For millions of travelers, booking accommodation online has become second nature. A few taps, a confirmation email, and a sense of relief that one major part of a trip is settled. But a growing number of experts now warn that this convenience has created an opening for one of the most convincing travel scams seen in recent years — one that doesn’t begin with a suspicious website, but with a message that appears completely legitimate.
The scam does not start with panic. There is no obvious threat, no poorly written email, no demand for immediate payment. Instead, it begins with reassurance. A message arrives that appears to come directly from a hotel. The wording is polite. Professional. Calm. The sender claims there is a small issue with the booking — often involving card verification — and provides a link to “securely confirm” the details.
At first glance, nothing seems out of place.
That is precisely why the scam works.
One travel writer recently experienced this firsthand while preparing for a trip to Dubai. After booking a hotel through a major online platform, he received a WhatsApp message just days later from someone identifying themselves as the hotel manager. The tone was polite and businesslike. The sender explained there was a minor problem with his card details and that his reservation could not be finalized unless he followed a provided link.
The link looked convincing. It even resembled the booking platform’s real web address.
When he clicked, he was taken to a page that appeared identical to the booking site. His reservation details were already visible. The layout, fonts, and colors matched perfectly. There were no obvious red flags.
And yet, it was not real.
What the traveler had unknowingly opened was a replica site designed to harvest personal and payment information. Every number he entered went straight to criminals.
By the time he realized what had happened, his card details had already been compromised.
Cybersecurity experts now believe this scam is spreading rapidly because of how well it blends into legitimate booking processes. Unlike older scams that rely on crude spelling mistakes or suspicious URLs, these operations use stolen business accounts, hacked staff credentials, and detailed reservation data to make their messages appear authentic.
Investigators suspect that hotel staff accounts on booking platforms are being targeted with phishing emails. Once criminals gain access, they can see upcoming reservations and customer contact details. They then pose as hotel employees and reach out directly to guests.
Because many hotels, particularly in parts of the Middle East and Europe, regularly communicate with guests through WhatsApp, travelers often see nothing unusual about receiving a message outside the booking platform.
That familiarity is what lowers defenses.
According to fraud prevention agencies, travelers in the UK alone lost more than ÂŁ11 million to holiday-related scams last year. A significant portion of those losses came from booking-related fraud, including fake accommodation listings, duplicate sites, and payment redirection schemes like this one.
Victims often describe the same feeling afterward: embarrassment mixed with disbelief. Many insist they normally spot scams easily. But in these cases, the messages arrived at the exact right time, contained accurate booking details, and looked indistinguishable from legitimate communication.
The psychological trick is simple. When people believe a problem already exists with their booking, they become focused on fixing it quickly. That urgency overrides caution.
Security analysts say scammers now use artificial intelligence to refine their messages, adjusting tone, grammar, and formatting to match real business communications. Some systems even analyze past hotel responses to mimic writing styles.
Booking platforms themselves acknowledge the risk.
A spokesperson for Booking.com has warned that customers should never enter payment details through links sent by email, text, or messaging apps. The company says all legitimate payment issues are handled directly through its official platform or through verified in-app communication.
The company also urges travelers to carefully check web addresses, noting that even slight variations can indicate a fake site.
But even that advice has limits. In the case described by the travel writer, the website address was only subtly different from the real one. To an average user, it appeared perfectly legitimate.
Action Fraud reports that more than 500 formal complaints have been filed about this specific scam type, with losses exceeding £370,000 — and experts believe the real number is far higher, as many victims never report the crime.
For some, the consequences go beyond money. Identity theft, credit score damage, and months of stress often follow.
One victim described being unable to book future travel without anxiety, constantly double-checking every message and fearing another deception.
Experts say prevention now depends less on technical knowledge and more on strict personal rules:
Never click payment links sent outside official booking apps.
Never enter card details through third-party messages.
Always log into the platform directly instead of using provided links.
Contact customer service if anything seems unusual.
Even then, scammers continue to adapt.
Cybersecurity professionals warn that holiday scams are becoming more personal, more targeted, and more convincing. Instead of sending thousands of generic messages, criminals now focus on fewer victims with highly tailored attacks.
“Cybercrime has become a business,” one expert explained. “And like any business, it’s focused on efficiency. That means better targeting, better messaging, and better deception.”
Travelers are no longer being tricked by obvious lies. They are being misled by realistic imitations of systems they trust.
For the travel writer who nearly lost everything, the lesson was painful but simple: no legitimate company will ever ask for payment details through a messaging app.
He now advises travelers to treat any unexpected message about a booking as suspicious — even if it looks perfect.
Because in today’s digital travel world, the most dangerous scams are the ones that look completely normal.
Emily Johnson is a critically acclaimed essayist and novelist known for her thought-provoking works centered on feminism, women’s rights, and modern relationships. Born and raised in Portland, Oregon, Emily grew up with a deep love of books, often spending her afternoons at her local library. She went on to study literature and gender studies at UCLA, where she became deeply involved in activism and began publishing essays in campus journals. Her debut essay collection, Voices Unbound, struck a chord with readers nationwide for its fearless exploration of gender dynamics, identity, and the challenges faced by women in contemporary society. Emily later transitioned into fiction, writing novels that balance compelling storytelling with social commentary. Her protagonists are often strong, multidimensional women navigating love, ambition, and the struggles of everyday life, making her a favorite among readers who crave authentic, relatable narratives. Critics praise her ability to merge personal intimacy with universal themes. Off the page, Emily is an advocate for women in publishing, leading workshops that encourage young female writers to embrace their voices. She lives in Seattle with her partner and two rescue cats, where she continues to write, teach, and inspire a new generation of storytellers.
