Phishing Alert - Beware of Booking.com Phishing Messages Exploiting Suspected Leaked Booking Data

Release Date: 15 Jun 2026

Type: Phishing

Phishing Alert

Current Status and Related Trends

mickmick.net reminds the public to stay alert to phishing attacks impersonating Booking.com and hotel booking notifications. Fraudsters are using what appears to be genuine booking information previously leaked from Booking.com to impersonate the Booking.com platform or hotels, sending travellers emails and WhatsApp messages claiming that there is an issue with their reservation, that payment authorization has failed, or that they must update their payment details within a specified time or their booking will be cancelled. The aim is to lure users into clicking suspicious links and submitting personal information, account credentials, or credit card details.

 

According to public information, Booking.com previously experienced a security incident involving unauthorized access to certain booking data. The affected information may have included guests’ names, email addresses, phone numbers, and communications between guests and accommodation providers. Overseas reports have also indicated that fraudsters have used leaked genuine booking data to send fake Booking.com or hotel messages targeting Japanese travellers as part of further phishing scams.

 

As Booking.com is one of the online travel booking platforms commonly used by Hong Kong residents, local users may also face the same risk. Anyone who has used the platform to book hotels, accommodation, or other travel services should remain vigilant and beware of fraud. Fraudsters may include suspicious links in their messages, directing users to fake login, payment, or verification pages and asking them to enter account passwords, credit card details, one-time passwords, or other sensitive information.

 

Fraudsters may also contact victims through WhatsApp or other instant messaging platforms, asking them to re-verify payment details or complete a so-called booking confirmation process. Such messages often claim that booking information is incomplete and urge users to click suspicious links to provide the missing details. To make the scam appear more convincing, the messages may include genuine information such as the user’s actual check-in date and full guest name.

 

Recently, mickmick.net has also handled phishing cases involving online travel booking platforms such as Booking.com and Klook. These cases show that fraudsters target platforms related to travel bookings by setting up phishing websites to trick users into submitting account details or payment information.

 

The following are phishing website pages from related cases:

 

Image: A phishing website impersonating Booking.com, claiming that users must enter credit card details to proceed with the booking.

 

Image: A phishing webpage impersonating an online travel booking platform.

 

Image: A phishing website impersonating an online travel booking platform’s payment verification page.

 

mickmick.net urges the public not to assume that a message is genuine simply because it contains their name, hotel name, booking details, or itinerary information. Any notification involving account issues, payment issues, or abnormal booking activity should always be verified through official channels in order to protect personal and financial security.

 

Security Advice for the Public

mickmick.net reminds the public to:

 

• Carefully verify the sender’s email address and the full website URL, and not rely solely on the displayed name to judge authenticity;
• If you receive a notification related to booking, payment, or account security, check it directly through the official app or by manually entering the official website address;
• Never click on links in messages from unknown or unverified sources;
• Never enter account passwords, credit card details, one-time passwords, or other sensitive information on suspicious websites;
• If in doubt, verify the matter independently through the official website, app, or publicly available contact details of the hotel;
• Use strong passwords and enable multi-factor authentication to enhance account protection;
• Regularly review bank account and credit card transaction records for any unusual activity.

 

If You Have Already Submitted Information, Take the Following Actions Immediately

If members of the public suspect that they have entered personal information, account credentials, or credit card details on a suspicious website, they should take the following steps as soon as possible:

 

• Immediately stop all contact with the other party and do not provide any further personal, account, or financial information;
• Change the password of the relevant platform account immediately, as well as the passwords of any other accounts using the same or similar password;
• Contact the relevant bank or credit card issuer immediately, report the incident, and request appropriate protective measures;
• Closely monitor bank account and credit card transaction records for any unauthorized transactions;
• Keep all relevant records, including suspicious emails, message screenshots, URLs, website screenshots, and transaction records, for follow-up or reporting purposes.