Scammers Are Using Real Hotel Bookings To Target Travellers In Sophisticated Phishing Attacks

Travellers are being warned to treat hotel payment messages with caution after security researchers found cybercriminals using real reservation details to make phishing scams far more convincing.

Research from Norton’s parent company, Gen Digital, has linked reservation hijacking scams to more than 350 hotels, vacation rentals, motels and guesthouses across 50 countries. The scams use genuine booking details, including names, hotel information, stay dates and prices, to create highly targeted messages designed to steal credit card details and other sensitive information.

The tactic marks a shift from generic travel scams to a more personalised form of fraud. Rather than sending vague messages about a fake hotel booking, scammers are using details that match a traveller’s actual reservation. That makes the message look legitimate and increases the chance that a victim will click a fraudulent link.

The scam commonly begins with a message claiming there is a problem with a booking or payment. It may arrive by email, SMS, WhatsApp or through what appears to be a trusted booking platform or hotel communication channel. The traveller is then pushed toward a fake payment or verification page that uses the real hotel name and booking information to appear authentic.

Security researchers say the information may have been obtained through compromised hotel systems, stolen staff credentials, malware, phishing attacks against hospitality workers or weaknesses in third-party booking workflows. There is no indication that every affected booking came from a single breach. Instead, the campaign appears to exploit the fragmented way hotels, travel platforms and accommodation providers manage reservations.

That fragmentation is part of the problem. A traveller may book through one platform, receive messages from another system, communicate directly with a hotel and then be asked to confirm details through a separate link. Scammers are taking advantage of that complexity.

For Australian travellers, the warning is particularly relevant ahead of peak travel periods and as more people rely on overseas booking platforms for accommodation. Whether booking a hotel in Europe, a guesthouse in Asia, a motel in New Zealand or an Australian holiday rental, the risk is the same: a message that contains real reservation information is not automatically safe.

The danger lies in the credibility of the scam. A traveller who receives a message naming the correct hotel, dates and booking amount may naturally assume it is genuine. If the message then says the reservation will be cancelled unless payment details are re-entered, the pressure can push people into acting quickly.

That urgency is a common feature of phishing scams. Criminals want victims to move before they have time to check. In this case, the use of real booking data makes the pressure more effective.

Cybersecurity experts say travellers should avoid clicking payment links sent through unexpected messages, even when the details appear accurate. Instead, they should open the booking platform or hotel website directly, using the official app or a manually typed web address. If there is any doubt, travellers should contact the hotel or booking provider using contact details from the original confirmation or official website, not from the suspicious message.

Travellers should also be cautious if they are asked to provide card details again after a booking has already been confirmed. Legitimate accommodation providers may sometimes need updated payment information, but they should not pressure guests into using unusual links, messaging apps or urgent verification pages.

Anyone who receives a suspicious message should avoid replying, avoid clicking links and avoid downloading attachments. Screenshots and message details can be useful when reporting the scam to the booking platform, accommodation provider, bank or Scamwatch.

For those who may have entered payment details into a suspicious page, immediate action is important. Contact the bank or card provider, request a card block or replacement if necessary, monitor transactions and change passwords for any affected booking accounts. If the same password has been reused elsewhere, those accounts should also be updated.

Accommodation providers are also under pressure to improve security. Small and medium-sized hotels, motels and guesthouses may not have the same cybersecurity resources as large chains, but they handle valuable guest data. Staff accounts should use multi-factor authentication, booking systems should be monitored for unusual access and employees should be trained to recognise phishing attempts targeting hotel operators.

The hospitality industry has become an attractive target because it holds exactly the kind of information criminals need to make scams believable. A booking record can reveal a traveller’s name, email address, phone number, destination, dates of travel and expected payment amount. That is enough to build a convincing impersonation.

The latest findings also show why data privacy is not only a corporate issue. When customer information leaks from one part of the travel chain, the impact can land directly on the traveller. Even if the hotel itself is not responsible for the scam message, the exposure of reservation data can create a powerful fraud opportunity.

For now, the safest approach is to treat any unexpected payment request as suspicious, even when it contains accurate information. Real details can be stolen. Official-looking pages can be fake. Messages that appear to come from a hotel or booking platform can be manipulated.

The old advice still applies, but it now needs to be taken more seriously: slow down, check directly and never let urgency make the decision for you.

For travellers, the most important lesson is simple. A scam does not need to look random to be fake. Increasingly, the most dangerous scams are the ones that know exactly where you are staying.
