New (at least to me) Scam regarding hotel reservations

Thank you Carol NR for the head’s up. Always a welcome reminder to be on alert and skeptical and to contact the hotel for confirmation.
I expect to see more posts about these hotel scams since many of us have hotel reservations, most cancellable, made through September and beyond.

Carol, any idea how the scammers know that you are staying at these hotels? Did you make the reservation through a particular website?

Oh my! Thanks for the head's up! I am glad you didn't fall into the trap!

My last few years I've gotten this email from one of my regular hotels right after booking so it must be pervasive as I always book directly with the hotel if I can.

"Hotel Muguet will never ask you by e-mail or telephone your credit card details after your reservation has been confirmed (unless you card expires before your arrival date)
If you receive such requests, suspect a fraud.*
If the request comes in the form of an e-mail, don’t click in any link, if your credit card is asked by phone, do not comply.

Please contact directly Hotel Muguet (email address listed) to check the veracity of the phone calls or e-mails

@ Laura. I wondered this myself. The Hawaii Hotel was booked through Booking.com The Helsinki Hotel was booked through Alaska Airlines Vacations (Expedia). In both cases, I was using a special promotion that made booking through a 3rd party worth my while. I do a large number of bookings through Booking.com and this is the first issue I have ever had with one of the reservations.

I have had a number of similar emails that appear to come from booking.com. However his is the first time I’ve heard of the text approach through WhatsApp.

Carol, I'm so sorry that's happening. I just noticed that I've been getting some messages from WhatsApp that are telling me to be very careful of messages that I click on, and showing me examples of what is valid and what is not. Evidently it must be happening a lot.

That said, I did get an email today from Mackenzie Scott, fka Bezos, who told me that she is choosing me as one of several people to receive $2,500,000. I'm so excited! 😂 🙄 💰

Mardee...remember your friends! We'd like to help you celebrate your newfound windfall!

Well, of course, Pam! I'm going to treat us all to a trip with my newfound millions!

Mardee: Woo! Hoo! You can keep buying all new travel stuff, for yourself and all your Forum friends! 😂

Carol: so scary. Thanks for the “heads up.” I’m so leary of getting scammed.

Last year I didn’t realize I wasn’t on a hotel’s official site until after I pressed “purchase.” This was even after my CC asked me if I really intended to complete my transaction.

So, Mardee, where are we going next?! 🤣🤣

As mentioned, there's been targeted campaigns against Travel sites and hotels to get guest information. These are all in the last year. As mentioned below, one red flag is they try to get you to use Whatsapp numbers they give you. Anytime that happens, either call the hotel, or send an email to confirm. And don't go to what you think is their website to ask.

"‘Your reservation is at risk’: beware the Booking.com scam"

https://www.theguardian.com/money/2025/jun/29/your-reservation-is-at-risk-beware-the-bookingcom-scam

"“I Paid Twice” Phishing Campaign Targets Booking.com"

https://www.infosecurity-magazine.com/news/i-paid-twice-phishing-campaign/

And yes, Booking.com isn't the only one. Though Booking.com did ignore the problem for quite a while. Expedia, and no doubt others, as well. One red flag, a lot of these scams try to get you off communicating with the Hotel and try to get you to use a Whatsapp number they give you.

"We found out we'd bought fake flights at check-in"

https://www.bbc.com/news/articles/c743d7vdwzyo

I have had this happen in the last few months for reservations both at booking.com and Airbnb. I think never correspond with a hotel or apartment you booked except through the message system on the actual website you booked through. If you have a question delete the text or WhatsApp and write a message on that website.

Request for additional information, request for a deposit, and request for confirmation have all come by email. A note that my reservation may be cancelled if I didn’t comply accompanied one email. I simply go to the website of my booking and confirm that nothing is amiss. I’m fast at swiping left on emails to avoid issues.

At a NYC hotel back in the 1980’s (immediately after I “checked in”) a gentleman called my room to state that the front desk forgot to take a $200 cash deposit. I was not happy and refused to return to the front desk. He stated that he would gladly come to retrieve it. A gentleman dressed in what seemed like a variation of the staff uniform but more official looking knocked on my door. I was still not happy with the situation, I let him know, and then I decided to ring the hotel manager to protest not having been notified of this requirement. As I picked up the phone to make the call the man bolted like lightning. I then went to the front desk to inquire about the situation only to learn that no such deposit request had been made. Additionally, the hotel had no record of me having checked in. Management and security personnel indicated that the individual who checked me in, the individual who escorted me and my guest to our room, and this unknown gentleman were scammers. The two hotel staff mentioned above were removed from their posts. I was properly checked in and received a room on a different floor in that high rise hotel. Thankfully I was not alone in the room.

I dont think Booking.com reservations will ever use WhatsApp- all comms are done via their own app? Airbnbs will use WhatsApp and it always makes me nervous!

As Carol mentioned above, some of these are sophisticated enough to have fake websites where you think it's the real one. How they got you there; can be different techniques. The App, if they have one, is good for a phone number/email at least.

As before, red flag if they try to get you to switch to Whatsapp. They don't have to pay for the phone calls (free!) and they leave less records.

And someone mentioned "swipe left/right". Mobile is much worse for these than desktop. But people will use them for convenience.

So, Mardee, where are we going next?! 🤣🤣

😂 TTM, how about an around the world trip? 🧳 🌎 ✈️

Woo! Hoo! You can keep buying all new travel stuff, for yourself and all your Forum friends!

Carol, good idea! I'll open an online shop and everything will be free! 😂

Keep in mind that if you use Gmail, you can report "phishing" emails to Google. Just go to the three vertical dots to the right of the reply button when the email is open, and the pop-up menu will show you an option to click on "Report Phishing" next to a fish hook icon. Here is the message Google shows:

Report Phishing: Phishing is a form of fraud in which a message sender attempts to trick the recipient into divulging important personal information like a password or bank account number, transferring money, or installing malicious software. Usually the sender pretends to be a representative of a legitimate organization. If you believe this message is a phishing attack, you can report it to our abuse team and help us thwart this attack and others like it. Reporting this message as an attack will send the entire message to our team for review.

The more reports Google gets, the better ability it has to stop them from coming.

Carol, any idea how the scammers know that you are staying at these hotels? Did you make the reservation through a particular website?

These usually start with scammers phishing the hotel/company employees who are not always vigilant when it comes to cyber security.

Some light reading --
https://www.akamai.com/blog/security-research/sophisticated-phishing-campaign-targeting-hospitality
https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/
https://www.hotelmanagement.net/tech/how-cybercriminals-target-hotel-booking-platforms

Honestly I think the booking.com platform is open to the world! Not sure that Carol now retired used them, but this is happening so often with booking.com that... this cybersecurity professional believes they are WIDE open. And yes, the use of What's App is not uncommon on these scams.

I know there are other issues with other hotels but booking.com is very leaky! I refuse to use them.

We always book directly with hotels. If there is a question, or situation that arises, we just pick up the phone and call them. Old fashioned? Yes. Foolproof?, Probably not, but what is these days? Does it greatly decrease the odds of being scammed? Yes. And putting the odds on our side is the best we can do.

TC, if you read Carol NR's post above, she notes that she got some very good deals booking through a third-party site. I agree that it is usually preferable to book direct, but I'd do what she did if I was going to save that much money. It just means being a little bit more vigilant. 😊

I was at an Eldercollege presentation on the weekend on AI in your personal life. The speaker said that WhatsApp is not very secure anymore. He said Signal is a more secure messaging app. It has End-to-End Encryption and many other features that WhatsApp does not have.
I’m such a dinosaur. I used WhatsApp when I was on my last RS tour in 2025 because that was the only way to communicate with the tour members. I’m not on any social media. I have a cell phone and a landline for a backup. Boring…snoozer.

never correspond with a hotel or apartment you booked except through the message system on the actual website you booked through

The Booking.com scam sent to me was thru the booking.com message system. Those are not safe!

I'd do what she did if I was going to save that much money.

Mardee,

I'm not sure how much she saved. I also try to find a good price as I don't like to just throw money away when it is not necessary. But unless it is a great deal of money, to me it's just not worth the additional risks and hassles to deal with a third part should there be an actual problem. Not being critical -- everyone should do what they think is best for them. And I have nothing against those who use third party sites. I just like to keep things as simply as possible as I've had enough hassles in life without asking for more.

So funny to me that anyone would even be worried about whether I did the "right thing" in how I booked my tickets. We all make our travel choices based on our individual needs or goals. Purpose of the post is to simply raise awareness of this type of scam because those messages seem so real at first.

With the fake websites you used to be able to spot small errors. The logo being slightly different. The name having simple misspelling. I never knew if that was them screwing up or some legal thing where they could claim their site was "different" than the one they were copying. Don't think they bother with that anymore, don't know.

Thanks for the warning, Carol! Those scammers are busy out there!

I use Booking.com a lot. Considering I change cities 10+ times during a normal trip, I have a lot of hotel reservations through them each year. It’s not unusual for me to have 20 reservations for upcoming stays, and I find having them all on one site location extremely handy for my ongoing logistics organizing.

I did receive an email in 2024 that looked legit that asked me to use a different credit card. Since I had already paid for that reservation (and I keep screenshots of everything), I knew this was a scam. I notified Booking.com that it happened.

One note about WhatsApp & Booking.com. WhatsApp is a common way for someone to communicate about what time you might arrive, etc. I have had Booking,com reservations where they send me a WhatsApp note a few days ahead and ask me to notify them when I arrive in their city & if there’s any info I need ahead of time, etc.. I stay at small family-run hotels (similar to our B&B’s), so this is not unusual for me. There’s no request for a credit card or links that would be a scam type situation.

I’ve also had chain hotels in the US ask me to “check in on-line” a few days ahead of time. I won’t do it & don’t see the point of doing it. I am not inputting personal information from an email request that I didn’t originate.