A sophisticated phishing campaign is actively targeting Booking.com partners and customers, leveraging the trusted travel brand to orchestrate multi-stage financial fraud. This evolving threat, observed since early January 2026, utilizes cleverly disguised emails and messaging to first compromise hotel accounts and then exploit guest booking details for fraudulent transactions.
Researchers from Bridewell have identified the operation, noting its financial motivations and a three-stage chain designed to maximize illicit gains. The campaign begins with phishing emails directed at hotel reservation or support inboxes, prompting staff to click malicious links under the guise of resolving a “complaint” or “room query.” These links, appearing legitimate, lead to attacker-controlled pages designed to steal login credentials.
Multi-stage Fraud Chain Exploits Booking.com Trust
The initial phase of the phishing campaign meticulously targets Booking.com partners. Attackers employ deceptive tactics, including the use of look-alike domains and domain redirection. A particularly insidious technique involves an IDN homograph trick, where a Cyrillic character is substituted for a letter in “booking,” making the fake domain appear authentic. URLs often feature parameters like “complaint?optoken=” to further legitimize the phishing attempt. Once victims land on these fake portals, their login credentials are harvested.
These stolen credentials are then used to gain unauthorized access to legitimate Booking.com partner accounts. Bridewell also highlighted the defensive evasion mechanisms employed by the phishing kit. The hosting infrastructure is designed to fingerprint visitors; if certain checks fail, visitors are shown benign decoy websites, such as those related to “hotel cleaning,” instead of the phishing page. When the checks pass, victims are redirected to a fake partner sign-in page hosted on a subdomain like “bookling,” utilizing tokenized sign-in paths to mimic a legitimate login process.
Following a successful account takeover of a hotel’s Booking.com portal, the attackers pivot their attention to the guests. They leverage stolen booking details to craft convincing WhatsApp messages, often conveying a sense of urgency and referencing accurate reservation information. These messages then route unsuspecting victims through a Cloudflare CAPTCHA page before directing them to a Booking.com look-alike payment page. This final stage aims to extract financial information or directly effect fraudulent payments.
Hotels are urged to bolster their defenses by enforcing multi-factor authentication (MFA) on their Booking.com partner accounts and restricting access to booking portals. Any unsolicited links received via email, particularly those concerning “complaints,” should be treated with extreme caution, even if they appear to originate from known brands like Booking.com. Implementing robust logging and alerting systems for new sign-ins, password resets, and unusual outbound redirects can also help detect account takeovers before customers are targeted.
Furthermore, hotels should regularly review their email filters, proactively block newly identified look-alike domains used in phishing attacks, and report instances of abuse to domain registrars and Booking.com. Customers who receive suspicious messages related to their bookings should avoid making payments through links provided in chat applications. Instead, they should verify any issues by using the official Booking.com app or by contacting the hotel directly through a verified contact method. If a customer has inadvertently entered details on a suspicious page, they should immediately change their password on relevant accounts, contact their bank to report potential fraud, and ask the hotel to confirm if their Booking.com account has been compromised.