Scammers Are Using Your Real Hotel Reservations to Trick You With Spear-Phishing Attacks | WIRED
Travelers’ information and booking details may have been stolen from hundreds of hotels around the world, according to new findings from security researchers. These swiped trip details, such as booking names and reservation information, are then being repurposed by cybercriminals to create highly targeted phishing messages used to steal credit card information.

At least 350 hotels, vacation rentals, motels, and guesthouses in 50 different countries have been caught up in so-called reservation hijacking scams, according to an analysis of phishing messages and cybercriminal infrastructure by security company Norton. Researchers say the use of legitimate booking information in phishing messages may increase the chances that someone clicks on a fraudulent link and hands over other sensitive details to criminals.

“This is really targeted,” says Luis Corrons, who led the research by Norton’s parent company, Gen Digital. The phishing websites the company analyzed included hotel names and a different price for each victim, with the victim’s specific check-in and check-out dates added to the pages. “It’s spear phishing targeted to the specific victim with the real details of the reservation.”

Across the data analyzed by the researchers, Germany appeared to have the most hotels that could have had customer data compromised, followed by France, the UK, Italy, Spain, and the US. The 350 accommodations named in the scam SMS, WhatsApp, and email messages have capacity for around 80,000 guests at their peak, the researchers estimate.
“Most of the accommodations are not big, they are small- and medium-size hotels,” says Corrons.

While attempts to hack into hotel systems to gather customer booking information have been around for years, the findings come as cybercriminals are continually expanding and developing the “phishing-as-a-service” software they use to send millions of delivery and toll scam messages every month. These phishing kits continually add new lures to trick people into clicking malicious links and can impersonate dozens of global brands. Last year, Americans lost more than $200 million as a result of successful phishing attempts, according to recently published FBI data.

Norton started its investigations into hotel-linked fraud in December, after identifying a realistic-looking phishing message. The message, sent on WhatsApp from an account impersonating the travel booking website Booking.com, claimed to come from a specific hotel and listed the dates of an upcoming reservation, before asking the recipient to click a link and confirm their details. The link led to a fake website that included a chatbot which instantly relayed any details entered, such as credit card information, to the attackers.

Hackers could obtain people’s specific booking details from a variety of places, including by phishing hotel staff to gain access to hotel systems, or through third-party booking services. For example, rather than exploiting vulnerabilities in the hotel software itself, attackers can send malware-laced emails or files to hotels to harvest staff login credentials. Previous research by Norton published in March mentions both Booking.com and the hotel-management system Cloudbeds. “We have been able to get some of the messages that are received by the accommodation staff to get them phished,” Corrons says.

“We would not say that every single phishing message we observed was definitively caused by a direct compromise of the hotel’s own internal systems,” the researcher says.
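The lure described above pairs genuine reservation details with a link to a site the attacker controls, so the hotel name and dates in the message verify nothing; the one thing a recipient, or a mail and SMS filter in front of them, can actually check is where the link goes. The following Python script is an added example, not code from Norton, Booking.com, Cloudbeds or WIRED: it extracts the links from a message and checks each host against an assumed brand allowlist on DNS label boundaries, which is what separates a real `secure.booking.com` subdomain from the `booking.com.verify-stay.com` and `booking.com-confirm.net` styles of lookalike. The allowlist, brand keywords, hotel name, sample messages and URLs are all constructed for illustration.

```python
"""Check where the links in a 'confirm your reservation' message really point.

Added example, not code from Norton, Cloudbeds, Booking.com or WIRED. The
sample messages, hotel name and URLs below are constructed. The brand allowlist
and keyword table are assumptions; a real deployment would maintain its own.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Domains the impersonated brand actually uses (assumed allowlist, extend per brand).
LEGIT_DOMAINS = {"booking.com": "Booking.com"}

# Brand keywords whose presence in a non-allowlisted host marks a lookalike.
BRAND_KEYWORDS = {"booking": "Booking.com"}

# Matches http(s) URLs up to whitespace or common message punctuation.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def registrable_suffix_match(host: str, domains) -> Optional[str]:
    """Return the allowlisted domain that owns this host, or None.

    Matching is on DNS label boundaries: 'secure.booking.com' matches
    'booking.com', while 'booking.com.verify-stay.com' and
    'booking.com-confirm.net' do not, because the registrable domain is the
    part after the last boundary, not the brand string embedded earlier.
    """
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def classify_url(url: str) -> Dict[str, str]:
    """Classify one URL as ok / lookalike / suspicious / unknown."""
    host = (urlsplit(url).hostname or "").lower()
    verdict = {"url": url, "host": host, "status": "ok", "reason": ""}

    owner = registrable_suffix_match(host, LEGIT_DOMAINS)
    if owner:
        verdict["reason"] = "host belongs to " + LEGIT_DOMAINS[owner]
        return verdict

    # Internationalized (punycode) labels can hide homoglyph lookalikes.
    if any(label.startswith("xn--") for label in host.split(".")) or not host.isascii():
        verdict.update(status="suspicious",
                       reason="internationalized host label; check for homoglyphs")
        return verdict

    # Brand name present, but the domain is not on the allowlist: classic lookalike.
    hits = [brand for kw, brand in BRAND_KEYWORDS.items() if kw in host]
    if hits:
        verdict.update(status="lookalike",
                       reason="host mentions %s but is not a %s domain" % (hits[0], hits[0]))
        return verdict

    verdict.update(status="unknown",
                   reason="domain not on the allowlist; verify via the official app or site")
    return verdict


def analyze_message(text: str) -> List[Dict[str, str]]:
    """Extract every http(s) URL from a message and classify each one."""
    return [classify_url(u) for u in URL_RE.findall(text)]


# Constructed sample messages (not real traffic) shaped like the lures the article
# describes: a plausible hotel name and dates, plus a link that is the only
# thing worth checking.
SAMPLES = {
    "lookalike": ("Booking.com: Your reservation at Hotel Example, check-in 12 Jun, "
                  "check-out 14 Jun, will be cancelled unless you confirm within 12 hours: "
                  "https://booking.com-confirm-reservation.net/verify/8821"),
    "subdomain_trick": ("Confirm payment card for Hotel Example: "
                        "https://www.booking.com.verify-stay.com/pay"),
    "legit": "Manage your Hotel Example booking: https://secure.booking.com/myreservations.html",
    "shortener": "Hotel Example reservation update: https://bit.ly/3xample",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        for v in analyze_message(msg):
            print("%-16s %-10s %-40s %s" % (name, v["status"], v["host"], v["reason"]))
```

The check deliberately ignores the message body: the reservation context is real, so keyword or "does the hotel name match" heuristics would pass the scam message as readily as a legitimate one. A link shortener lands in `unknown` rather than `ok` for the same reason, since the destination is not visible until it is followed.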
Phishing messages could also have been sent using information from other data breaches, or from systems not linked to the travel industry. “The common factor is that criminals are weaponizing real reservation context and pushing travelers into a fake verification or payment flow,” Corrons says.

Corrons says Norton has been unable to fully unpack who may be behind the attacks but says investigations are ongoing. Those sending some of the phishing messages appear to be using phishing kits designed to speed up and automate the process of sending messages and collecting information, he says, and in several cases the same phishing kit or technical infrastructure has been reused. The company is not publishing the full list of potentially compromised hotels and holiday accommodations, Corrons says; however, he says the company has been in touch with Europol about its findings.

A Europol spokesperson declined to comment, saying it does not discuss its operational activity.

“We continue to strengthen our defenses to reduce risk and limit opportunities for bad actors to target our accommodation partners and our customers, and we are seeing results,” a Booking.com spokesperson says.

Cloudbeds says the company has not been breached and that the attacks described by the Norton researchers are credential-phishing campaigns targeting hotel staff and then customers. “The reason these scams are so effective is that the attacker isn't guessing: They know exactly who the guest is, when they’re arriving, and what they paid,” Aaron Ownbey, vice president of engineering at Cloudbeds, says.

Attempts to hack hotels and use customer data to launch phishing attacks have been around for years. Across the travel industry, hotels often use a range of property-management software and other systems that allow people to make bookings through third-party companies. At the same time, staff accounts on these systems can easily view and manage key customer details and reservations.
“The hospitality industry needs to collectively raise the security baseline—better training for front desk staff, wider adoption of phishing-resistant authentication, and tighter controls on how guest data can be accessed and exported from any platform,” Ownbey says.

Smaller hotels are less likely to have security best practices in place, such as multifactor authentication for staff members, says Don Smith, the vice president of threat research at security company Sophos, which has worked with companies in the travel industry.

For instance, in one incident handled by Sophos, a cybercriminal emailed a hotel saying they had lost their passport during a recent stay. In a follow-up message, the attacker included a link to a supposed photo of the passport; when clicked, however, it downloaded a file containing the Vidar info stealer, which can harvest login credentials from an infected computer. Days after the malware was deployed, fraudulent messages had been sent to customers from the hotel's Booking.com account, and guests were complaining they had lost money.

“Threat actors love context because context makes a phishing lure much more compelling,” Smith says. “It’s very hard to not simply react and click on something to remove one element of stress from what may be a stressful travel experience.”

Corrons, from Norton, says the inclusion of real information in phishing messages makes it harder to tell what is legitimate from what is a scam. If in doubt, he says, contact the hotel or vacation rental directly through another means of contact.
“Even if the data in the message is real,” he says, “that doesn’t mean that you can trust the message.”

Matt Burgess is a senior writer at WIRED focused on information security, privacy, and data regulation in Europe. He graduated from the University of Sheffield with a degree in journalism and now lives in London. Send tips to [email protected].
