
HKCERT Urges Summer Travellers to Beware of Phishing and Scams Targeting Travel Booking Platforms and Instant Messaging Apps

(Image created using generative AI and reviewed under professional human supervision.)

(Hong Kong, 29 June 2026) With summer holidays just around the corner, many citizens are booking flights and hotels, and planning trips. The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) urges the public to stay vigilant: scammers are exploiting increased travel demand to launch phishing attacks related to travel bookings.

HKCERT recently spotted scammers using genuine reservation details, suspected to have originated from an earlier Booking.com data leak, to impersonate the platform or hotels and send phishing emails and WhatsApp messages to travellers. HKCERT has also received reports of WhatsApp account takeovers. Scammers may set up phishing sites that resemble the official WhatsApp website to trick users into pairing their accounts to attacker-controlled devices. In some cases, they may also exploit known, older vulnerabilities in unpatched operating systems and outdated WhatsApp versions to hijack accounts.

A phishing website impersonating Booking.com, claiming that users must enter credit card details to proceed with the booking.

Booking.com Leak Fuels "Hyper-targeted" Phishing Scams
HKCERT has previously issued a phishing alert about this trend, warning the public about messages that impersonate Booking.com or hotel booking notifications. Using suspected leaked booking details, scammers send convincing emails and WhatsApp messages to travellers, claiming issues such as “booking problems” or “payment authorisation failed”, or urging users to update payment details within a limited time to avoid cancellation.

As these messages may include genuine details such as the traveller’s name, hotel name, check-in dates or itinerary, victims are more likely to trust them. They may then click links to fake login, payment or verification pages and enter account passwords, credit card information or one-time passwords, resulting in financial loss or personal data exposure.

A phishing webpage impersonating an online travel booking platform

A phishing website impersonating an online travel booking platform’s payment verification page

Hijacked WhatsApp Account Used for Further Fraud 
Beyond travel-booking-related scams, HKCERT has recently received cases involving hijacked WhatsApp accounts. Scammers may send messages falsely claiming that a user’s WhatsApp account has been “locked due to security risks”, urging them to click a phishing link to verify or unlock it. They may also host phishing sites that closely resemble the official WhatsApp website. After a victim lands on the phishing site, if they use WhatsApp’s “Linked devices” feature to scan the QR code shown on the phishing site, or select “Link with phone number” and enter a so-called verification code shown on the phishing page, their WhatsApp account may be linked to an attacker-controlled device. The attacker can then access the account without authorisation and impersonate the victim to send fraudulent messages to family, colleagues or business contacts, causing further losses.

In addition, recent overseas research shows that some iPhone users may have their accounts hijacked even without clicking suspicious links, scanning QR codes, entering verification codes, or linking any new device in WhatsApp. Attackers may exploit known, older vulnerabilities in iOS and WhatsApp to take over accounts without user interaction. This shows that account compromise is not always due to falling for phishing or user error; using devices and apps running older system versions also carries risk.

HKCERT advises users to promptly update their systems and WhatsApp to the latest versions, enable WhatsApp’s two-step verification, and watch for any unusual account activity. For more details, please refer to the HKCERT security bulletin: https://www.hkcert.org/security-bulletin/whatsapp-security-restriction-bypass-vulnerability_20250901

Phishing page impersonating the official WhatsApp website.

Scammers Exploit Real Details and a Sense of Urgency to Make Victims Let Their Guard Down
Recent phishing attacks often combine real data (e.g. username, hotel name, check-in date, booking details) with urgent language such as “account locked”, “payment failed”, or “booking will be cancelled if not handled immediately”, pressuring users to act before verifying.

Phishing is not limited to email. Scammers increasingly send messages via WhatsApp and other instant messaging platforms, steering victims to fake websites where they are asked to enter credit card information and one-time passwords, and even to operate account security features, making the ploy more deceptive.

In addition, during major sporting events such as the FIFA World Cup, related topics are frequently exploited by scammers to launch phishing attacks. Scammers may set up fake ticketing websites, post on social media, or send messages impersonating official sources, and use lures such as “limited-time discounts,” “insider tickets,” and “free or low-cost live streams” to trick users into clicking phishing links, making payments, or installing fake apps, ultimately stealing personal and financial data, including credit card information.

HKCERT's Cybersecurity Advice 
To enjoy safer travel this summer and protect your personal data, finances and accounts, HKCERT recommends the following measures:

  • If you receive notifications about travel bookings, payments or account security, verify directly via the official app or by manually entering the official website address. Do not click links in messages.
  • Carefully check the sender’s email address and the full URL. Even if a message includes real names, hotel names, check-in dates or other itinerary details, do not assume it is genuine; confirm via official channels.
  • Never enter account passwords, credit card details, one-time passwords or other sensitive personal data on suspicious websites.
  • Only download apps from official sources and do not install apps from unknown sources.
  • Regularly update the operating system and apps on your phone and other mobile devices to the latest versions and enable automatic updates to reduce risk.
  • Do not trust messages claiming your WhatsApp account is locked and asking you to click a link to verify or unlock.
  • Do not scan unknown QR codes, and do not, at the instruction of unfamiliar websites, use WhatsApp’s “Linked devices” feature to link any device.
  • Regularly review WhatsApp’s linked devices list and remove any unknown devices immediately.
  • Use strong passwords and multi-factor authentication, and enable WhatsApp’s two-step verification to strengthen account protection.
  • Regularly check bank and credit card transactions and enable transaction alerts to spot unauthorised activity early.
  • If friends or family send unusual requests via messaging apps (e.g. asking for money, verification codes or to click a link), verify their identity through another channel first.
     

If You Suspect You have been Compromised, Act Immediately
If you suspect that you have entered personal information, login credentials or credit card details on a suspicious website, or that your WhatsApp account has been hijacked, take the following steps immediately:

  • Stop communicating with the scammer and do not provide any further personal, account or financial information.
  • Immediately change the passwords for the affected platforms and any other accounts that use the same or similar passwords.
  • Contact your bank or card issuer at once to report the incident and request protective measures.
  • Check WhatsApp’s “Linked devices”, remove any unknown devices, and enable or reset two-step verification.
  • Inform family, friends and contacts that your account may have been compromised to prevent impersonation scams.
  • Preserve evidence, including suspicious emails, message screenshots, URLs, website captures and transaction records, for follow-up and reporting.
     

-Ends-
