Since January 2026, a phishing campaign has targeted hotels and their customers by impersonating Booking.com to conduct financial fraud. The attack unfolds in three stages: initial phishing emails sent to hotel partners to harvest credentials via a partner phishing kit, followed by customer-targeted phishing to steal financial information, delivered in part through WhatsApp. The campaign uses domain spoofing, typosquatting, and advanced evasion techniques such as user fingerprinting to avoid detection, posing significant risks to the hospitality sector.
The Booking.com Phishing Campaign Targeting Hotels and Customers
