I got phished!
Published: Tue Jun 16 2026
Over the years I have seen many clever phishing attempts. These ranged from copy-cat websites, barely noticeable non-English characters in the domain—such as https://paypał.com, or contact from seemingly legitimate email addresses and phone numbers. I consider myself to be vigilant and fortunately I haven’t fallen for any of these previous attempts. However, this morning I got tricked into inputting my credit card details on a fraudulent website. I am not proud of myself but I am sharing this story in the hope that it might help others.
It started this morning when I received a WhatsApp message from a Business account with the +1 country code.

I was immediately suspicious because the message indicated urgency and I did not recognize the domain. Here is the full text—I redacted the Hotel Name, Reservation ID, URL:
Hello, dear Kevin!
Thank you for choosing [Hotel Name] for your upcoming stay!
To secure your reservation [Reservation ID] and guarantee a seamless check-in experience, kindly complete the verification form via your exclusive link below. This step is mandatory to protect against unauthorized payment activity and ensure guest safety.
Please note: This form must be submitted within 12 hours from now. Failure to do so will result in automatic cancellation of your booking for 18-11-2026 15:00 – 21-11-2026 11:00, and we will be unable to accommodate you.
Your private verification link (expires in 12 hours):
[Link]
We appreciate your prompt attention and can’t wait to welcome you at [Hotel Name]!
Warm regards,
Front Desk Team
[Hotel Name]
The message contained my name, the hotel, my reservation ID, and the correct dates of my stay at this accommodation. This indicated that whoever sent this message had access to my booking details—which implied that this message came from either Booking.com or the Hotel. I was suspicious but still not convinced, so I opened the link using Incognito.

As can be seen by the preceding screenshot, the website interface was very polished and the form was prepopulated with my name, the hotel details, the amount I will be paying, and the correct dates. I replaced the photo of the hotel with a stock photo of Amsterdam and redacted the hotel’s name and address.
After submitting the above form, I was asked to input my credit card details. OK, now I need to be extra careful. The website text reassured me that the credit card is only needed for securing the booking and any funds withdrawn will be refunded. This matched the booking policy for this accommodation.
Before proceeding with the form, I wanted to do one last check. I opened a new tab and tried to open a variation of the website’s URL by incrementing the Reservation ID. So if my unique link was example.com/p/81111 I tried example.com/p/81112, example.com/p/81113 and so on. My reasoning was that if I could input a reservation ID and get access to another person’s booking, then I can be sure that the website was illegitimate (or terribly insecure). I tried a couple of different URLs but they all returned a 404—the styling of the 404 page matched Booking.com’s. That gave me some confidence (foolishly!) that the URL was unique to my booking/user.
I then opened the on-site chatbot and sent it a query asking who they were.

The result seemed fairly standard chatbot material. The full reply read:
I am a Booking.com support Agent.
🔐 A mandatory one-time verification is required to confirm your booking before check-in. This standard security step ensures your reservation due to high demand at this property. We’ve implemented enhanced verification for popular destinations to protect all guests and prevent overbookings.
📋 Please return to the website, complete the required verification fields, and submit. Your payment is secure — this final step locks in your reservation permanently.
🔔 We apologize for this additional step. Thank you for your understanding and for choosing our service!
I was still not entirely convinced, but I decided to input my credit card details and submit the form anyway. 😔
Right after submitting the form, my doubts got the better of me and I called the bank to block my credit card as a precaution.
Once my kids were at school and the home was a bit quieter, I sat down at my computer to investigate further. Coincidentally, two days earlier Booking.com had attempted to withdraw funds for a different reservation but it failed because of 3DS. Booking.com had sent me an email in which they gave me a 24-hour deadline to update my card details. In hindsight there were many red flags, but the morning hustle and my recent experience with Booking.com were enough for me to lower my guard and fall for this attack.
The primary thing that was still confusing me was the level of detail that the attacker had of my reservation. My personal details, phone number, reservation number, and reservation date. Could it be that Booking.com or the hotel had a data breach that was actively being exploited?
So I re-attempted the previous exercise of cycling through random URLs. After a few iterations I got a hit. Another booking for a certain Rosario at the same hotel. The date and price were updated to reflect this person’s booking (they must be in the presidential suite because they are paying four times my rate!). I tried a few more URLs and now I am getting a lot of hits. Doralina, Fernandes, Thomas, Marilena. There must be hundreds of them and they all have one item in common. The hotel. The hotel must have been hacked. The hackers got access to guests’ booking details and used them to reach out to the guests impersonating the hotel. Crap!
I reached out to Booking.com and the hotel to inform them of the breach, but I have not received a reply so far.
As for me, thankfully no funds were withdrawn and I got away with it. However, it was a close one and now I need to go through the hassle of getting a new card.
Should it really be the customers’ responsibility to recognize if the hotel or vendor got hacked? How can we protect ourselves in an era where AI tools make phishing attacks cheaper to implement yet more sophisticated and harder to detect?
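The lookalike domain mentioned at the start (https://paypał.com) and the unrecognized domain in the WhatsApp link can both be checked mechanically before a link is trusted. The sketch below is an added example, not part of the original post; the `EXPECTED` list, the fold table and all function names are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: domains the recipient genuinely expects for this transaction.
EXPECTED = ("booking.com", "paypal.com")

# Stroke letters have no Unicode decomposition, so NFKD alone leaves them intact.
# Constructed, deliberately tiny fold table; a real checker would use the
# Unicode confusables data instead.
STROKE_FOLD = str.maketrans({"ł": "l", "ø": "o", "đ": "d"})


def display_host(url):
    """Lower-cased hostname with any punycode (xn--) labels decoded to Unicode."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not decodable: keep as typed


def skeleton(host):
    """Fold accents and stroke letters so look-alike hosts compare equal."""
    decomposed = unicodedata.normalize("NFKD", host.translate(STROKE_FOLD))
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def classify_link(url, expected=EXPECTED):
    """Return 'expected', 'lookalike' or 'unexpected' for the link's host."""
    host = display_host(url)
    if any(under(host, d) for d in expected):
        return "expected"
    if any(under(skeleton(host), d) for d in expected):
        return "lookalike"  # only matches after folding: homograph of a known brand
    return "unexpected"     # includes brand names used as a prefix of another domain
```

A link such as `example.com/p/81111` comes back as `unexpected` no matter how polished the page behind it looks, which is the signal that mattered in this story.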