Phishing scheme uses compromised hotel accounts to trick guests into “paying twice” for their reservation
Nov 14, 2025
A new scam is targeting travelers who book hotels through platforms like Booking.com and Expedia, using compromised hotel accounts to send guests fake payment-verification requests. The campaign relies on a multi-step ClickFix attack that first infects hotel systems, then uses that access to phish customers.
Key takeaways
- “I paid twice” phishing tactic: Scammers impersonate Booking.com or Expedia, urging guests to “verify payment” to avoid cancellation.
- Fake landing pages: Links lead to highly convincing spoofed sites designed to capture credit card information.
- Hotel systems as entry point: Attackers first compromise hotel staff via ClickFix malware delivered through fake error messages or CAPTCHA pages.
- Remote access takeover: Installed malware (such as PureRAT) allows full device access, credential theft, and control of booking platform accounts.
- Previous booking.com scams: Past attacks used spoofed CAPTCHAs and homograph URLs to spread malware and mislead travelers.
- How to stay safe: Hotels and platforms rarely demand payment confirmation through email or messaging apps; guests should verify directly with the hotel using official contact details.
Get the full story at Lifehacker
