In a case I read (can't remember where), reservation data was somehow leaking (either from booking or from hotels), and scammers were sending messages purporting to be the hotel saying the room was cancelled or mischarged or something like that.

It's even worse than that. Scammers are sending messages through booking.com, so you get a message from the hotel, in your booking.com inbox, with a link to a payment site that just makes a payment to the crooks. The root cause is either hotel employees installing session-stealing malware, either accidentally or by being part of the scam.