Scammers are reportedly impersonating staff at three Hilton properties in San José, Costa Rica – selling fake event bookings and collecting payments personally.
This appears to be going on with the Curio Collection Gran Hotel Costa Rica, Hilton Garden Inn San José La Sabana, and Hilton San José La Sabana, which are all managed by the same company. The good news for most of you is that it’s events-focused (weddings, quinceañeras, corporate events) rather than normal stays.
It looks like a common insider scam. But there is also something potentially much larger. A Booking.com data breach has given scammers reservation information that lets them impersonate hotels and get guests to pay them outside of standard channels.
Attackers got access to reservation details — names, email addresses, phone numbers, etc. – and are using that data to make fake messages look legitimate. They’ll reach out to the guest saying there’s an issue with your stay. They ask you to “reconfirm” or “pre‑pay” via Zelle, PayPal, Venmo or a bank transfer (no credit card chargebacks).
The message feels authentic since it’s specific to the details of your stay. Key flags:
- Unexpected payment requests: Hotels generally process payments via the original booking platform or by credit card, not peer-to-peer apps into an individual’s account. A message telling you to pay via PayPal, Venmo or Zelle for ‘reservation issues’ or added fees is more likely than not fraud.
- Links that don’t match the hotel: Scammers will use lookalike URLs, but look carefully, it might be the hotel’s name dot something else. And asking you to reply outside of the hotel’s platform is another flag.
- Unusually urgent requests: “urgent reconfirmation” or “finalize your stay” with demands to do so quickly are scammy.
Reservation payment scams aren’t new, where hotel employees sometimes appear to be scammers contacting guests with future reservations and insisting on payment through third party platforms in advance. Indeed, they’ll even insist prepaid guests pay again through suspicious links. Now, though, it seems that outsides are pretending to be the employees.
If you receive something like this, verify it with the hotel through the public front door and with management. Check with your booking platform. And pay by credit card for dispute protection, not through a peer-to-peer app or bank account.
“or added fees is more likely than not fraud.” meaning it is fraud (not well worded).
People are stupid.
Anyone dumb enough to fall for a scam frankly deserves it. There are so many ways to validate requests. No one should ever respond simply to an email, text or call regarding money due, package to be delivered, unpaid traffic tickets, etc. Just delete or hang up and contact the supposedly requesting party directly (known phone number or website) to see if there are any notifications regarding you. I spent 40 years in IT and was responsible for security policies and procedures at various companies (among other responsiblities) so drill this into the heads of my kids so they won’t be a sucker.
This happened to me for multiple bookings at the Intercontinental Auckland. Received whatsapp messages along these same lines (which I of course ignored). A few weeks later IHG reached out to notify me about the scam, but no doubt some people fell for it.