
Booking.com Phishing Scam Exploits Sneaky Unicode Character


Booking.com phishing scam campaigns are using a deceptive Unicode character to trick users into visiting malicious sites. The attack replaces expected URL symbols with a Japanese hiragana character that closely resembles common punctuation. This clever substitution makes fake links appear genuine, leading victims to phishing pages that install dangerous malware.

How the Scam Works

Cybercriminals insert the hiragana character “ん” (Unicode U+3093) into URLs. On most devices, it looks similar to a forward slash or tilde, causing unsuspecting users to believe they are clicking on a legitimate Booking.com link.

For example, a phishing link may appear as:

https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/

The real domain in this case is www-account-booking[.]com, not Booking.com. The fake link then prompts the download of an MSI installer from a content delivery network. Once executed, this file can deploy malware, such as infostealers or remote access trojans.

Homoglyph Attacks Explained

This is a form of homoglyph attack, where attackers use lookalike characters from different alphabets to mimic legitimate domains. By exploiting how quickly people skim URLs, scammers can bypass casual checks and increase their success rate.

Connection to Other Phishing Campaigns

Security researchers also discovered a similar campaign targeting Intuit customers. In that attack, scammers replace the uppercase “I” in “Intuit” with a lowercase “L” to create “Lntuit.” In certain fonts, the change is almost invisible, making it easy to lure victims.

Risks for Victims

Falling for these phishing campaigns can have severe consequences:

  • Stolen login credentials for Booking.com accounts.
  • Compromised personal or financial information.
  • Malware infections that allow remote control of devices.

How to Stay Safe

You can avoid falling victim to the Booking.com phishing scam by following these precautions:

  • Hover over links before clicking to reveal the true destination.
  • Check the registered domain carefully — only trust booking.com, not variations.
  • Keep your antivirus software and operating system up to date.
  • If in doubt, access Booking.com directly through its official app or by typing the URL in your browser.
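
The registered-domain check from the list above, as an added example that is not part of the original article: it splits a link the way a URL parser does, reports the domain that actually receives the request, and names any non-ASCII characters hidden in the hostname. The helper names `inspect_link` and `registered_domain` are hypothetical, and treating the last two labels as the registered domain is an assumption that holds for .com but not for every suffix.

```python
import unicodedata
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "booking.com"  # the only domain the article says to trust


def registered_domain(host):
    """Return the last two labels of a hostname.

    Assumption: a two-label registered domain (true for .com). A production
    check should use the Public Suffix List instead.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(url):
    """Report where a link really points and which lookalike characters it hides."""
    # The hostname ends at the first real "/", "?" or "#". A character that
    # only resembles a slash, such as U+3093, stays inside the hostname.
    host = urlsplit(url).hostname or ""
    odd = sorted({ch for ch in host if ord(ch) > 127})
    domain = registered_domain(host)
    return {
        "host": host,
        "registered_domain": domain,
        "non_ascii": [(f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")) for ch in odd],
        "trusted": domain == TRUSTED_DOMAIN and not odd,
    }


if __name__ == "__main__":
    samples = [
        # Phishing link quoted in the article.
        "https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/",
        # Constructed sample: the same path written with real slashes.
        "https://account.booking.com/detail/restric-access/en/",
    ]
    for link in samples:
        print(inspect_link(link))
```

The same logic can run in a mail gateway or proxy rule: any hostname containing non-ASCII characters whose registered domain is not on the allow list is worth flagging for review.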

Final Thoughts

The Booking.com phishing scam shows how attackers are becoming more creative with deceptive URLs. By swapping a simple character, they bypass casual inspection and lure victims into installing malware. Staying alert, double-checking links, and keeping security tools active are the best ways to defend against this evolving phishing tactic.

 

Janet Andersen
