Booking users in Denmark have also already received phishing WhatsApp messages with the correct travel details and booking reservation number - as can be seen from a comment under the original Heise article (11.06.2025; 11:14)
Published on June 26, 2025, Mira Ulz
New trouble for the travel platform Booking.com: In recent months, there have been an increasing number of reports of attempted fraud in which criminals try to obtain customers' payment details via Booking.com's official messaging system. A series of unexplained phishing incidents has recently raised concerns in South Tyrol - several hotels there have reported that their Booking.com extranet accesses have apparently been compromised and misused to send phishing messages to guests (Heise, 12.06.2025). The cause is still unclear; however, an initially suspected central security vulnerability at Booking.com itself has not been confirmed.
Booking.com emphasizes that its own system has not been hacked. Rather, some hotel partners had fallen for "very convincing phishing emails", allowing cyber criminals to gain temporary access to their accounts. Using these compromised accounts, the fraudsters were then able to impersonate the accommodation and contact guests with fake requests for payment. The fraudulent messages looked deceptively genuine, as the attackers were able to access real booking and contact details. In some cases, they even used the guests' virtual email addresses provided by Booking to infiltrate messages into the system from outside. For travellers, such phishing emails are therefore often barely recognizable as fake.
This scam is not entirely new. In the past, there have been repeated reports of similar phishing attacks in connection with Booking.com. For example, fraudsters have managed to pose as guests and trick hotel employees into opening malicious attachments. The malware (e.g. the "Vidar" Trojan) stole the login credentials for the Booking extranet. The captured logins were then used to send credible phishing messages to real hotel guests - such as requests to transfer deposits to third-party accounts (Heise, 04.12.2023).
As early as 2023, it was documented that organized gangs were apparently behind the attacks, systematically targeting hotels. According to SecureWorks, the perpetrators specifically infected hotel computers with the malware in order to gain access to the booking logins. They then sent the phishing messages directly via the booking platform to current or former guests of the hacked hotels. This is precisely what makes these scams so insidious: the emails come via the official infrastructure of the booking provider and contain correct booking details, making them look extremely convincing even to attentive users.
Since the spring of 2023 at the latest, affected users have been posting en masse in online forums and complaining about the apparent inactivity of the portal operator. However, from Booking.com's point of view, these are "only" phishing attacks against partner hotels and not a direct attack on its own platform. Accordingly, the company sees itself as largely powerless: In a statement at the end of 2023 (The Guardian, 2023), Booking.com explained that neither its own backend systems nor its infrastructure were compromised - the problem lies with the hotels and their IT security. The company is working "tirelessly" to support affected accommodations in securing their systems and to help all potentially affected customers.
However, travelers are still left perplexed - and increasingly frustrated. Angry customers are venting their displeasure in forums and comment columns. One Heise reader reports that he received such a scam message for 4 out of 5 bookings via Booking.com during a trip to Iceland - in one case even via WhatsApp. The reaction: Real welcome message, then scam, then warning about the scam - then another scam.
Many other users report the same pattern. Often, shortly after the booking confirmation, a message arrives via the booking portal, allegedly from the accommodation, with a link to enter the credit card for "verification". If you fall for this, you end up on a fake website that closely resembles the legitimate Booking.com website - and in some cases hundreds of euros are stolen. Consumer protection experts confirm this trick: criminals apparently access real booking data and use it to convincingly pretend to be a hotel or guesthouse in order to cash in (the German consumer protection authority, 2024).
Even personal WhatsApp messages with real names and booking details have been sent in parallel to trick victims into entering their credit card details on third-party sites. The response from genuine hotels and Booking.com seems inadequate to many affected customers. Accommodation providers usually advise their guests immediately to simply ignore the fraudulent messages, and Booking.com has also called for the scams to be ignored. Each time, the official response is to reassure guests that no customer data has been leaked - which raises alarm bells for many in view of the personalized WhatsApp contacts. The platform rarely provides customers with more concrete answers or even support in the event of damage.
In view of the ongoing incidents, there are calls for Booking.com itself to take action to prevent such cases of fraud in the future. One measure often mentioned is the introduction of mandatory two-factor authentication (2FA) for all partner accommodation logins. If a second factor (such as a code via an app) were required in addition to a password to log in, criminals would not be able to do much with a stolen password alone - the whole phishing scam would collapse. However, Booking.com has yet to mandate two-factor authentication. Observers suspect that the company is shying away from greater login hurdles in order to make it as convenient as possible for its hotel partners to use (Heise, 2025).
Booking.com itself now emphasizes that it has invested heavily in cyber security in recent years and has seen a "significant decline" in certain fraud tactics. For example, around 1.5 million fake phishing reservations were blocked in 2023 and only 250,000 in 2024 - which is seen internally as a sign of effective deterrence. The company also sees the existing communication channels, such as the internal messaging system or the use of email aliases, as a deliberate balance between data protection and user-friendliness. According to Booking.com, these measures represent the "least intrusion into the privacy of travelers" (Heise, 2025). Critics, however, disagree: These communication channels are currently a frequent target for cybercriminals. The decline in blocked phishing cases may be a step forward - but as long as users continue to receive fake messages with real booking data, the feeling of security will remain low for many. This raises the core question: Why hasn't 2FA been made mandatory - especially when it comes to access data for thousands of real customer details?
With the summer travel season approaching, the latest phishing wave couldn't come at a worse time for Booking.com. Right now, many people are booking accommodation online again, which fraudsters could increasingly exploit. Travelers should be particularly vigilant. The consumer advice center advises: If you suddenly receive a message after booking via Booking.com that you have to re-enter or verify your payment details - do not engage or respond (the German consumer protection authority, 2024). Do not make any bank transfers or disclose any credit card details that are requested outside the official platform payment process - even if the message or email looks genuine. If in doubt, you should call the accommodation directly or contact the platform's customer service to check the authenticity of a request.
It remains to be seen whether Booking will draw the right conclusions from these incidents - before the trust of other customers is lost. After all, what good is the most convenient booking process if you are constantly worried about falling victim to fraud?