Booking.com Phishing Scam Uses Sneaky Characters to Trick Users
A new phishing campaign is targeting Booking.com customers using a clever trick with foreign characters. Cybercriminals are inserting the Japanese hiragana character “ん” into web addresses to make fake links look like they belong to the legitimate booking.com domain. At a quick glance, the character can resemble a forward slash or letter sequence, fooling unsuspecting users.
When victims click these deceptive links, they are taken to a malicious website that appears authentic but is actually registered under a lookalike domain. From there, users are prompted to download a file disguised as a Booking.com update. In reality, the file installs malware capable of stealing personal information or even granting hackers remote access to the victim’s device.

Fig 1. The Booking.com phishing email. Source: JamesWT
How the Scam Works
The malicious emails contain links that, on the surface, look nearly identical to a real booking.com address, in this case “https://admin.booking.com/hotel/hoteladmin/…”. However, the hyperlink actually points to a domain using the “ん” character:
“https://account.booking.comんdetailんrestric-access.www-account-booking[.]com/en/”
When a user looks at this URL in their web browser’s address bar, the “ん” characters appear like they are just part of a normal URL path. This makes the address look trustworthy at first glance.
In reality, the actual registered domain, “www-account-booking[.]com”, belongs to the attackers. Everything before this part of the link is just a disguise. Once clicked, victims are redirected through multiple steps before being served a file installer. This installer then downloads additional malicious programs, which can include infostealers designed to grab saved passwords, or remote access tools that let attackers control the computer from afar.
Not Just Booking.com: Intuit Users Targeted
The same approach has been spotted in another phishing campaign impersonating Intuit, the financial software company. In this case, scammers swapped out the letter “i” in Intuit with a lowercase “L,” producing domains like “lntuit.com.” In certain fonts, especially on small mobile screens, the difference is almost impossible to spot.
These fake Intuit emails were crafted with narrow layouts, suggesting they were designed to be read on smartphones. The goal was to trick mobile users into tapping a “Verify my email” button without carefully checking the link. Once clicked, the phishing link redirected through suspicious domains but, if accessed directly, sometimes pointed back to the legitimate Intuit login page—an extra layer of deception to make the scam harder to detect.

Fig 2. The Intuit phishing email. Source: Bleeping Computer
How to Protect Yourself
These incidents are examples of homograph attacks, where attackers use characters from different alphabets that look nearly identical to the ones we’re used to. They exploit the fact that most users scan URLs quickly, especially on phones.
To protect yourself, always hover over links (or press and hold on mobile) to see the full destination address. Focus on the actual domain name, which is the part of the address immediately before the first single slash (the end of the hostname, not anything that appears earlier in it). For example, “booking.com” is legitimate, but “account-booking.com” is not.
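The check described here, and the “ん” trick explained under “How the Scam Works”, can be automated for mail filtering or user training. The following is an added example written for this article, not code from the article or from Booking.com or Intuit: it extracts the hostname, reports any non-ASCII characters in it by Unicode name, approximates the registered domain as the last two labels (a simplification; a real filter would use the public suffix list), and flags hosts where a watched brand name appears but is not the registered domain, or where the registered label is a lookalike of the brand. The brand list and the small confusable map (“l” and “1” for “i”, “0” for “o”) are assumptions chosen to cover the two cases in the article.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed watch-list of brands we want to protect (not from the article).
BRANDS = {"booking", "intuit"}

# Assumed ASCII confusables: the Intuit campaign swapped "i" for "l".
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o"})


def analyze_url(url: str) -> dict:
    """Return the host, the approximate registered domain and a list of findings."""
    # Accept defanged URLs ("[.]") as they appear in reports.
    host = urlsplit(url.replace("[.]", ".")).hostname or ""
    labels = host.split(".")
    registered_label = labels[-2] if len(labels) >= 2 else host
    registered = ".".join(labels[-2:]) if len(labels) >= 2 else host

    findings = []
    # Any non-ASCII character in a hostname deserves a look; the article's
    # campaign used HIRAGANA LETTER N to fake a path separator.
    for ch in host:
        if ord(ch) > 127:
            name = unicodedata.name(ch, "UNKNOWN")
            findings.append(f"non-ASCII character U+{ord(ch):04X} ({name}) in host")

    for brand in sorted(BRANDS):
        # Brand name present somewhere in the host, but the registered
        # domain is something else: the brand is only a disguise.
        if brand in host and registered_label != brand:
            findings.append(f"brand {brand!r} in host but registered domain is {registered!r}")
        # Registered label differs from the brand only by confusable letters.
        if registered_label != brand and registered_label.translate(CONFUSABLES) == brand:
            findings.append(f"registered domain {registered!r} is a lookalike of {brand!r}")

    return {"host": host, "registered_domain": registered, "findings": findings}


if __name__ == "__main__":
    # The defanged URL quoted in the article, plus a constructed Intuit lookalike.
    for sample in (
        "https://admin.booking.com/hotel/hoteladmin/",
        "https://account.booking.comんdetailんrestric-access.www-account-booking[.]com/en/",
        "https://lntuit.com/verify",
    ):
        result = analyze_url(sample)
        print(result["registered_domain"], result["findings"] or ["no findings"])
```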
Even with careful checking, homoglyph tricks can still be convincing. That’s why keeping your antivirus software updated is important—it can block many malicious downloads before they infect your device. As phishing campaigns become more sophisticated, combining safe browsing habits with modern security tools remains the best defense.