Fake Booking.com messages cost hotels more than money

Phishing scams targeting guests are on the rise - leaving hotels to deal with the fallout, from lost trust to unexpected financial strain

A growing wave of phishing scams on Booking.com is not just hurting travelers - it’s damaging hotels. Cybercriminals impersonate hosts and send convincing messages through WhatsApp or even Booking.com’s own app, tricking guests into paying outside the platform. While the platform claims its systems are secure, hoteliers are left to deal with confused, upset guests and potential reputational damage—despite having no involvement in the scams. As trust in the booking process erodes, the hospitality industry is paying the real price.

Key takeaways for hoteliers

• Scam activity is rising sharply: Booking.com admitted to a 500–900% increase in scams over an 18-month period. Yet robust preventative action appears lacking - raising concern for accommodation providers.

• Scammers target guests with real reservation data: Guests receive phishing messages referencing accurate booking details (dates, hotel name, etc.), making the scam highly believable. These messages often arrive via WhatsApp or Booking.com chat and request payment confirmation through third-party links.
• Hotels are being blamed for breaches: Booking.com claims its systems haven’t been compromised and often attributes the breach to the host’s website or account being infected with malware - putting responsibility on individual property owners.
• Low verification standards for new hotels are a weak link: Scammers can create a host account on Booking.com in under 15 minutes with minimal ID verification. This allows bad actors to infiltrate the platform easily and exploit its trust-based communications.
• The impact on legitimate hoteliers is real and costly: Guests arrive thinking they’ve already paid and realize they’ve been scammed. Some hoteliers have offered discounts or absorbed costs to help distressed guests - even when their own systems weren’t at fault.
• Reputational damage is long-term: Scammed guests often blame the property or lose trust in the booking process. In some cases, they publicly vow never to use the platform again, affecting both direct and OTA-driven bookings.
• Platform support is limited and reactive: Hoteliers report receiving little meaningful support from Booking.com beyond being told to change passwords. There is often no compensation or proactive resolution process offered.
• Protective measures are essential: Hoteliers should:
  • Regularly update passwords and enable two-factor authentication.
  • Educate staff to recognize suspicious communications.
  • Proactively inform guests never to complete payments outside official Booking.com channels.
  • Monitor communications within the Booking.com extranet for unusual activity.

  Get the full story at the Mirror