A New Hotel Booking Scam Is Defrauding People Who Use Sites Like Booking.com.
If you booked a hotel through platforms like Booking.com or Expedia, be wary of any messages asking you to confirm your payment details to secure your reservation. Fraudsters are targeting the hospitality industry with phishing campaigns designed to deceive travelers.
According to information security company Sekoia.io and reported by The Hacker News , the scheme is dubbed “I Paid Twice” because it tricks hotel guests into providing their bank details. Fraudsters contact guests via WhatsApp or email regarding their booking, claiming they need to confirm payment or risk cancellation. The link leads to a fake page masquerading as Booking.com or Expedia, where victims are asked to provide their card details.
This isn’t the first scam to target Booking.com: scammers have previously spoofed the site to distribute malware directly to users using fake CAPTCHAs and homograph attacks , which use similar characters in a URL to redirect to a malicious website.
How the ClickFix scam works on Booking.com
This multi-stage campaign actually begins with hackers targeting hotels themselves with ClickFix attacks, a type of social engineering attack designed to trick users into downloading malware via fake error messages or CAPTCHA forms. (I’ve covered several ClickFix schemes, such as those spread through AI-generated tutorial videos on TikTok and expired Discord invite links .)
The scam works like this: hotel managers receive emails from hacked accounts containing phishing links that redirect to a supposed reCAPTCHA page. This is a component of ClickFix, as victims are asked to complete a task to “secure their connection.” Several redirects lead the user to copy and execute a PowerShell command, which downloads a remote access Trojan (such as PureRAT) to their device.
Once installed, the malware allows attackers to gain remote access, including mouse and keyboard control, data theft, command execution, file uploading and downloading, keylogging, and webcam and microphone capture. Hackers can steal administrator credentials to access booking platforms and send the aforementioned phishing emails to hotel guests, or sell this information to other cybercriminals.
Avoid hotel booking scams
You can’t control whether a hotel manager grants access to your booking information. However, you can prevent further leaks of your personal and financial data by responding carefully to any unexpected messages about your booking. A reputable hotel will likely not contact you through the booking platform (or the platform itself) demanding payment to hold a confirmed reservation.
This sense of urgency is designed to force you to act quickly. So, if you’re unsure about a situation, call the hotel directly at the number listed on the official website ( not in an email or WhatsApp message). Don’t click on any links or enter any information unless you’re sure you’re on the official booking platform or the hotel’s website.