I travel for a living, yet I nearly fell for this common booking scam

Robert Jackman

January 7, 2026 — 5:00am

When you travel for a living, you pride yourself on being able to spot travel scams from a mile away. You certainly don’t expect to end up almost falling for one and providing your credit card details to a Russian hacker in the process. With the January holiday booking season upon us, consider my tale a timely warning.

In my defence, this particular scam was probably the most sophisticated I have ever seen. Not least as the criminals running it were able to target me using personal information that I’d provided – supposedly safely and securely – to Booking.com.

A legitimate Booking.com webpage; the one that fooled the author looked almost identical. (Image: Alamy)

How on Earth did they get that information in the first place? It turned out that the scammers had stolen the password of a Dubai-based hotel on Booking.com, and were using it to skim the contact details of customers – like me – who had made a reservation on the platform.

The scam began when I received a polite WhatsApp message purporting to be from the hotel manager a few days after making the booking. He explained that there had been a problem with my credit card details and I needed to log on to Booking.com to confirm them.

When I clicked the link in the message (which began with booking.confirmstay.com), I was taken to a webpage that looked exactly like the one I’d seen countless times before. To make it even more convincing, it had the details of my private account and booking filled out as if I was already logged in.

Of course, this website was actually a total fraud. Rather than a legitimate website, it was a near-identical replica of the real Booking.com webpage. Crucially, it was also populated with identikit text fields that would pass on any information inputted (including my credit card details) to the criminals who had laid the trap in the first place.
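The link in that message put the brand name in a sub-domain of an unrelated site, which is easy to miss when reading from left to right. The check below is an added example, not part of the original article: it compares the host a link really points to against a list of trusted domains. The trusted list, the function name and every sample URL other than the booking.confirmstay.com host are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the domains the reader genuinely does business with.
TRUSTED_DOMAINS = {"booking.com"}


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Classify a link as 'trusted', 'lookalike', 'unrelated' or 'invalid'.

    A host is trusted only if it IS a trusted domain or ends with
    '.<trusted domain>'. The right-hand end of the host decides who
    controls the site, so 'booking.confirmstay.com' belongs to
    confirmstay.com, whatever label sits in front of it.
    """
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
        host = (parts.hostname or "").rstrip(".")  # hostname is lower-cased
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"

    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"

    # The brand word appears somewhere in the authority part (a sub-domain
    # label, a hyphenated name, or the user@ prefix) while the real host
    # is elsewhere: the pattern used to make a link look familiar.
    authority = parts.netloc.lower()
    if any(d.split(".")[0] in authority for d in trusted):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; only the first host comes from the article.
    samples = [
        "https://booking.confirmstay.com/confirm",
        "https://secure.booking.com/myreservations",
        "https://booking.com@confirmstay.com/",
        "https://notbooking.com/login",
        "https://example.org/",
    ]
    for link in samples:
        print(f"{classify_link(link):10} {link}")
```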

As impressive as the scam was, I’m aware it still begs some questions. First the obvious one: what on Earth was I doing opening a WhatsApp link, given that hotel platforms warn you not to do that?

On this one, I hold my hands up. Though I will say that, having travelled to Dubai and Abu Dhabi many times, I know how absolutely everyone uses WhatsApp for business in that part of the world. Over the past few years, I’ve had totally legitimate texts from hotels and airlines that looked just like this one.

Then there’s the bigger question: how on Earth did the scammers get hold of my personal information in the first place? The answer to this one definitely isn’t on me – and it also raises serious questions as to how safe and secure Booking.com really is.

What almost certainly happened (though Booking.com won’t say either way) is that hotel staff were tricked into handing over the log-in details for their business account by a clever phishing email. Once the criminals had that information, they could then squat inside the account for as long as they liked, gleaning the personal details of anyone who had made a booking.

As Booking.com handles any payments directly, the fraudsters weren’t able to see my credit card details. Hence them using what personal information they did have on me (like my name and email) to make a bespoke scam website designed to trick me into handing over the last pieces of the puzzle.

How often does this happen? Quite a lot by the sounds of it. The consumer experts at UK consumer site Which? say that one in 10 users of Booking.com report having received a scam message, whether by text or email.

Could the platform do more to stop it? One option would be to require all hotel accounts to use two-factor authentication (meaning that they need to have a text sent to their phone in order to log in, as happens with online banking). At present, though, this is only recommended and isn’t mandatory.

Could Booking.com identify those accounts which may have been compromised? When I looked at the scam website in detail, I found snippets of Russian text within the source code. Surely the fact that a hotel in Dubai was having its account accessed from nearly 5000 kilometres away should have been a sign that something was up?

When I put those questions to Booking.com, it declined to comment. It also refused to say what its policy is when customers actually fall for this scam, or what steps it takes to secure the accounts of hotels who have been targeted by criminals. In short, it wasn’t very helpful whatsoever.

In those circumstances, it’s hard to see how this problem will go away any time soon. Not least as artificial intelligence now makes it easy for scammers to generate professional-sounding emails in a matter of seconds – something that consumer groups have been sounding the alarm about for over a year.

In the meantime, I’d advise anyone using booking platforms to be extremely careful. There’s a reason that you’re warned about not replying to messages sent outside of the platform – and I almost learnt that lesson the hard way.

The Telegraph, London
