A new scam is targeting users of the accommodation site Booking.com, demanding their payment details be confirmed by a link that leads to a phishing site.

The scammers have been utilising Booking.com’s official email address, ‘[email protected]’, and the messaging feature in the Booking.com app. For many users, a potential scam sent out through the site’s official channels signalled some alarm bells. 

There have been numerous claims of other users receiving messages from hotels across Japan, Europe, and other popular overseas locations over the past two months. A customer on Reddit said that she received an "obviously scammy message" claiming to be from a hotel she booked in Sanur, Bali. 

Typically, the message or email is received shortly before the customer is due to check in, has checked in, or has just booked the accommodation. The scam message claims that the stay will be cancelled if payment details are not confirmed via the provided link, and if they fail to do so within 4 to 12 hours, the scammer will "cancel the reservation". 

Booking.com has denied its system has been hacked and has instead blamed the scam on a breach of their partner hotels’ email systems. After being notified about the scam, a Booking.com spokesperson told 7NEWS, “As a rule, it's important to remember that Booking.com will never require customers to provide credit card details by text, message, or email”. They also recommended customers contact the 24/7 customer service support team if they're questioning the validity of a message they received.

If you receive a sketchy message from a hotel you’ve booked, it's a good idea to contact the hotel directly. One user wrote on Reddit, “I almost fell for this, but thankfully got in touch with the hotel directly and they confirmed it was a scam”. As an extra precaution, we also recommend changing your Booking.com password and being wary of any odd grammatical errors or spelling mistakes in messages or emails that could point to it being a scam.