New hotel reservation scam spreads through major OTAs

Phishing scheme uses compromised hotel accounts to trick guests into “paying twice” for their reservation

Nov 14, 2025

A new scam is targeting travelers who book hotels through platforms like Booking.com and Expedia, using compromised hotel accounts to send guests fake payment-verification requests. The campaign relies on a multi-step ClickFix attack that first infects hotel systems, then uses that access to phish customers.

Key takeaways

  • “I paid twice” phishing tactic: Scammers impersonate Booking.com or Expedia, urging guests to “verify payment” to avoid cancellation.
  • Fake landing pages: Links lead to highly convincing spoofed sites designed to capture credit card information.
  • Hotel systems as entry point: Attackers first compromise hotel staff via ClickFix malware delivered through fake error messages or CAPTCHA pages.
  • Remote access takeover: Installed malware (such as PureRAT) allows full device access, credential theft, and control of booking platform accounts.
  • Previous Booking.com scams: Past attacks used spoofed CAPTCHAs and homograph URLs to spread malware and mislead travelers.
  • How to stay safe: Hotels and platforms rarely demand payment confirmation through email or messaging apps; guests should verify directly with the hotel using official contact details.
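
One way a mail or messaging filter could flag the spoofed and homograph links described above. This is an added example, not code from the article or from either platform; the official-domain list, the look-alike character map and the sample message are assumptions constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Assumption: official registrable domains of the two platforms named above.
OFFICIAL = ("booking.com", "expedia.com")

# Constructed, deliberately partial look-alike map (Cyrillic/Greek/digits).
CONFUSABLES = str.maketrans({
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u03bf": "o", "0": "o", "1": "l",
})

def hostname_unicode(url):
    """Return the URL's host in lowercase with punycode labels decoded."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep the raw label if it is not valid punycode
        labels.append(label)
    return ".".join(labels).lower()

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def classify(url):
    host = hostname_unicode(url)
    if any(under(host, d) for d in OFFICIAL):
        return "official"
    skeleton = unicodedata.normalize("NFKC", host).translate(CONFUSABLES)
    if any(under(skeleton, d) for d in OFFICIAL):
        return "lookalike"              # homograph of an official domain
    if any(d.split(".")[0] in skeleton for d in OFFICIAL):
        return "brand-in-foreign-host"  # brand name on someone else's domain
    return "unrelated"

def suspicious_links(message):
    """Return (url, verdict) for every link that imitates a platform."""
    verdicts = [(u, classify(u)) for u in re.findall(r"https?://\S+", message)]
    return [(u, v) for u, v in verdicts if v in ("lookalike", "brand-in-foreign-host")]

# Constructed sample message; the hosts are invented for illustration.
SAMPLE = ("Verify payment to avoid cancellation: "
          "https://b\u043e\u043eking.com/verify or "
          "https://booking.com.verify-payment.example/confirm "
          "(your booking: https://www.booking.com/mybooking )")
```

A production filter would replace the small map with the full Unicode confusables data (UTS #39) and compare registrable domains using the Public Suffix List.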

Get the full story at Lifehacker
