TRAVEL · BOOKING.COM BREACHJune 18, 20269 min read

The message has your name, your hotel and your dates right. That's the whole point.

A message from "Booking.com" — or from the hotel you actually booked — says your card failed to authorise and your reservation will be cancelled unless you re-verify your payment now. Everything in it is correct: the property, the dates, the confirmation number, your name. It reads as real because most of it is real. Since April 2026, criminals have been working from genuine reservation data stolen in a Booking.com partner breach. So the question that keeps you safe isn't "are these details right?" It's "why is a real booking asking me to type my card into a link?"

Apr 2026
When Booking.com began notifying guests of the partner-data breach (Booking.com)
£370k
Lost to Booking.com-related scams in UK reports, Jun 2023–Sep 2024 (UK fraud reporting)
0
Card numbers in the leaked data — which is why the message asks you to 'verify' it (Booking.com)
Storm-1865
Group Microsoft ties to the hotel-account compromise behind it (Microsoft)
The short answer

After Booking.com's April 2026 breach — in which attackers reached guest reservation data through compromised hotel partners — scammers message travellers by email, SMS and WhatsApp, posing as Booking.com or the hotel. The message quotes your real name, property, dates and confirmation number, then claims your payment failed to authorise and the booking will be cancelled unless you "re-verify" your card through a link. It is phishing: the page harvests the card. The breach exposed contact and booking data, not card numbers — which is exactly why the message has to make you re-enter the card yourself. The rule: a real Booking.com payment happens on the platform under the terms you already agreed; no genuine hotel asks you to re-verify a card through a message link. When in doubt, ignore it and open the official app yourself.

If you have already tapped the link and entered your card, skip to if you already paid — the first call to your bank is the one that matters.

Read the message again. Almost every word is true.

Most phishing fails the moment you stop and look: a bank you don't hold an account with, a parcel you never sent, a fine for a road you've never driven. The Booking.com message does the opposite. Stop and look, and the details hold up — because they were lifted from a real reservation system.

In April 2026, Booking.com began telling customers that unauthorised third parties had accessed guest data through compromised hotel partners. The exposed information included names, email addresses, phone numbers and booking details — in the words of one analysis, "essentially everything you'd need to convincingly impersonate a hotel contacting a guest." So when the message names your property, your check-in date and your confirmation code, it isn't guessing. It's reading them back to you. Recognition feels like proof, and the scam runs entirely on that feeling.

Which means the usual advice — "check for spelling mistakes," "look for details that don't match" — quietly stops working here. The details match. So the tell has to be something the criminals couldn't copy, and there's exactly one: what the message asks you to do.

An annotated recreation of a fake Booking.com message. The traveller's name, the hotel name, the stay dates and the confirmation number are each marked as real, captured in the 2026 data breach. The single fabricated element — a claim that the card failed to authorise and a link to re-verify payment within twelve hours — is flagged in burgundy as the lie that harvests the card the breach never exposed.
Everything the message recognises about you is real — pulled from the breach. The only invented part is the ask: a 'failed authorisation' and a link to re-enter your card. Recreated example — the link is inert.

The one thing the breach didn't leak

Here is the detail that turns a data leak into a payment scam. By Booking.com's account, the stolen data was contact and reservation information — not card numbers. The criminals can sound exactly like your hotel, but they don't have the one thing they actually want.

So the message is engineered to make you supply it. A "failed authorisation," a card that "needs re-verifying," a small charge to "secure" the room before midnight — every version invents a reason for you to type the card in. The thing it asks you to confirm is precisely the thing the breach couldn't hand over. Once you see that, the whole category collapses into a single question: is this message trying to get a payment or a card out of me? If yes, it doesn't matter how much of it is accurate.

"If there is no pre-payment policy or deposit requirement outlined, but you're asked to pay in advance to secure your booking, it is likely a scam."

— Booking.com, official guidance on spotting fraudulent payment requests. Genuine payments are handled on the platform under the terms shown when you book — never re-collected through a message link.

Where the message actually comes from

It's tempting to picture the breach as something that happened to you. It didn't — at least not first. You're the last link in a chain that started inside a hotel.

Microsoft attributes the activity to a criminal group it tracks as Storm-1865, and the entry point wasn't Booking.com's core systems — it was the people working at its partner properties. Hotel staff were lured with fake CAPTCHA or "verify you're human" pages and tricked into running a copy-paste "fix," a technique known as ClickFix, which quietly installed remote-access malware (reported as XWorm and VenomRAT). With a foothold in a property's booking account, the attackers could read genuine guest reservations — and message those guests from a position that looks, to you, indistinguishable from the hotel.

This is why "just be careful" isn't enough on its own. The weak point wasn't your password or your phone — it was a tired front-desk worker clicking a fake verification box in another country. You can't patch that from your end. What you can control is the last step: refusing to move a payment off the platform because a message told you to, no matter how well it knows your trip.

The test that beats every version of it

The wording will keep changing — "authorisation failed," "confirm your card," "a €1 verification charge," "your booking will be released in 12 hours." Chasing each new script is a losing game. One test sits underneath all of them and doesn't move.

A real payment stays on the platform. When you book through Booking.com, payment is handled in the app or on the site under the terms shown at the time. A message that routes you to WhatsApp, SMS or an emailed link to pay or 're-verify' has already left the only place a genuine charge happens.
A real booking doesn't need your card 'again'. If a property genuinely needs payment, it's visible in your reservation when you open the official app yourself. Being asked to re-enter a card to 'keep' a booking you already made is the request that should stop you cold.
The clock is part of the con. A twelve-hour deadline, a 'final notice,' an 'automatic cancellation' — the urgency exists to get you to the card form before you pause to open the app and check. Real cancellations don't hinge on you typing a card into a link in the next few minutes.

Put plainly: judge the ask, not the recognition. The recognition was bought in a breach. The ask is the only thing the criminal had to invent — so it's the only thing worth trusting your decision to.

If you already entered your card — the first hour

Typing your card into the page is not the end of it, but speed decides how it ends. Work in this order:

1Call your bank or card issuer now, on the number printed on your card — not any number from the message. Have the card blocked and ask them to recall the payment or open a chargeback. Minutes matter.
2Stop entering anything further, and don't pay a second 'verification', 'release' or 'refund' charge that the page or a follow-up demands — that is the scam doubling, not a step toward fixing it.
3Screenshot the message and the page — sender, link and all — before you delete anything. You'll want it for the reports.
4Change the password on your Booking.com account and any account whose login you typed into the fake page, and turn on two-factor authentication wherever you can.
5Report the message to Booking.com through the official app or site, and to your national fraud line. If money is gone, report it to your bank and the police. The full country-by-country reporting and refund map is in our scam refund rights guide.
Then watch for the second approach. People who have just lost money are quietly sold on as known targets. Within days, someone may contact you posing as a "fund-recovery" service, a lawyer, or even Booking.com itself, offering to get your money back for an upfront fee. No legitimate body charges in advance to recover funds. The recovery offer is the same trap, a second time.

Will you get the money back?

It turns on one distinction. If criminals captured your card and then spent on it without your say, those charges are unauthorised — and most card networks and banks will refund unauthorised transactions, which is why blocking the card fast matters so much. If instead you were deceived into authorising a payment yourself, recovery is harder and depends heavily on where you are: the UK now forces banks to reimburse most authorised push-payment fraud, while much of the world still has no equivalent rule.

So the captured-card version of this scam is often recoverable, and the talked-into-paying version frequently isn't. That gap is the entire reason the one habit below is worth more than every reporting line that comes after it.

One rule, end to end

If you take one habit from this piece, take this: a real booking never asks you to re-enter your card through a message. The details a scammer recites were stolen, not earned — so let the request, not the recognition, decide. When something feels off, close the message, open the app you actually booked on, and look. If the problem is real, it'll be sitting right there in your reservation. If it isn't, you just walked past the most convincing travel scam of the year.

Got a booking message you're not sure about? Let's look at it together.

Paste the message, the link, the sender. A real expert reviews every case and replies within 24 hours. Free, confidential, no pressure.

Submit a free case review →Can you get the money back?

Common questions about the Booking.com scam

The message has my real name, hotel and booking dates — doesn't that mean it's genuine?

No, and that instinct is exactly what the scam is built on. In April 2026 Booking.com told guests that unauthorised parties had accessed reservation data through compromised hotel partners — names, email addresses, phone numbers and booking details. Criminals now hold genuine reservation information, so a message that quotes your real trip is not proof of anything. The correct test is not 'are these details right?' but 'is this asking me to pay or re-enter my card through a link?' — because that is the one thing a real booking never needs.

Did the breach leak my credit card number?

By Booking.com's account, no — the exposed data was contact and reservation information, not card numbers. That detail is the whole engine of the scam. The criminals have everything needed to sound like your hotel, but not your card — so the message manufactures a reason for you to hand it over yourself: a 'failed authorisation', a 'verification' step, a small charge to 'secure' the room. The thing they ask you to confirm is precisely the thing the breach did not give them.

How do I tell a real Booking.com payment request from a fake one?

Genuine payments for a Booking.com reservation are handled on the platform itself — in the app or on booking.com when you are signed in — under the terms shown when you booked. A real property does not message you on WhatsApp, SMS or email to 're-verify' a card through a link, and Booking.com states that if there is no pre-payment or deposit policy on your booking but you are asked to pay in advance to secure it, it is likely a scam. When in doubt, ignore the message and open the official app yourself: a real issue will be waiting for you there, in the booking.

I clicked the link and entered my card — what do I do now?

Move fast, in order. Call your bank or card issuer on the number printed on your card, have the card blocked, and ask them to attempt a recall or chargeback. Stop entering anything further and do not pay a second 'release' or 'verification' charge. Change the password on your Booking.com account and any account whose login you typed in, and turn on two-factor authentication. Then report the message to Booking.com directly and to your national fraud reporting line. Speed is what decides whether the money comes back.

Where do I report a Booking.com or hotel impersonation message?

Report it to Booking.com through the official app or website so they can act on the property account, and to your country's fraud reporting service — Action Fraud's replacement Report Fraud in the UK, the FTC at reportfraud.ftc.gov in the US, or your national police cybercrime channel. Forwarding the message also helps providers block the sender. If you lost money, report it to your bank immediately and to the police, and ignore anyone who later offers to 'recover' your funds for an upfront fee — that is a second scam aimed at people who were just hit.

Sources & further reading

Every fact in this piece is drawn from these sources. Click any to verify.

Malwarebytes — Booking.com breach gives scammers what they needHKCERT — Booking.com phishing alert (15 Jun 2026)Microsoft Security — ClickFix / Storm-1865 campaignFox News — Booking.com data breach exposes travelers to scams

Keep reading

TRAVEL · TEARDOWN
World Cup 2026 ticket and travel scams — fake tickets, fake rentals, evil-twin Wi-Fi
DATA · 20 COUNTRIES
Scam refund rights — who has to give your money back, country by country
THE RELOAD · TEARDOWN
Recovery scams: why the offer to get your lost money back is a second con