Hotel Booking Confirmation Phishing — How to Spot Fake Reservation Emails

"Your reservation will be cancelled in 24 hours unless you verify your payment details." If you've received an email like this from what looks like Booking.com, Expedia, or Hotels.com — stop. It's probably a phishing attack.

Hotel booking phishing emails surged by over 45% in 2025, with attackers increasingly targeting travelers who actually have upcoming reservations. The timing, branding, and urgency make these scams devastatingly effective.

How Hotel Booking Phishing Works

1. Fake Confirmation/Modification Emails

The most common type. Messages claiming your booking needs "re-verification," your payment failed, or your reservation will be cancelled unless you act immediately.

Examples:

• "Your Booking.com reservation requires card re-verification. Complete within 24h or your booking will be cancelled."
• "Expedia: Payment processing error for reservation #1234567. Update payment method now."

2. Refund/Compensation Scams

"You were double-charged," "Claim your compensation voucher" — designed to get you to click and enter card details.

3. Direct Property Contact Impersonation

Scammers pose as the hotel itself through Booking.com or Airbnb messaging, asking you to "pay outside the platform for a discount."

4. Fake Review Requests

"Write a review and earn reward points" — leading to a fake login page that captures your credentials.

How to Spot Phishing Emails

Indicator	Legitimate Email	Phishing Email
Sender	@booking.com, @expedia.com	Look-alike domains (@b00king.com, @booking-verify.com)
Greeting	Your name or booking number	Generic "Dear Customer"
Links	Official domain URLs	Suspicious shortened links
Urgency	Normal informational tone	"Within 24 hours," "Immediately"
Attachments	None or PDF confirmation	.exe, .zip, or macro-enabled files
Requests	No login/payment requests via email	Asks for password or card details

Hotel Booking Safety Checklist

When Receiving Emails

1. Check the sender's email address — Verify the domain matches the official site exactly
2. Hover over links — Check the actual URL before clicking (long-press on mobile)
3. Go directly to the site — Type the URL in your browser instead of clicking email links
4. Cross-reference your booking — Compare with your actual reservation records

Protecting Payment Information

5. Never pay through email links — Always use the official app or website
6. Use virtual card numbers — Many banks offer virtual cards for online bookings
7. Enable transaction alerts — Get instant notifications for every charge

Managing Booking Information

8. Store confirmations securely — Don't share booking screenshots through regular chat
9. Record booking numbers separately — Keep them with your secure travel documents

If You've Been Phished

1. Contact your bank immediately — Block the card and request a replacement
2. Report to the booking platform — Forward the phishing email to their fraud team
3. Change your passwords — On the affected platform and any sites using the same password
4. File a report — Report to the FTC (US), Action Fraud (UK), or your local authority

Safely Sharing Hotel Booking Information

When sharing hotel details with travel companions — booking reference, check-in time, address — through iMessage or Messenger, that information sits in the chat permanently. Use LOCK.PUB instead:

• Create a secret memo with your booking details
• Set a password and share the link with your travel group
• Set auto-expiration for after your trip ends

This keeps reservation data out of permanent chat histories while remaining accessible to those who need it.

Peak Season Means Peak Phishing

Holiday seasons — summer vacation, Christmas, spring break — see the highest volume of hotel booking phishing. Don't be swayed by "last room available" or "limited-time special rate" emails.

Always book through official apps or websites, and never click links in unsolicited booking-related emails.

Safely share booking information → Create an encrypted memo on LOCK.PUB