Booking.com QR Code Scam: What It Is and What to Do
A message arrived — through Booking.com's own chat, by email, or by text — asking you to scan a QR code to confirm a payment, pre-authorize your card, or “secure your booking.” Booking.com never sends QR codes for payment. Here's how this scam works and exactly what to do if you already entered your details.
The compromised-messaging attack (the most dangerous variant)
Booking.com has publicly warned travelers about a scam that is uniquely convincing because it arrives through the platform's own messaging system. Here is how it works: attackers target hotel and property staff with phishing emails or malware, gaining access to the property's Booking.com partner account. Once inside, they send messages to recent or upcoming guests directly through the official Booking.com thread — the same channel the real property uses to send check-in instructions.
The message claims the guest's payment method failed to pre-authorize and that the booking will be cancelled unless they re-confirm payment by scanning a QR code within a short window. Because the message appears inside the authentic Booking.com interface — complete with the property name, reservation details, and the familiar Booking.com design — most guests have no obvious reason to doubt it.
The QR code leads to a fake payment page designed to mimic Booking.com's checkout experience. Card details entered on that page go directly to the scammer. The real property receives no payment, and the guest discovers the fraud only when checking bank statements or arriving to a property that has no record of the interaction.
The rule that breaks this scam: Booking.com never asks guests to pay via QR code — not for pre-authorization, not for deposits, not for anything. If a pre-authorization is needed, Booking.com handles it automatically through the card you stored at booking. Any message — even one that appears inside the Booking.com app — asking you to scan a QR code to pay is fraudulent.
The fake Booking.com email scam
A second common variant arrives as a phishing email crafted to look exactly like an official Booking.com message. Attackers reproduce Booking.com's logo, typography, color scheme, and standard email formatting. The subject line is usually something like “Action required: verify your upcoming reservation” or “Complete your check-in for [property name].”
Embedded in the email is a QR code labeled “View your itinerary,” “Complete your reservation,” or “Confirm your payment method.” Scanning the code opens a convincing Booking.com login lookalike hosted on a domain the attacker controls — usually a slight variation on “booking.com” such as a hyphenated version or a different top-level domain. You enter your email and password thinking you're logging into your account and handing your credentials directly to the scammer.
Legitimate Booking.com emails and booking-confirmation pages never contain a QR code. If you receive one, go directly to booking.com in your browser — do not tap the QR code or any link in the email.
The off-platform host message scam
A third variant bypasses the Booking.com platform entirely. After a booking is confirmed, the scammer — posing as the property owner or host — contacts the guest directly by WhatsApp, SMS, or a personal email address. They explain that they prefer to handle a small fee or deposit outside the platform to avoid Booking.com's commission, or claim there was a technical issue and provide a QR code to “sort it out quickly.”
Scammers in this scenario may have obtained the guest's contact information from a data breach or, in some cases, by impersonating the real property and requesting contact details through the platform. The QR code leads to a payment page collecting card or bank transfer details for money the real property never receives.
Legitimate hosts do not move financial conversations off the Booking.com platform. If a contact claiming to be your host asks for payment by QR code — through any channel other than Booking.com's official payment system — treat it as a scam, do not pay, and report it to Booking.com.
What to do right now
If you only scanned and closed the page without entering anything: Your risk is very low. Monitor your accounts and report the incident to Booking.com support.
If you entered card or payment details:
- Call your card issuer immediately using the number on the back of the card. Report the number as potentially compromised, freeze or cancel the card, and dispute any unrecognized charges. Time is critical — the sooner you call, the better your chance of recovering funds.
- Contact Booking.com customer support at booking.com/help. Report the fraudulent message so their trust and safety team can investigate the compromised property account and warn other guests.
- File a report with the FTC at reportfraud.ftc.gov. If the fraud involved an international property, you can also report to your local consumer protection authority.
If you entered your Booking.com login credentials:
- Go to booking.com immediately and change your password. If the attacker has already changed it, use “Forgot password” with your email address to regain access.
- Check your upcoming reservations for any unauthorized changes, cancellations, or new bookings charged to your saved payment methods.
- Enable two-factor authentication in your Booking.com account settings.
- If you use the same password elsewhere, change it on all those accounts and use a unique password for each going forward.
For broader guidance on recovering from a QR code scam, see hotel QR code scams: what to check at check-in. If you paid via Airbnb or VRBO and encountered a similar scam, see Airbnb QR code scam or VRBO QR code scam.
Frequently asked questions
Does Booking.com ever send QR codes for payment?
No. Booking.com processes all payments through its own platform. It never sends QR codes via email, text, or even its own messaging system asking you to pay a deposit or pre-authorization. Any QR code related to a Booking.com stay — wherever it arrives — should be treated as a scam. Go directly to booking.com or the app to manage your reservation.
What is the Booking.com compromised-messaging scam?
Attackers gain access to a hotel's Booking.com partner account — usually by phishing hotel staff — and then send fraudulent payment QR codes to guests through the official Booking.com messaging thread. Because the message arrives inside the real platform, it appears authentic. The QR code leads to a fake payment portal. The real hotel never receives the payment. Always verify any payment request by calling the property directly using a phone number from the official website.
I entered my card details or Booking.com password after scanning — what do I do?
For card details: call your issuer immediately, freeze the card, and dispute any charges. For Booking.com credentials: go directly to booking.com, change your password, enable two-factor authentication, and review your reservations and payment methods. Report the incident to Booking.com support and to the FTC at reportfraud.ftc.gov.
Check any QR code before you scan
QRsafer previews the destination URL of any QR code — giving you a Safe, Risky, or Dangerous verdict before your browser opens it. Free on iOS and Android.