Cybersecurity often focuses on external attackers, but the Booking.com “I Paid Twice” campaign shows how insider accounts can be weaponized to devastating effect. This incident is not just another phishing story. It is a case study in how attackers exploit trust, compromise insider access, and turn legitimate communication channels into tools of fraud.
How the Scam Unfolded
Guests at Booking.com hotels began receiving messages through the official platform. The messages asked them to re-confirm or repay their reservations. On the surface, nothing seemed unusual. The communication came from the same system guests had used to book their stays. The branding looked correct. The sender appeared to be hotel staff.
But clicking the links led to malware downloads or fraudulent banking sites. Victims were tricked into entering payment details or downloading malicious files. The campaign was dubbed “I Paid Twice” because guests were asked to pay again for reservations they had already secured (BleepingComputer, November 2025).
Why This Was Insider-Related
The critical detail is that attackers did not spoof Booking.com from the outside. They compromised legitimate hotel staff accounts inside the Booking.com partner portal. These accounts were trusted by both the platform and the guests. Once inside, attackers could send messages that looked authentic because they were authentic.
This is what makes the incident insider-related. Even if hotel employees were not malicious, their accounts became insider conduits for external attackers. In some cases, insiders may have been tricked or bribed into handing over access. In others, credentials were stolen but still tied to legitimate accounts. Either way, attackers weaponized insider trust to bypass skepticism and filters.
Hospitality as a Target
Hotels are uniquely vulnerable to insider-related risks. Staff handle sensitive guest information, process payments, and communicate directly with customers. Their accounts are trusted by Booking.com and by guests. That trust makes them prime targets.
Unlike corporate IT departments, hotel staff may not receive the same level of cybersecurity training. They may reuse passwords or fall for phishing attempts. Once compromised, their accounts provide attackers with a direct line to guests. This is why hospitality staff are increasingly targeted as insiders, more so than their counterparts in many other industries.
The Booking.com case shows that attackers understand the psychology of trust. Guests are far more likely to believe a message from their hotel than a random email. By hijacking insider accounts, attackers bypass the usual defenses and exploit human confidence.
The Ripple Effects
The impact of the “I Paid Twice” campaign went beyond individual victims.
- Guests: Many suffered financial loss, identity theft, or disrupted travel plans.
- Hotels: Their reputations were damaged. Guests who believed they were communicating with trusted staff suddenly found themselves victims of fraud.
- Booking.com: The platform faced questions about its ability to protect insider accounts and prevent misuse.
This incident also highlights the reputational risk of insider threats. Even if the platform itself was not breached, the perception of insecurity can erode trust among customers.
Lessons for Organizations
- Protect insider accounts. Even non-technical staff need strong authentication and training.
- Segment access. Limit what hotel staff accounts can do to reduce the impact of compromise.
- Monitor anomalies. Detect unusual messaging patterns before they spread to guests.
- Educate employees. Make staff aware that their accounts are valuable targets.
- Communicate transparently. Inform guests quickly when insider accounts are compromised.
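As an added example (not code from the original post, and not anything Booking.com runs), here is a first-pass detector for the "monitor anomalies" lesson: it scans a constructed partner-portal message log and flags a staff account that sends payment or re-confirmation links pointing off the platform to many different guests within a short window, the burst pattern a hijacked account produces. The platform domain, log fields, keywords and thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

PLATFORM_DOMAIN = "booking.com"  # assumed platform domain; links elsewhere are off-platform
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PAYMENT_RE = re.compile(r"re-?confirm|pay(?:ment)?\s+again|card details", re.I)
WINDOW = timedelta(minutes=15)
RECIPIENT_THRESHOLD = 5  # distinct guests per window before an account is flagged

# Constructed partner-portal message log: (timestamp, staff account, guest id, body).
SAMPLE_LOG = [
    ("2025-11-03T09:00:00", "hotel_alpha_frontdesk", "g101",
     "Check-in is from 15:00, see https://www.booking.com/help for directions."),
    ("2025-11-03T09:05:00", "hotel_alpha_frontdesk", "g102", "Your room is ready, welcome!"),
    ("2025-11-03T11:00:00", "hotel_alpha_frontdesk", "g103", "Card declined, pay again at https://pay.example/x"),
]
# One account messages six different guests in ten minutes with an off-platform 're-confirm' link.
SAMPLE_LOG += [
    (f"2025-11-03T10:{m:02d}:00", "hotel_beta_reception", f"g{200 + m}",
     "Your payment failed. Please re-confirm your card details at https://booking-secure-pay.example/r")
    for m in (0, 2, 4, 5, 7, 9)
]

def off_platform_links(body):
    """URLs in the body whose host is neither the platform domain nor one of its subdomains."""
    def off(host):
        return host != PLATFORM_DOMAIN and not host.endswith("." + PLATFORM_DOMAIN)
    return [u for u in URL_RE.findall(body) if off((urlparse(u).hostname or "").lower())]

def is_suspicious(body):
    """A message that asks for payment/re-confirmation and sends the guest off the platform."""
    return bool(off_platform_links(body)) and bool(PAYMENT_RE.search(body))

def flag_accounts(log):
    """Map account -> max distinct guests reached with suspicious messages inside any WINDOW,
    only for accounts that exceed RECIPIENT_THRESHOLD (a single odd message is not flagged)."""
    events = defaultdict(list)
    for ts, account, guest, body in log:
        if is_suspicious(body):
            events[account].append((datetime.fromisoformat(ts), guest))
    flagged = {}
    for account, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            guests = {g for t, g in evs[i:] if t - start <= WINDOW}
            if len(guests) > RECIPIENT_THRESHOLD:
                flagged[account] = max(flagged.get(account, 0), len(guests))
    return flagged
```

Running `flag_accounts(SAMPLE_LOG)` returns only the burst account; the single off-platform payment message from the other account stays below the threshold and would be handled by a lower-severity alert rather than an automatic lockout.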
Final Thoughts
The Booking.com “I Paid Twice” campaign is a reminder that insider threats are not confined to corporate offices. They can emerge in hotels, schools, factories, and anywhere trust and access intersect. Attackers know that insider accounts carry credibility. By compromising them, they bypass skepticism and filters.
For cybersecurity professionals, the lesson is clear. Insider threats are diverse, global, and evolving. Protecting against them requires not only technology but also awareness, training, and vigilance across every sector.
Sources
- BleepingComputer. “Booking.com hotels targeted in ‘I Paid Twice’ phishing campaign.” November 2025.