Multi-Stage Booking.com Phishing Campaign Targets Hotels and Guests
A sophisticated phishing operation is exploiting trust in the Booking.com ecosystem to defraud both hotel partners and their guests. The campaign, active since early January 2026, uses a three-stage attack chain that begins with credential theft from hotel staff and ends with fraudulent payment requests sent directly to travelers.
How the Attack Works
Researchers at Bridewell have mapped a structured, financially motivated operation that sequentially targets two victims: hotels using Booking.com’s partner platform, followed by the hotels’ customers. The attackers employ distinct phishing kits at each stage, creating a convincing fraud pipeline that uses legitimate booking data to increase success rates.
Stage One: Phishing Hotel Staff
The operation begins with emails sent to hotel reservation or support inboxes. These messages typically reference a guest complaint, booking issue, or room inquiry and urge staff to click a link to review the matter. While the link appears legitimate in the email body, it redirects recipients to attacker-controlled infrastructure.
Key characteristics of this stage include:
- Emails crafted to resemble standard Booking.com partner communications
- Sender addresses following a predictable pattern of 7 to 11 lowercase letters plus 2 to 3 digits
- Links that use internationalized domain name (IDN) homograph techniques, substituting Cyrillic characters to create visually deceptive URLs
- URL parameters commonly including “complaint?optoken=” style strings
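The three indicators above (the sender local-part shape, the Cyrillic homograph hostname and the "complaint?optoken=" link) can be turned into a mail-filter check. The following Python is an added example written for this page, not code from Bridewell or any vendor; the sample messages are constructed, the confusable table covers only a handful of Cyrillic letters (a production check would use the Unicode TR39 data), and treating the last two labels as the registrable domain is a simplification that holds for the .com names used here.

```python
import re
import unicodedata
from urllib.parse import urlsplit, parse_qs

# Brand the lure imitates; compared against the decoded, de-confused hostname.
TRUSTED_DOMAIN = "booking.com"

# Sender local-part shape reported for the campaign: 7-11 lowercase letters
# followed by 2-3 digits, e.g. "abcdefgh12".
SENDER_LOCALPART = re.compile(r"^[a-z]{7,11}[0-9]{2,3}$")

# Assumption: a minimal Cyrillic-to-Latin confusable map, enough for the
# lookalikes discussed here; Unicode TR39 confusables.txt is the full source.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

def decode_host(host: str) -> str:
    """Return the Unicode form of a hostname, decoding any xn-- (punycode) labels."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label, other checks still run
        labels.append(label)
    return ".".join(labels)

def latin_skeleton(host: str) -> str:
    """Replace known confusable Cyrillic letters with the Latin letter they mimic."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def has_cyrillic(text: str) -> bool:
    return any(unicodedata.name(ch, "").startswith("CYRILLIC") for ch in text)

def registrable(host: str) -> str:
    """Last two labels; assumption: sufficient for the .com-style names used here."""
    return ".".join(host.split(".")[-2:])

def link_indicators(url: str) -> list[str]:
    """Indicators raised by a single URL (names only, no verdict)."""
    found = []
    parts = urlsplit(url)
    unicode_host = decode_host(parts.hostname or "")
    if has_cyrillic(unicode_host):
        found.append("cyrillic_in_hostname")
        # Homograph: reads as the trusted brand once confusables are mapped,
        # but the raw registrable domain is not the trusted one.
        if (registrable(latin_skeleton(unicode_host)) == TRUSTED_DOMAIN
                and registrable(unicode_host) != TRUSTED_DOMAIN):
            found.append("homograph_of_trusted_domain")
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.rstrip("/").endswith("/complaint") and "optoken" in query:
        found.append("complaint_optoken_url")
    return found

def sender_indicators(sender: str) -> list[str]:
    local, _, _domain = sender.partition("@")
    return ["sender_localpart_pattern"] if SENDER_LOCALPART.match(local) else []

def message_indicators(msg: dict) -> list[str]:
    """Sorted, de-duplicated indicator names for one message."""
    found = set(sender_indicators(msg["sender"]))
    for url in msg["links"]:
        found.update(link_indicators(url))
    return sorted(found)

# Punycode form of the lookalike host, built at runtime so no encoding is guessed.
PUNYCODE_HOST = "admin.b\u043e\u043eking.com".encode("idna").decode("ascii")

# Constructed sample messages (not real campaign data). Cyrillic letters are
# written as escapes so the lookalike is unambiguous in the source.
SAMPLE_MESSAGES = [
    {"sender": "jkqwertyu12@example-mail.test",            # lure, Unicode host
     "links": ["https://admin.b\u043e\u043eking.com/complaint?optoken=abc123"]},
    {"sender": "partner-support@booking.com",               # benign notification
     "links": ["https://admin.booking.com/hotel/hoteladmin/"]},
    {"sender": "abcdefg99@example.test",                    # lure, punycode host
     "links": [f"https://{PUNYCODE_HOST}/complaint?optoken="]},
    {"sender": "reservations@hotel.test",                   # Cyrillic but not a lookalike
     "links": ["https://\u0433\u043e\u0441\u0442\u0438\u043d\u0438\u0446\u0430.example/rooms"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["sender"], "->", message_indicators(msg) or "no indicators")
```

The fourth sample shows why the homograph check is separate from the plain Cyrillic check: a genuinely non-Latin hostname is worth noting but is not an impersonation of the brand, and a filter that blocked every non-ASCII domain would generate noise for properties in Cyrillic-script markets.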
Stage Two: Credential Harvesting and Account Takeover
Once hotel employees click the malicious link, they land on fake Booking.com partner login pages. The phishing kit employs strong visual impersonation of the official portal along with multiple evasion techniques. The hosting infrastructure fingerprints each visitor and serves benign content to any visitor that fails its checks, such as automated security scanners, so that only likely human targets see the credential form.
Stolen credentials are then used to access real Booking.com partner accounts, giving attackers access to live reservation data.
Stage Three: Customer-Facing Fraud
With access to legitimate booking records, attackers launch a second phishing wave against hotel guests. This stage uses the stolen data to craft highly convincing messages, often sent via WhatsApp, that include real booking details such as guest names, reservation dates, and property information.
Guests receive urgent requests for payment, often with claims that a reservation requires immediate settlement or that a previous payment failed. The messages include links to a customer-focused phishing kit designed to harvest credit card data. This final stage overlaps with the previously documented “I Paid Twice” campaign, which also abused Booking.com data to trick guests into double-paying for reservations.
Why This Campaign Matters for Travel Merchants
For hotels and travel operators, this represents more than a routine phishing attempt. It is a structured fraud operation designed to compromise trusted partner accounts and then exploit customer relationships. The use of legitimate booking data makes the final stage particularly dangerous, as guests have little reason to doubt the authenticity of messages containing their actual reservation details.
The financial impact extends beyond individual transactions. Hotels face potential chargebacks, reputational damage, and regulatory scrutiny when guest payment data is compromised through their partner accounts. Travelers victimized by these schemes may dispute charges, leave negative reviews, or pursue legal action against properties they believe failed to protect their information.
Detection and Defense Recommendations
Hotel staff should treat any unsolicited communication regarding guest complaints or booking issues with heightened scrutiny. Key defensive measures include:
- Verifying sender addresses carefully and accessing Booking.com partner portals directly through bookmarks rather than email links
- Implementing multi-factor authentication on all partner accounts
- Training reservation staff to recognize phishing indicators, including urgency tactics and unexpected payment requests
- Monitoring for unauthorized access to partner accounts and reviewing login logs regularly
- Establishing clear communication protocols with guests regarding legitimate payment processes
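The "reviewing login logs regularly" item is the one most properties skip because it is unclear what to look for. The following Python is an added example for this page (not Booking.com's tooling, whose audit-log format the article does not describe) that applies three simple rules to a constructed partner-portal login log: a sign-in from a country the account has never used during a baseline period, a sign-in outside the property's business hours (assumed here to be 06:00 to 21:59), and one source IP signing in to several staff accounts, which is what stolen credentials being replayed from attacker infrastructure tends to look like.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (timestamp, account, source IP, country).
# "ZZ" is the ISO user-assigned code, used so no real country is implied.
LOGIN_EVENTS = [
    ("2026-01-05T09:12:00", "frontdesk@hotel.test",    "203.0.113.10",  "DE"),
    ("2026-01-06T08:58:00", "frontdesk@hotel.test",    "203.0.113.10",  "DE"),
    ("2026-01-07T17:40:00", "frontdesk@hotel.test",    "203.0.113.11",  "DE"),
    ("2026-01-08T10:05:00", "reservations@hotel.test", "203.0.113.12",  "DE"),
    ("2026-01-12T02:15:00", "frontdesk@hotel.test",    "198.51.100.77", "ZZ"),
    ("2026-01-12T02:20:00", "reservations@hotel.test", "198.51.100.77", "ZZ"),
]

# Assumptions: events before this date form the per-account baseline, and
# staff normally sign in between 06:00 and 21:59 property-local time.
BASELINE_END = datetime.fromisoformat("2026-01-10T00:00:00")
BUSINESS_HOURS = range(6, 22)

def build_baseline(events):
    """Countries each account signed in from during the baseline period."""
    seen = defaultdict(set)
    for ts, account, _ip, country in events:
        if datetime.fromisoformat(ts) < BASELINE_END:
            seen[account].add(country)
    return seen

def review_logins(events):
    """Return (rule, subject, detail) findings for the events after the baseline."""
    baseline = build_baseline(events)
    findings = []
    accounts_per_ip = defaultdict(set)
    for ts, account, ip, country in events:
        when = datetime.fromisoformat(ts)
        accounts_per_ip[ip].add(account)
        if when < BASELINE_END:
            continue  # baseline events are only used to learn normal behaviour
        if country not in baseline.get(account, set()):
            findings.append(("new_country_login", account, ts))
        if when.hour not in BUSINESS_HOURS:
            findings.append(("off_hours_login", account, ts))
    # One source address reaching several staff accounts is worth a look on its own.
    for ip, accounts in accounts_per_ip.items():
        if len(accounts) > 1:
            findings.append(("shared_source_ip", ip, ",".join(sorted(accounts))))
    return findings

if __name__ == "__main__":
    for rule, subject, detail in review_logins(LOGIN_EVENTS):
        print(f"{rule:20} {subject:28} {detail}")
```

None of these rules is proof of compromise on its own; a manager travelling abroad trips the first, a night auditor trips the second. Their value is that the combination seen in the constructed log (new country, off hours, and the same address touching two accounts within minutes) is the pattern to verify with staff and, if unexplained, to answer by resetting the partner credentials and reviewing which reservations were viewed.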
For guests, hotels should proactively communicate how they will (and will not) request payment. Legitimate properties rarely demand immediate payment via WhatsApp or similar messaging platforms, particularly for reservations already secured through established booking channels.
Key Takeaways
- A multi-stage phishing campaign is actively targeting Booking.com partners and their guests, with activity observed since January 2026
- Attackers first compromise hotel staff credentials, then use stolen booking data to defraud guests through convincing payment scams
- The campaign employs IDN homograph techniques and sophisticated phishing kits with built-in evasion capabilities
- Final-stage fraud often occurs via WhatsApp, using real reservation details to establish credibility with victims
- Hotels should focus on staff training, MFA implementation, and clear guest communication protocols to mitigate risk
Sources: Bridewell Security Research, Cybersecurity News, eSecurity Planet
