Week 22: Targeted phishing campaign impersonating booking platforms and hotels

02.06.2026 - The NCSC has noted an uptick in reports of fraudulent WhatsApp messages relating to hotel bookings. The perpetrators are using particularly sophisticated and highly convincing scams to obtain credit card details from their victims.

To do this, fraudsters refer to real hotel bookings to make their scams seem more plausible. The NCSC is aware of two different, personalised variants of this scam. The specific approach and pretext differ, but the overall objective is the same.

Variant 1: Refund scam

In the first variant, victims receive an unsolicited WhatsApp message that appears to come from customer service at Booking.com, or directly from the hotel where they booked a room. The danger lies in the high credibility of these messages, as the criminals refer to actual bookings with the correct dates of stay, the name of the hotel and the exact names of the guests. Victims are led to believe that an error occurred during the original booking and that they are now entitled to a refund (‘cashback’ or ‘refund’). The message recipients are asked to click on a link to receive the money. This link points to a deceptively genuine-looking phishing website imitating TWINT, and then leads to a second phishing page purporting to belong to a bank, where the victims are prompted to enter their credit card details.

WhatsApp message regarding a refund from the alleged hotel leads to a phishing landing page.
WhatsApp message regarding a refund from the alleged hotel.

The reason why the perpetrators have such precise information about past hotel stays is a data leak in the Booking.com environment in April 2026. Criminals gained access to sensitive data as a result and are now exploiting this data in a targeted manner through personalised scam messages.

Variant 2: Account takeover via hacked hotel systems

In the second, albeit long-known, variant of this scam, criminals use phishing techniques or malware to obtain login details for hotel booking systems. Once they achieve this, the fraudsters gain direct access to user accounts on the booking systems (‘account takeover’), enabling them to target existing or future bookings. Customers are then often contacted via the platform’s official messaging system or additionally via email or WhatsApp. The perpetrators create a sense of urgency by claiming that the booking will be cancelled unless credit card details are verified immediately via a link or an advance payment is made.

WhatsApp messages from a hotel requesting an update of credit card details.

Regardless of whether the aim is to obtain an alleged refund or confirm an upcoming booking, recipients are always asked to click on a provided link to complete the process. This link leads to a deceptively authentic-looking phishing website, where the victims are tricked into entering their credit card details.

Recommendations

Since the messages appear highly credible due to the correct details and seemingly authentic senders, extreme caution is currently advised. The NCSC recommends the following:

  • Be extremely wary if you receive unsolicited messages regarding refunds or urgent credit card verification – even if the sender knows your exact booking details.
  • Under no circumstances should you click on links in such messages, and never enter your credit card or bank details on the linked pages.
  • If you are unsure whether a message is legitimate, log in to your booking account directly via the official app or website (without using any links from the message) or call the hotel using the official phone number that you have looked up yourself.
  • You will never be asked to provide login details or scan QR codes to receive a refund.
  • If you have already entered your card details on such a page, contact your bank or credit card company immediately to block the card.
  • If you have suffered financial loss, report the incident to your local police. You can search for police stations near you on the Suisse ePolice website.

Last modification 02.06.2026


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2026/wochenrueckblick_22.html