Online scams are becoming not only more prevalent, but more sophisticated – gone are the days of easy-to-spot, poorly run scams that can be identified with just a little awareness.
For those travelling abroad, this can be especially scary.
The prospect of having your personal information leaked while abroad is deeply unsettling.
Earlier this week, Booking.com suffered a security breach with customers’ data leaked to a ‘third party’.
Thousands of customers from Booking.com received an email on Monday morning warning their information may have been affected by the breach.
That information could include ‘booking details, names, emails, addresses, phone numbers, and anything that you may have shared with the property’.
‘We recently noticed suspicious activity affecting a number of reservations and immediately took action to contain the issue,’ the email said.
‘The security of your personal information is our utmost priority. We’ll continue to enhance and extend the robust security measures we have in place to secure your reservations with us.’
Booking.com suffered a security breach with the leaking of some guest information
Luis Corrons, Security Evangelist at Gen, says leaked information can be turned into convincing fraud
Reservation PIN numbers were changed as part of the company’s effort to keep existing bookings secure.
In light of the rise in travel-related scams, the Daily Mail has talked to experts about the impact the Booking.com data breach will have on holidaymakers.
First and foremost, the incident is scary because of of its future consequences – not just the initial wave of scams.
Chris Skipworth, CEO of secure collaboration tool Passpack, said: ‘The real risk here isn’t just the breach itself; it’s what comes next. We’re already seeing reports of targeted WhatsApp messages and phone calls that reference real reservations.
‘Attackers know that travellers are under time pressure; if someone tells you there’s a problem with your booking three days before your flight, the natural instinct is to act immediately rather than pause and verify. That urgency is exactly what criminals exploit.’
Luis Corrons, Security Evangelist at Gen, echoes this, saying: ‘The concern with a breach involving a major travel platform like Booking.com extends further than the exposure of personal data – it’s about how easily the information can be turned into convincing fraud. Even relatively basic details such as names, booking references, travel dates or contact information can be enough to make a message feel authentic and routine.
‘What tends to follow incidents like this is a wave of highly targeted scams that blend into the travel experience itself.
‘Because attackers are working with real data, they don’t need to invent a story – they can mirror genuine booking communications and make fraudulent messages look like standard pre-travel updates or customer service requests.
‘The risk for travellers is that accuracy can create false confidence. A message that contains correct booking details can still be malicious if it introduces pressure, whether that’s a request to verify information, update payment details, or act within a short timeframe.
‘If you think you may have been affected, the key is not to engage with messages at face value. Even if they appear legitimate, the safest approach is to treat them as unverified and go directly to the official booking app or website, or contact the accommodation directly using details you trust.’
It’s clear that scams have become far more complex and specific – and therefore harder to spot.
Chris added: ‘What makes travel platform breaches so dangerous is the specificity of the stolen data. Attackers aren’t sending generic spam anymore; they’re crafting messages that reference your exact hotel, your check-in date, and your booking reference number.
‘That level of detail makes a phishing email almost indistinguishable from a genuine communication. We’ve seen this pattern accelerate dramatically since 2023, with Booking.com itself reporting up to a 900 per cent increase in travel-related scams.
‘Each new breach hands attackers a fresh dataset to weaponise, and this one gives them everything they need to build highly convincing follow-up scams.’
Email impersonation phishing uses the hotel name, where the attacker poses as a legitimate accommodation and sends a pre‑arrival message
So, what can travellers do to stay safe?
Chris advises: ‘The single most important rule is: never act on a link or phone number provided in an unexpected message.
‘If you receive an email or text about your booking, go directly to the Booking.com app or website by typing the address yourself, and check your reservation status there.’
Vonny Gamot, head of EMEA at online protection company McAfee, said: ‘In the wake of a data breach, it’s wise to be cautious.
‘Scammers are likely to capitalise on the situation, posing as Booking.com or other legitimate organisations offering you help to get back into your account – a common tactic after a breach.
‘It’s also important to understand that your information could be used to create a ripple effect of scams targeting your other online accounts. But it isn’t difficult to stay one step ahead and feel confident about your online safety. ‘
Vonny shared her top tips to take control of your personal information and online safety.
‘Number one: Assume you’re affected. Even if you haven’t received notification from Booking.com, assume your information may have been compromised if you are or have been a customer. Companies often take weeks to identify all affected individuals.’
Vonny Gamot, head of EMEA at online protection company McAfee, advises enabling Two-Factor Authentication across devices and accounts
Targeted messages with real details and accurate booking confirmations are more common
She adds you should change passwords immediately.
She says: ‘Thirdly, enable Two-Factor Authentication everywhere: if you haven’t already, enable two-factor authentication (2FA) on all accounts that support it across all banking, email, and shopping accounts. This adds a crucial second layer of security.’
You should also check bank statements, credit card bills, and investment accounts for any unusual activity. Set up account alerts if you haven’t already, many financial institutions offer real-time transaction notifications.
Vonny’s fifth tip is as follows: ‘Consider online protection tools: McAfee’s Scam Detector can also alert you to suspicious text messages and emails that you receive, which is particularly valuable in the aftermath of a breach when criminals often launch targeted phishing campaigns using stolen contact information.’
Booking.com allows customers to make reservations at more than 28-million accommodations around the globe.
It also offers bookings for flights, rental cars and attractions.
The company recommended customers install antivirus software to help protect them against threats, like phishing attempts.
It is unclear how many customers were affected by the breach.
Booking.com said no financial information or physical address were leaked.
