit.
Why Is This Dangerous for Everyone, Not Just Victims?
Booking.com is one of the world’s largest platforms: since 2010, nearly 7 billion stays have been booked through it. Even if the breach affected only a small percentage of users, we’re talking about hundreds of thousands of people globally.
Moreover, such attacks erode trust in the entire online travel industry. When travelers fear booking accommodations—everyone suffers, not just giants like Booking.com, but also small hotels, hostels, and private renters who rely on these platforms for visibility and income.
What to Do If You Get a Suspicious Message?
Booking.com is clear:
- The company never asks for card details via email, WhatsApp, SMS, or phone calls.
- All payments must follow the terms stated in your booking confirmation.
- Any changes to your reservation appear in your personal account on the website or app.
If someone calls or messages you "from the hotel" asking for money—do not respond. Log in to your Booking.com account directly and check your reservation status. If needed, contact support through official channels.
Key Takeaways
- Data breach included name, email, phone, and booking details—but not payment info.
- Scammers use this data to impersonate hotels and demand "additional payments."
- Booking.com has already updated booking PINs and is warning users.
- Similar attacks have been ongoing since 2023 and are becoming increasingly convincing.
- The global scale of Booking.com makes this threat international, not local.
What This Means for Everyday Travelers
If you book lodging online—even through trusted services—always verify the source of any message. Don’t click links in SMS messages, and never send money on first request. Your vigilance is your best defense. Remember: legitimate hotels and Booking.com will never ask you to break the payment rules set during booking.
— Editorial Team