Wednesday, April 1, 2026

Hackers exploit hotel bookings with “reservation hijack scam” to steal payment details

A new wave of cyberattacks is targeting travelers by misusing hotel booking systems to steal payment details. Security experts warn that hackers are now combining real reservation data with social engineering to make scams appear highly credible.

This method, known as a “Reservation Hijack Scam,” uses genuine booking details such as hotel name, stay dates, and payment status. These details make the message look authentic and similar to a routine pre-arrival check, reducing suspicion.

Unlike traditional phishing, which depends on generic messages, this approach builds trust using real booking context. Attackers do not rely on advanced malware or perfect grammar. They only need accurate information to make their requests believable.

In more advanced cases, hackers target hotel staff or partners. They use fake login pages or malicious “security updates” to steal credentials for booking management systems. Once access is gained, attackers can view real reservations, guest details, and sometimes payment information.

The scam usually begins when a traveler receives a WhatsApp or SMS message claiming to be from the hotel’s guest relations team. Victims are then contacted through WhatsApp, SMS, email, or booking platform chats with personalized messages.

These messages often redirect users to fake payment pages, guest portals, or PDF links, urging “payment verification” within 24–48 hours. Victims who enter card details or approve payments risk financial loss, as attackers exploit or resell the data.

In some cases, attackers send fraudulent requests within legitimate chat threads, such as on Booking.com. Because the message comes from a trusted channel, it becomes much harder to detect.

Researchers have reported high activity in the United Kingdom, France, Germany, the United States, Brazil, and Australia. The scam operates across multiple channels, including Booking.com messaging, WhatsApp, SMS, and email.

This shift from identity spoofing to abusing real systems makes the threat more dangerous. The use of urgency, often demanding action within 24 or 48 hours, further reduces the chance of verification.

For travelers, the main risk is misplaced trust. Experts advise avoiding links in unexpected messages and verifying requests through official platforms.

For hotels, the threat highlights the need for stronger security. Measures like phishing-resistant authentication, staff training, and monitoring guest messaging systems are becoming essential.
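One way a hotel could monitor its guest messaging for the pattern described above: a payment-verification request, a 24–48 hour deadline, and a link that leaves the official platform. This is an added example, not code from the article or the researchers it cites; the allowlisted domains, the two-signal threshold, and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: domains this property legitimately links to (placeholders).
ALLOWED_DOMAINS = {"booking.com", "hotel.example"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
ASK = r"(?:verif\w*|confirm\w*|validat\w*|re-?enter)"
PAY = r"(?:payment|card|billing)"
PAYMENT_RE = re.compile(rf"\b{PAY}\b.{{0,40}}\b{ASK}\b|\b{ASK}\b.{{0,40}}\b{PAY}\b", re.I | re.S)
DEADLINE_RE = re.compile(r"\b(?:within|in the next)\s+\d{1,2}(?:\s*(?:-|–|to)\s*\d{1,2})?\s*(?:hours?|hrs?)\b", re.I)

def off_platform_hosts(text):
    """Hosts linked in the message that are not an allowed domain or its subdomain."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url.rstrip(".,;:!?")).hostname or "").lower()
        # Suffix match, so "booking.com.guest-verify.example" is not treated as booking.com.
        if host and not any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS):
            hosts.append(host)
    return hosts

def triage(text):
    """Return the list of scam signals present in one message body."""
    reasons = []
    if PAYMENT_RE.search(text):
        reasons.append("payment-verification request")
    if DEADLINE_RE.search(text):
        reasons.append("short deadline")
    hosts = off_platform_hosts(text)
    if hosts:
        reasons.append("off-platform link: " + ", ".join(hosts))
    return reasons

def flag_messages(messages, threshold=2):
    """Return {id: reasons} for messages with at least `threshold` signals."""
    results = {m["id"]: triage(m["text"]) for m in messages}
    return {mid: r for mid, r in results.items() if len(r) >= threshold}

# Constructed sample messages, not real traffic.
SAMPLES = [
    {"id": "m1", "text": "Dear guest, please complete payment verification within 24 hours: https://booking.com.guest-verify.example/pay"},
    {"id": "m2", "text": "Check-in opens at 15:00. Manage your stay at https://secure.booking.com/mybooking."},
    {"id": "m3", "text": "Your payment was confirmed. See you soon!"},
    {"id": "m4", "text": "Guest relations: verify your card in the next 24-48 hours here http://guest-portal.example/verify.pdf"},
]

if __name__ == "__main__":
    print(flag_messages(SAMPLES))
```

Because the check scores message content rather than the sender, it also applies to messages sent from inside a legitimate chat thread, which is the case the article notes is hardest to detect.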

As these scams evolve, the gap between genuine service communication and fraud is narrowing, making awareness critical for both travelers and service providers.
