Travelers and lodging operators in Costa Rica are being urged to watch for phishing attempts after Booking.com confirmed that unauthorized third parties accessed some customer reservation information in a cyberattack affecting users worldwide.
The company began notifying affected customers in mid-April after detecting suspicious activity tied to guest booking information. Exposed data may have included names, email addresses, phone numbers, reservation details and information shared with accommodations. Booking.com said financial information was not accessed, but it has not disclosed how many users were affected.
The warning matters here in Costa Rica because the site is widely used by tourists, small hotels, vacation rentals and local hosts. No Costa Rica-specific number of affected users has been released, but travelers who recently booked hotels, rentals or tours through the platform should treat any unexpected message about a reservation with caution.
The main risk is not only the data exposure itself. It is how scammers can use real booking details to make fake messages look convincing. Security reports say criminals may impersonate hotels or Booking.com staff and ask guests to confirm credit card information, make a payment, verify an identity or click a link to prevent a reservation from being canceled.
That kind of fraud can be especially effective because the message may include the traveler’s real hotel name, travel dates or reservation information. Someone heading to Costa Rica could receive what appears to be a legitimate note from a hotel in San José, La Fortuna, Manuel Antonio, Tamarindo or Puerto Viejo, when in fact the message is coming from a scammer.
Booking.com said it updated PIN numbers for affected reservations and notified impacted users. The company has also warned customers that it does not ask for credit card details, bank transfers or sensitive financial information through email, phone calls, WhatsApp or text messages.
Travelers should avoid clicking links in messages claiming there is a problem with a Booking.com reservation. Instead, they should open the app or website directly, check the reservation there, and contact the hotel through verified contact information if anything looks suspicious.
Costa Rica hosts and hotel operators should also review their own security practices. Cybersecurity researchers have previously warned that hotel and accommodation accounts are frequent targets because a compromised property account can give criminals access to guest reservation data. Microsoft reported a phishing campaign impersonating Booking.com that targeted hospitality organizations and used fake prompts to deliver credential-stealing malware.
For those small hotels, cabinas and vacation rental managers here, that means staff should be trained not to open suspicious attachments or follow unusual login instructions. Businesses should use strong passwords, avoid shared logins, turn on two-factor authentication when available, and verify any urgent message claiming to come from Booking.com.
The attack comes as travel-related scams continue to grow across online booking platforms. Fake hotel confirmations, payment-verification scams and messages sent through unofficial channels have become common methods for stealing money from travelers. The danger is higher when scammers have access to real reservation details, because the messages no longer look generic.
Tourists who used the website in recent months should monitor their account, review upcoming reservations and watch bank and credit card activity for unusual charges. Anyone who entered payment details after following a suspicious link should contact their bank or card issuer immediately.
The best rule to follow for travelers is to make sure not to pay outside the official Booking.com platform unless the payment process was clearly stated at the time of booking and can be independently verified with the hotel. Any message that creates urgency, threatens cancellation or asks for card details through WhatsApp, email or text should be treated as suspicious
