If fake booking confirmations are circulating with your hotel’s name, the immediate goal is to protect guests, stop further payments to scammers, preserve evidence, and avoid accidentally destroying the trail that law enforcement, banks, online platforms, or courts may need later. In the Philippines, this is not just a “bad review” or customer-service problem. It can involve estafa, cybercrime, identity misuse, trademark or trade-name infringement, unfair competition, data privacy duties, consumer complaints, and possible civil liability depending on how the scam happened.
What “fake booking confirmations using your hotel’s name” usually means
A fake booking confirmation is any voucher, email, screenshot, PDF, text message, chat, QR code, or reservation notice that makes a guest believe they booked with your hotel when the confirmation was not issued or authorized by your hotel, your official booking system, or an authorized booking partner.
Common versions in the Philippines include:
- A fake Facebook page, Instagram account, TikTok account, WhatsApp number, Viber number, Gmail address, or website using your hotel’s name and photos.
- A scammer sending a PDF “hotel voucher” with your logo, address, room type, check-in date, and fake confirmation number.
- A guest paying a “reservation fee” to a personal GCash, Maya, bank, or e-wallet account not owned by your hotel.
- A fraudulent travel agency or “agent” claiming to represent your hotel.
- A compromised staff account, email account, OTA extranet account, or reservation system.
- A fake QR code or payment link inserted into a booking conversation.
- A former employee, unauthorized reseller, or unofficial page continuing to use your hotel’s brand.
The legal treatment depends on the facts. A complete stranger impersonating your hotel is different from a rogue employee, a negligent outsourced booking agent, or a real OTA error.
Why this is legally serious in the Philippines
A fake hotel confirmation can harm several groups at once:
- The guest loses money and may arrive at the hotel with no valid reservation.
- The hotel suffers reputational damage, bad reviews, operational disruption, and possible refund pressure.
- The scammer may continue collecting payments unless accounts and pages are quickly reported.
- Banks, e-wallets, telcos, OTAs, and platforms may delete or overwrite useful records if no preservation request is made.
- If guest data came from your systems, the incident may become a data privacy breach.
Under the Electronic Commerce Act of 2000, RA 8792, electronic documents and data messages can have legal effect and may be admitted in proceedings if properly authenticated. This is why screenshots, emails, transaction receipts, chat logs, URLs, headers, and booking-system logs should be preserved carefully, not merely forwarded casually in a group chat. (Lawphil)
First response: what the hotel should do in the first 24 hours
Act quickly, but do not panic. A scattered response can weaken your evidence and confuse guests.
Confirm whether the booking is truly fake. Check your property management system, channel manager, OTA dashboards, direct-booking inbox, payment gateway, official social media inboxes, and reservation logs. Do not assume it is fake just because the confirmation number looks unfamiliar; some OTAs and wholesalers use their own reference numbers.
Collect the guest’s evidence politely. Ask the guest for:
- The full fake confirmation or voucher
- Screenshots of the conversation
- The URL or profile link of the page or website
- The exact phone number, email address, or account used by the scammer
- Payment receipt, reference number, bank/e-wallet account name, and account number
- Date and time of payment
- Any QR code or payment link used
- The name of the supposed agent or company
Preserve evidence in its original form. Save files without editing them. Take screenshots that show the full screen, URL, date, time, sender profile, and message sequence. Export emails with full headers when possible. Download transaction receipts. Record the device, account, and staff member who collected each item.
Check if the guest paid your hotel or the scammer. If payment went to your official merchant account, reservation account, or accredited payment channel, treat it as a possible internal or system issue. If payment went to a personal or unknown account, treat it as impersonation and fraud.
Post a clear public advisory on official channels. Use calm wording. Identify only your official website, phone numbers, emails, and booking channels. Avoid naming a suspect unless already confirmed by authorities or the platform. Overstating facts can create defamation or unfair accusation issues.
Report the fake page, domain, number, or payment account immediately. File reports with the social media platform, OTA, domain registrar, payment gateway, e-wallet, bank, and relevant authorities. Include evidence that you own or operate the hotel brand.
Assign one internal point person. Guests, front desk staff, sales, accounting, legal, and management should use one incident log. This avoids inconsistent statements such as “we will honor all fake bookings” or “the hotel has no liability” before the facts are known.
Key Philippine laws that may apply
Estafa under the Revised Penal Code
If a scammer pretends to be your hotel, falsely claims authority to accept bookings, and receives payment from guests, the conduct may amount to estafa, or swindling, under Article 315 of the Revised Penal Code.
Article 315 covers fraud committed through false pretenses, including using a fictitious name or falsely pretending to possess power, agency, business, credit, or imaginary transactions. Fake hotel bookings often fit this pattern when the scammer induces the guest to pay based on the false representation that the scammer is connected with the hotel. (Lawphil)
The amount involved affects penalty exposure under Article 315 as amended by RA 10951, but for hotel operators the more practical point is this: every guest payment receipt matters because it helps prove deceit, reliance, payment, and damage.
Falsification of documents
If the scammer creates or uses a fake voucher, fake receipt, fake official reservation form, fake invoice, or fake email confirmation, falsification may also be considered. Article 172 of the Revised Penal Code penalizes falsification by private individuals and use of falsified documents, including commercial documents and private documents made with damage or intent to cause damage. (Lawphil)
A fake booking voucher may be important not only because it deceives the guest, but because it shows the scammer used your hotel’s name, logo, address, room descriptions, and supposed booking authority.
Cybercrime Prevention Act: online fraud and identity misuse
When the scam is done through Facebook, email, a fake website, messaging apps, QR codes, or online payment links, the Cybercrime Prevention Act of 2012, RA 10175 may apply.
Relevant cybercrime concepts include:
- Computer-related fraud, where computer data or systems are used to cause damage.
- Computer-related forgery, where electronic data is inputted, altered, or interfered with so that it appears authentic.
- Computer-related identity theft, which can involve the unauthorized use or misuse of identifying information belonging to another person or juridical entity.
- Section 6 of RA 10175, which can increase penalties when crimes under the Revised Penal Code are committed through information and communications technology.
In Disini v. Secretary of Justice, the Supreme Court reviewed RA 10175 and left key cybercrime provisions in force, while striking down or limiting certain overbroad provisions. For hotel scams, the practical point is that online impersonation, fake electronic confirmations, and digital payment schemes should be treated as cyber-enabled evidence, not just “screenshots.” (Lawphil)
Anti-Financial Account Scamming Act
If scammers use bank accounts, e-wallets, or “mule” accounts to receive guest payments, the Anti-Financial Account Scamming Act, RA 12010 of 2024, may be relevant. The law covers financial account scamming and includes money muling activities, such as using, borrowing, or allowing the use of financial accounts to receive proceeds from crimes or social engineering schemes. (Lawphil)
This is important because many hotel booking scams do not end with the fake page. The payment account may be the fastest route to identifying, freezing, or tracing the network behind the scam.
Trademark infringement, trade-name misuse, and unfair competition
If your hotel name, logo, trade name, or branding is being used without authority, the Intellectual Property Code of the Philippines, RA 8293, may apply.
A registered trademark owner has the right to prevent unauthorized use of identical or similar signs for related goods or services where such use is likely to cause confusion. RA 8293 also protects trade names against unlawful acts even before or without registration, especially when the use is likely to mislead the public. (Lawphil)
Even if your hotel name is not yet registered as a trademark, unfair competition may still be relevant. Section 168 of RA 8293 protects business goodwill and covers deceptive acts that pass off one’s goods, business, or services as those of another. False designation or false representation may also apply when someone falsely suggests affiliation, sponsorship, approval, or connection with your hotel. (Lawphil)
IPOPHL’s adjudication system handles matters such as trademark infringement, unfair competition, and false designation of origin. (IP Office PH)
Civil Code remedies for damage to business and goodwill
The Civil Code can support civil claims for damages even when criminal proceedings are still being investigated.
Relevant provisions include:
- Article 19: everyone must act with justice, give everyone their due, and observe honesty and good faith.
- Article 20: a person who willfully or negligently causes damage contrary to law must indemnify the injured party.
- Article 21: a person who willfully causes loss or injury in a manner contrary to morals, good customs, or public policy must compensate the injured party.
- Article 28: unfair competition in commercial enterprises through deceit, machination, or unjust methods gives rise to a right of action.
- Article 2176: a person who causes damage by fault or negligence may be liable under quasi-delict.
- Article 2180: owners and managers of establishments may be responsible for damages caused by employees in the service of their branches or on the occasion of their functions, subject to proof of diligence. (Lawphil)
This distinction matters. If a total stranger impersonated your hotel, the hotel is usually a victim too. But if the scam involved your employee, your official page, your compromised reservation account, or your negligent handling of guest data, the hotel’s own exposure must be assessed separately.
Data Privacy Act duties if guest data may have leaked
If fake confirmations contain real guest names, check-in dates, phone numbers, email addresses, passport details, IDs, payment information, or booking histories that came from your hotel’s systems, the incident may involve the Data Privacy Act of 2012, RA 10173.
Not every scam is a reportable data breach. But if there is unauthorized access, acquisition, or disclosure of personal data, and the breach is likely to create a real risk of serious harm, the hotel may need to notify the National Privacy Commission and affected data subjects. NPC guidance states that reportable personal data breach notifications through the Data Breach Notification Management System should be submitted within 72 hours upon knowledge or reasonable belief that a personal data breach occurred, with the full report generally due within five days unless additional time is granted. (National Privacy Commission)
Who should you report to?
Use the right channel for the right problem. Reporting only to Facebook or only to the barangay is usually not enough.
| Problem | Where to report or act | Why it matters |
|---|---|---|
| Fake Facebook/Instagram/TikTok page | Platform impersonation or trademark report | Fast takedown and preservation of account data |
| Fake website or domain | Domain registrar, hosting provider, Google Safe Browsing, payment gateway | Takedown and phishing warnings |
| Guest paid to bank/e-wallet | Bank, e-wallet provider, payment service provider | Possible account hold, trace, fraud investigation |
| Online scam, fake page, fake voucher | NBI Cybercrime Division or PNP Anti-Cybercrime Group | Criminal investigation and cyber evidence requests |
| Fraudulent use of hotel name/logo | IPOPHL, civil court, or criminal complaint depending on facts | IP enforcement, injunction, damages |
| Consumer refund dispute involving OTA/travel agency | DTI Consumer CARe System, OTA complaint channel | Mediation or referral for consumer issues |
| DOT-accredited tourism enterprise issue | Department of Tourism, if within DOT jurisdiction | DOT can act on accredited enterprises but does not generally enforce refunds or damages |
| Possible data leak from hotel systems | National Privacy Commission | Breach assessment and required notifications |
The NBI Cybercrime Division’s citizen charter refers to complainants and witnesses executing sworn statements or submitting prepared affidavits, with supporting documents collected by investigators. (National Bureau of Investigation)
Step-by-step guide for hotel owners and managers
1. Build an incident file immediately
Create one digital folder and one incident log. Include:
- Date and time the hotel first learned of the fake confirmation
- Name and contact details of the reporting guest
- Check-in and check-out dates shown in the fake booking
- Fake confirmation number
- Amount paid
- Payment recipient account name, number, bank, or e-wallet
- Links to fake pages, websites, ads, or posts
- Screenshots and downloaded files
- Staff who handled the report
- Actions taken and timestamps
Use a consistent file naming system, such as:
2026-07-04_GuestName_FakeBooking_FBPage_PaymentReceipt.pdf
This makes it easier for investigators, banks, and platforms to follow the trail.
2. Secure your own channels
Before blaming an outside scammer, check whether the scammer may have gained access to your systems.
Review:
- Facebook Business Manager admin list
- Meta ad account access
- Gmail or Google Workspace login activity
- Website CMS users
- Domain registrar logins
- OTA extranet users
- Channel manager access
- PMS user logs
- Payment gateway users
- Former employee access
- Shared passwords used by front desk or reservations staff
Immediately remove unknown users, change passwords, enable two-factor authentication, and disable accounts of resigned employees. Preserve logs before changing or deleting anything when possible.
3. Verify official booking and payment channels
Publish a simple advisory listing:
- Official website
- Official email domain
- Official phone numbers
- Official social media pages
- Authorized OTA links
- Official payment account names
- Statement that the hotel does not accept deposits through personal accounts
Avoid vague language like “Beware of scammers.” Give guests a verification process:
“Before paying, please confirm your booking only through our official email ending in @yourhotel.com or by calling our published landline/mobile number.”
4. Coordinate with affected guests
When a guest arrives with a fake booking, train front desk staff to respond calmly.
A good operational response is:
- Ask for the confirmation and payment receipt.
- Check the hotel’s system.
- Explain whether the reservation exists.
- Avoid accusing the guest of negligence.
- Ask permission to copy the evidence.
- Give the guest your incident reference number.
- Offer available lawful options, such as booking at current rates, waitlisting, or helping them contact the payment provider.
- Document everything.
Do not promise reimbursement before management verifies whether the hotel had any involvement. Also avoid saying “we are not liable” in a harsh way at the front desk. That can turn a scam incident into a consumer complaint or viral reputational issue.
5. Send preservation and takedown requests
For fake pages, websites, and payment accounts, request both takedown and preservation.
A takedown request asks the platform to remove or disable the fake page. A preservation request asks the platform or provider to keep relevant records, such as account registration data, login IPs, linked emails, transaction logs, and communications, subject to legal process.
In practice, platforms may not release records directly to the hotel without legal process. But your prompt report helps establish the date of notice and may prevent routine deletion.
6. Prepare a complaint-affidavit
For NBI, PNP, prosecutors, or IP proceedings, a complaint-affidavit usually includes:
- Identity and authority of the complainant, such as owner, general manager, corporate officer, or authorized representative
- Business registration documents
- Proof that the hotel owns or uses the name, logo, domain, and official accounts
- Narrative of what happened
- How the fake confirmation misused the hotel’s name
- Details of affected guests and payments
- Screenshots and documents, marked as attachments
- Explanation of damage to guests and the hotel
- Request for investigation and appropriate action
If the hotel is owned by a corporation, bring a board resolution, secretary’s certificate, or written authority showing that the representative may file and sign the complaint.
7. Consider civil, criminal, IP, and platform remedies together
Do not rely on one remedy only.
- Criminal complaint helps pursue the scammer for estafa, falsification, cybercrime, or financial account scamming.
- IP complaint or civil action helps stop unauthorized use of your hotel name, logo, trade name, and goodwill.
- Platform takedown stops ongoing public exposure.
- Bank/e-wallet report helps trace or restrict payment accounts.
- Data privacy response addresses potential guest-data exposure.
- Consumer handling reduces complaints from affected guests.
Documents hotels should prepare
| Document | Purpose |
|---|---|
| DTI/SEC registration, mayor’s permit, BIR registration | Proves legitimate hotel business identity |
| DOT accreditation, if any | Supports tourism enterprise status |
| Trademark certificate or IPOPHL filing, if any | Supports brand ownership |
| Domain registration records | Shows official website ownership |
| Social media admin proof | Shows official pages |
| Sample genuine booking confirmation | Helps compare fake vs real confirmations |
| Official payment account certifications | Shows authorized payment channels |
| Guest screenshots and receipts | Shows fraud method and payment trail |
| Incident log | Shows timeline and diligence |
| Staff access logs | Helps rule in or rule out internal compromise |
| Complaint-affidavit | Required for formal investigation or prosecution |
| Board resolution or secretary’s certificate | Needed if a corporation files through a representative |
Special issues for foreign hotel owners, foreign guests, and overseas evidence
Fake Philippine hotel booking scams often involve foreigners or Filipinos abroad because they rely on urgency: airport arrival, visa travel, holidays, or peak season.
Consider these practical points:
- A foreign guest’s screenshots and payment receipts can be useful even before a formal affidavit is executed.
- If a foreign guest will submit a sworn affidavit for use in a Philippine proceeding, prosecutors or courts may require proper notarization and authentication. Depending on where the affidavit is executed, this may involve apostille or Philippine consular notarization.
- If the hotel owner is a foreign corporation, it should show authority to do business, ownership or licensed use of the hotel name, and authority of the Philippine representative filing the complaint.
- Foreign trademark owners may rely on reciprocity and treaty-based protections under Philippine IP law where applicable. RA 8293 extends benefits to nationals, domiciliaries, or real and effective industrial establishments of countries that are parties to relevant conventions or provide reciprocal rights. (Lawphil)
- If payments moved through foreign accounts, coordinate early with the Philippine investigating agency because cross-border requests usually require formal legal channels and take longer.
Should the hotel honor a fake booking?
Not automatically.
A hotel generally does not become bound by a booking created by a scammer who had no authority to act for the hotel. However, the hotel should still investigate whether the scammer appeared to have authority because of something connected to the hotel.
Ask:
- Was the booking made through an official hotel page, email, website, or phone?
- Did a hotel employee communicate with the guest?
- Was payment made to an official hotel account?
- Did the confirmation use a valid internal booking number?
- Was the guest data available only from the hotel’s records?
- Did the hotel previously allow the “agent” to sell rooms?
- Did the hotel fail to remove a former employee’s access?
- Did the hotel’s own advisory or payment instructions confuse guests?
If the answer to all is no, the hotel is more clearly a victim of impersonation. If the answer to any is yes, the hotel should handle the matter as both a fraud incident and a possible internal-control issue.
Common mistakes that make the problem worse
Deleting comments, messages, or logs too quickly
It is understandable to want the fake page gone immediately. But before deletion or takedown, capture evidence. Once a page is removed, account identifiers and public-facing details may become harder to retrieve.
Posting angry public accusations
Avoid statements like “John Doe is a scammer” unless the identity is confirmed and the statement is carefully supported. A safer advisory focuses on verification:
- “This page is not affiliated with our hotel.”
- “We do not accept payments through personal accounts.”
- “Please verify bookings through these official channels.”
Treating it only as a guest complaint
The first guest may be only one of many. Treat each report as part of a pattern. A scammer may be using the same payment account, page template, or phone number across multiple hotels.
Ignoring payment accounts
The fake page may disappear, but the payment account is often the strongest trail. Collect the recipient name, account number, QR code, reference number, and transaction timestamp.
Assuming the barangay can resolve it
Barangay conciliation may help in simple disputes between identifiable parties in the same city or municipality, but online hotel booking scams usually require banks, platforms, cybercrime investigators, or prosecutors. Do not delay cybercrime reporting just because someone suggests “ipa-barangay muna.”
Using unofficial “recovery agents”
Victims sometimes receive messages from people claiming they can recover GCash, Maya, bank, or crypto payments for a fee. This can become a second scam. Use official bank, e-wallet, law enforcement, and platform channels.
Practical prevention measures for hotels
Prevention is partly legal, partly operational.
Register and monitor your brand. Register your hotel name and logo as trademarks if commercially important. Monitor similar pages, domains, and ads.
Use a professional email domain. An official email like
reservations@yourhotel.comis more trustworthy than a generic Gmail address.Publish authorized payment channels. List exact account names. Make clear that personal accounts are not authorized.
Add verification language to every confirmation. State that guests may verify bookings through your official phone, website, or email.
Use watermarks and secure confirmation formats. Include dynamic confirmation numbers, QR codes that resolve only to your official domain, and anti-fraud notices.
Restrict staff access. Use individual accounts, not shared passwords. Remove access immediately when staff leave.
Train front desk and reservations teams. Staff should recognize fake vouchers, suspicious payment receipts, and impersonation pages.
Keep an incident response template. Prepare standard forms for guest evidence collection, platform takedown, bank reports, and complaint-affidavits.
Check OTA and channel-manager settings. Confirm which partners can sell rooms, what guest messages look like, and where payment instructions appear.
Maintain a scam advisory page. A permanent page on your official website can rank in Google and help guests verify whether a booking channel is genuine.
Frequently Asked Questions
Can we refuse a guest who arrives with a fake booking confirmation?
Yes, if there is no valid reservation in your system and the confirmation was not issued or authorized by your hotel. However, handle the guest carefully, document the fake confirmation, and check whether payment or communication passed through any official hotel channel before making a final position.
Is the hotel liable if scammers used our name without permission?
Not automatically. If a third-party scammer used your name without authority, the hotel is also a victim. But liability risk increases if the scam involved your employee, official page, official payment account, compromised system, negligent access control, or confusing public payment instructions.
What crime is committed when someone makes fake hotel booking confirmations?
Depending on the facts, possible offenses include estafa under Article 315 of the Revised Penal Code, falsification under Article 172, cybercrime offenses under RA 10175, and financial account scamming or money muling under RA 12010. If the hotel name or logo is used, trademark infringement, trade-name misuse, unfair competition, or false designation under RA 8293 may also be relevant.
Should we file with the NBI or PNP Anti-Cybercrime Group?
For online impersonation, fake pages, fake websites, and digital payment trails, filing with the NBI Cybercrime Division or PNP Anti-Cybercrime Group is usually appropriate. Bring sworn statements, screenshots, URLs, payment receipts, business documents, and proof that the hotel owns or operates the official brand and channels.
Can we ask GCash, Maya, or a bank to freeze the scammer’s account?
You can report the account immediately and submit proof of fraud, but freezing, disclosure, or release of account information may require the provider’s internal process, regulatory rules, or legal process from authorities. Report quickly because funds may be transferred out within minutes or hours.
What if the fake confirmation came from a real travel agency?
If the agency is identifiable, check whether it is accredited, registered, or actually authorized to sell your rooms. If it made false representations, guests may have consumer remedies, and the hotel may have civil, criminal, or IP remedies depending on the agency’s conduct.
Can we post the scammer’s name and account number online?
Be careful. You may post official advisories and warn the public against unauthorized pages or accounts, but avoid unsupported accusations against named individuals. Focus on verifiable facts: official channels, unauthorized links, and instructions for guests to verify before paying.
Do we need to notify the National Privacy Commission?
Notify the NPC only if the incident meets the requirements for a reportable personal data breach. If fake confirmations contain personal data that likely came from your hotel’s systems, assess immediately. When reportable, NPC guidance points to a 72-hour notification period from knowledge or reasonable belief of a personal data breach.
Can a hotel sue for damage to reputation?
Yes, if the wrongdoer is identified and evidence supports the claim. Possible bases include Civil Code provisions on damages, unfair competition, trademark infringement, trade-name misuse, false designation, and civil liability arising from crime. The hotel must prove the wrongful act, damage, and causal connection.
What is the most important evidence to preserve?
Preserve the fake confirmation, full chat history, profile or website URL, payment receipt, recipient account details, screenshots showing dates and times, guest statement, official booking-system search result showing no valid reservation, and proof of your official channels.
Key Takeaways
- Fake booking confirmations using your hotel’s name can involve estafa, cybercrime, falsification, IP violations, consumer issues, and data privacy duties.
- Preserve evidence before requesting takedown.
- Check whether the scam came from a stranger, employee, agent, OTA, compromised account, or leaked guest data.
- Report fake pages, domains, payment accounts, and cybercrime evidence through the proper channels.
- Do not automatically honor fake bookings, but investigate carefully and treat affected guests with respect.
- Register and monitor your hotel name, publish official payment channels, secure staff access, and train front desk teams to spot fake vouchers.
- If guest personal data may have come from your systems, assess NPC breach notification duties immediately.