Travel booking scams rise after Booking.com data breach

Scam monitoring data shows a spike in travel booking scams after a Booking.com data breach disclosed in April. Impersonation attempts tied to Booking.com rose 56 percent, and weekly scam reports increased for five consecutive weeks. Fraudsters used cloned websites, phishing messages and hijacked rental listings to collect payment and identity data.

Travel purchases attract fraud because they often involve large upfront payments and tight timelines. Booking confirmations can include names, travel dates, contact details and passport numbers, information attackers use to make messages appear legitimate. Airlines, hotels, booking platforms and cruise operators face frequent attacks because of complex IT systems and multiple third-party connections.

Attackers built convincing copies of airline, hotel and booking sites, promoted them through online ads or altered search results so fraudulent pages appeared near the top. In one campaign last year, visitors to cloned Booking.com pages were tricked into downloading a Remote Access Trojan. Phishing messages arrived by email, SMS and messaging apps and sometimes included stolen reservation details to increase credibility.

Rental listing fraud involved fake postings and hijacked legitimate listings. Scammers encouraged renters to move communication and payment off the rental platform to avoid the site’s protections. In 2024 a researcher found a fake short-term rental listing in Amsterdam; the scammer followed up with an email purporting to be from a review site to request payment information.

Recent impersonation techniques linked to Booking.com included fake cashback emails promising refunds of €435 that directed users to phishing sites, in-app messages requesting additional reservation fees, emails with PDF attachments that required a secure-viewer download that installed malware, WhatsApp messages about missing card data and text messages demanding card verification via fake Booking.com pages.

Security advice from researchers and security teams includes using credit cards rather than debit cards or bank transfers because credit cards generally offer stronger fraud protections. Consumers are advised not to pay with cryptocurrency or gift cards for bookings and to verify reservations by contacting properties or airlines using contact details found independently of an emailed link. Avoid sponsored search results and treat requests to move communication or payment off a platform as suspicious.

Do not open unexpected attachments or download software to view them, and keep anti-malware tools and browser protections up to date. Travelers who suspect they encountered a scam should report it to the booking platform, their bank or card issuer and local consumer protection authorities, check statements for unauthorized charges and change passwords for affected travel accounts.