Fake Booking.com / Hotels.com / Expedia credential phishing — non-OTA sender impersonates travel booking platforms with fake payout-on-hold, payment-declined, unusual-login, or refund-pending alerts designed to harvest host banking details or guest credit card information

Phishing emails impersonating Booking.com, Hotels.com, or Expedia targeting either hosts or guests. Host-targeting variants: fake payout-on-hold notices claiming the host's banking information cannot be verified and requesting account re-authentication to release earnings — the login page harvests Booking.com Extranet credentials. Guest-targeting variants: fake payment-declined alerts threatening automatic reservation cancellation unless the guest updates their credit card, or fake unusual-login security alerts restricting account access until identity is verified. Key facts: (1) FTC 2024: travel platform impersonation phishing surged 200% — Booking.com is the most impersonated OTA globally, receiving 3x more phishing reports than Expedia and Hotels.com combined; (2) Real Booking.com host payouts are managed entirely within the Extranet — Booking.com will NEVER send an unsolicited email with a "verify banking details" link; (3) Real Hotels.com and Expedia payment failure notices only arrive after a failed charge attempt on a confirmed booking — they always include your booking reference number, which phishing emails typically omit; (4) Legitimate OTA security alerts come from verified domains (@booking.com, @hotels.com, @expedia.com) and never include urgent "account suspended" language without a prior login attempt. Warning signs: non-OTA sender domain, payout/payment urgency without booking reference, request for banking details or card re-entry via email link, "account temporarily restricted" framing.