Phishing campaigns “I Paid Twice” targeting Booking.com hotels and customers

Intel Name: Phishing campaigns “I Paid Twice” targeting Booking.com hotels and customers

Date of Scan: November 7, 2025

Impact: High

Summary:
A global phishing campaign is targeting the hospitality industry, exploiting compromised Booking.com accounts and WhatsApp messages to defraud hotel customers. The attackers gained access to hotel systems through infostealer malware, stealing credentials for booking platforms like Booking.com and Expedia. These credentials were later sold or misused to send fraudulent emails that appeared legitimate because they drew on stolen customer and reservation data. The campaign, dubbed “I Paid Twice,” highlights the ClickFix social engineering tactic, in which victims unknowingly compromised hotel accounts, leading to banking fraud and to customers being tricked into double payments.
