NCSC Switzerland: Booking.com breach feeds two-pronged WhatsApp hotel-booking phishing against Swiss travellers
From CTI Daily Brief — 2026-06-04 · published 2026-06-04
NCSC Switzerland's Week 22 report documents a surge in fraudulent WhatsApp messages abusing real booking data (dates, hotel names, guest names) leaked in the April 2026 Booking.com compromise (NCSC-CH, 2026-06-02). Variant 1 sends a fake refund lure on WhatsApp that redirects to pages spoofing TWINT and Swiss bank portals to harvest card data (T1566.002). Variant 2 is the more dangerous: attackers use compromised hotel booking-system credentials (T1078.004) to message guests through the legitimate booking channel, demanding urgent card re-verification. Because the message carries the trust of the real platform, it defeats the usual "is this sender legitimate?" check. NCSC frames the targets as Swiss hotel-booking customers generally; for a federal SOC, staff who book travel through these platforms fall in the same exposed population (analyst inference).
Why it matters to us: the account-takeover variant breaks user-awareness controls because the lure originates from a trusted booking system, not a spoofed sender — detection has to move to anomalous outbound messaging from booking-platform accounts and to card-data entry on TWINT/bank look-alike domains.
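An added example, not taken from the NCSC report or from this brief: a proxy-log triage check for the second detection point above, flagging requests (and in particular POSTs) to hosts that imitate TWINT or a bank name but sit outside the legitimate domain. The log format, the `examplebank` brand and every `.example` hostname are constructed assumptions; `twint.ch` is TWINT's real domain.

```python
import re
from urllib.parse import urlsplit

# Assumption: brand -> legitimate registrable domains ("examplebank" is hypothetical).
BRANDS = {"twint": {"twint.ch"}, "examplebank": {"examplebank.ch"}}
DIGITS = str.maketrans("0135", "oies")  # digit-for-letter swaps used in look-alikes

def edit_distance(a, b):  # Levenshtein distance, computed row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(host):
    """Return the brand a hostname imitates, or None if benign or legitimate."""
    host = host.lower().rstrip(".")
    registrable = ".".join(host.split(".")[-2:])  # simplification: no public-suffix list
    if any(registrable in legit for legit in BRANDS.values()):
        return None
    tokens = [t.translate(DIGITS) for t in re.split(r"[.\-_]", host) if t]
    for brand in BRANDS:
        if any(brand in t or edit_distance(brand, t) <= 1 for t in tokens):
            return brand
    return None

def scan(lines):
    """Return (user, host, brand, action) for each request to a look-alike host."""
    hits = []
    for line in lines:
        _ts, user, method, url, _status = line.split()
        host = urlsplit(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:  # a POST means data was sent to the page, so it ranks first in triage
            hits.append((user, host, brand, "data-submitted" if method == "POST" else "visited"))
    return hits

# Constructed proxy-log lines: timestamp user method url status
SAMPLE = [
    "2026-06-03T08:14:02Z alice GET https://www.twint.ch/en/ 200",
    "2026-06-03T08:16:05Z bob POST https://twint-refund.example/card 200",
    "2026-06-03T09:02:11Z carol POST https://examplebank.ch.login.example/verify 302",
    "2026-06-03T09:30:00Z dave GET https://tw1nt.pay.example/ 200",
    "2026-06-03T09:31:00Z erin GET https://hotel.example/booking 200",
]
if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Short brand strings such as `twint` sit one edit away from ordinary words (for example `twist`), so the output is a triage queue rather than a block list, and internationalised (`xn--`) labels are not decoded here.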