Scammers Are Using Your Real Hotel Reservations to Trick You With Spear-Phishing Attacks | WIREDSkip to main contentMenuSECURITYPOLITICSTHE BIG STORYBUSINESSSCIENCECULTUREREVIEWSMenuAccountAccountNewslettersSecurityPoliticsThe Big StoryBusinessScienceCultureReviewsChevronMoreExpandThe Big InterviewMagazineEventsWIRED InsiderWIRED ConsultingNewslettersPodcastsVideoLivestreamsMerchSearchSearchMatt BurgessSecurityMay 28, 2026 6:00 AMScammers Are Using Your Real Hotel Reservations to Trick You With Spear-Phishing AttacksCustomer data from more than 350 hotels around the world may have been accessed as part of realistic reservation-hijacking scams.Photo-Illustration: Jobanny Cabrera; Getty ImagesCommentLoaderSave StorySave this storyCommentLoaderSave StorySave this storyTravelers’ information and booking details may have been stolen from hundreds of hotels around the world, according to new findings from security researchers. These swiped trip details, such as booking names and reservation information, are then being repurposed by cybercriminals to create highly targeted phishing messages used to steal credit card information.At least 350 hotels, vacation rentals, motels, and guesthouses in 50 different countries have been caught up in so-called reservation hijacking scams, according to an analysis of phishing messages and cybercriminal infrastructure by security company Norton. Researchers say the use of legitimate booking information in phishing messages may increase the chances that someone clicks on a fraudulent link and hands over other sensitive details to criminals.“This is really targeted,” says Luis Corrons, who led the research by Norton’s parent company, Gen. Phishing websites the company analyzed included hotel names, differing prices for each victim, with specific check-in and check-out details being added to the pages. “It’s spear phishing targeted to the specific victim with the real details of the reservation.”Across the data analyzed by the researchers, Germany appeared to have the most hotels that could have had customer data compromised, followed by France, the UK, Italy, Spain, and the US. The 350 accommodations named in the scam SMS, WhatsApp, and email messages have capacity for around 80,000 guests at their peak, the researchers estimate. “Most of the accommodations are not big, they are small- and medium-size hotels,” says Corrons.While attempts to hack into hotel systems to gather customer booking information have been around for years, the findings come as cybercriminals are continually expanding and developing the “phishing-as-a-service” software they use to send millions of delivery and toll scam messages every month. These phishing kits continually add new lures to trick people into clicking malicious links, and can impersonate dozens of global brands. Last year, Americans lost more than $200 million as a result of successful phishing attempts, according to recently published FBI data.Norton started its investigations into hotel-linked fraud in December, after identifying a realistic-looking phishing message. The message, sent on WhatsApp from an account impersonating holiday website Booking.com, said it was from a specific hotel and listed the dates of an upcoming reservation, before asking the individual to click a link and confirm their details. The link led to a false website and included a chatbot that would instantly share any entered details, such as credit card information, with the hackers.Hackers could obtain people’s specific vacation booking details from a variety of places, including accessing hotel systems after sending them phishing messages or through third-party booking services. For example, hackers could send malware-laced emails or files to hotels to try to get their login details, rather than systems containing vulnerabilities that are exploited by cybercriminals. Previous research by Norton published in March mentions both Booking.com and hotel-management-system CloudBeds. “We have been able to get some of the messages that are received by the accommodation staff to get them phished,” Corrons says.“We would not say that every single phishing message we observed was definitively caused by a direct compromise of the hotel’s own internal systems,” the researcher says. Phishing messages could have been sent using information from other data breaches or systems not linked to the travel industry. “The common factor is that criminals are weaponizing real reservation context and pushing travelers into a fake verification or payment flow,” Corrons says.Corrons says Norton has been unable to fully unpick who may be behind the attacks but says investigations are ongoing. Those sending some of the phishing messages appear to be using phishing kits designed to speed up and automate the process of sending and collecting information, he says, and in several cases the same phishing kit or technical infrastructure has been used. The company is not publishing the full list of potentially compromised hotels and holiday accommodations, Corrons says; however, he says the company has been in touch with Europol about its findings.A Europol spokesperson declined to comment, saying it does not discuss its operational activity.“We continue to strengthen our defences to reduce risk and limit opportunities for bad actors to target our accommodation partners and our customers, and we are seeing results,” a Booking.com spokesperson says.Cloudbeds says the company has not been breached and the attacks described by the Norton researchers are credential-phishing campaigns targeting hotel staff and then customers. “The reason these scams are so effective is that the attacker isn't guessing: They know exactly who the guest is, when they’re arriving, and what they paid,” Aaron Ownbey, vice president of engineering at Cloudbeds, says.Attempts to hack hotels and use customer data to launch phishing attacks have been around for years. Across the travel industry, hotels will often use a range of property-management software or different systems that allow people to make bookings through third-party companies. At the same time, staff can easily manage key customer details and reservations. “The hospitality industry needs to collectively raise the security baseline—better training for front desk staff, wider adoption of phishing-resistant authentication, and tighter controls on how guest data can be accessed and exported from any platform,” Ownbey says.Smaller hotels are less likely to have in place security best practices, such as multifactor authentication for staff members, says Don Smith, the vice president of threat research at security company Sophos, which has worked with companies in the travel industry.For instance, in one incident handled by Sophos, a cybercriminal emailed a hotel saying they had lost their passport during a recent stay. In a followup message, the attacker included a link to a photo of the passport; however, when clicked it downloaded a file including the Vidar info stealer, which can collect login details from an infected computer. Days after the malware was deployed, fraudulent messages had been sent to customers from the hotel's Booking.com account and people were complaining they had lost money.“Threat actors love context because context makes a phishing lure much more compelling,” Smith says. “It’s very hard to not simply react and click on something to remove one element of stress from what may be a stressful travel experience.”Corrons, from Norton, says the inclusion of real information in phishing messages can make it harder to determine what is legitimate and what’s a scam. If in doubt, he says, get directly in touch with the hotel or vacation rental through another means of contact. “Even if the data in the message is real,” he says, “that doesn’t mean that you can trust the message.”CommentsBack to topTriangleYou Might Also LikeHow to find us: Add WIRED.com to your preferred sources in GoogleHow the Canvas hack threatened thousands of schoolsBig Story: I've covered robots for years—this one is eerily lifelikeOrbs, saucers, and flashes on the moon—here’s what’s in the UFO filesTake our survey: What does “home” mean to you?Matt Burgess is a senior writer at WIRED focused on information security, privacy, and data regulation in Europe. He graduated from the University of Sheffield with a degree in journalism and now lives in London. Send tips to [email protected]. ... Read MoreSenior writerXTopicssecurityCrimehacksprivacycybersecurityscamsTravelphishingRead MoreYour iPhone Gets Stolen. Then the Hacking BeginsA bustling underground ecosystem is providing criminals with the tools to unlock iPhones—and wage phishing attacks against their contacts to access bank accounts and more.Matt Burgess‘Reservation Hijacking’ Scams Target Travelers. Here’s How to Stay SafeThe hotel staffer who calls you with an urgent request for payment isn’t necessarily who they say they are.David Nield90,000 Screenshots of One Celebrity's Phone Were Exposed OnlineSpyware appears to have captured everything from intimate photos to private messages from the smartphone of European celebrity. They were publicly accessible until a researcher flagged the exposure.Matt BurgessA Hacker Group Is Poisoning Open Source Code at an Unprecedented ScaleGitHub is just the latest victim of TeamPCP, a gang that has carried out a spree of software supply chain attacks that has impacted hundreds of organizations.Andy GreenbergDangerous New Linux Exploit Gives Attackers Root Access to Countless ComputersThe exploit, dubbed CopyFail and tracked as CVE-2026-31431, allows hackers to take over PCs and data center servers. The Linux vulnerabilities have been patched—but many machines remain at risk.Dan Goodin, Ars TechnicaCybercriminal Twins Caught After They Forgot to Turn Off Microsoft Teams RecordingPlus: Instructure’s Canvas ransomware debacle comes to a close, an alleged dark net market kingpin gets arrested, OpenAI workers fall victim to a supply chain attack, and more.Andrew CoutsThousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open WebCompanies like Lovable, Base44, Replit, and Netlify use AI to let anyone build a web app in seconds—and in thousands of cases, spill highly sensitive data onto the public internet.Andy GreenbergHackable Robot Lawn Mower Unlocks a New NightmarePlus: Meta officially kills encrypted Instagram DMs, the Trump administration targets “violent left wing extremists,” leaked documents reveal Russia's school for elite hackers, and more.Matt BurgessOpenAI Enables Marketing Cookies by Default for Free ChatGPT UsersChatGPT’s new privacy policy states how the company uses cookies for tracking, to turn free users into paying subscribers.Reece RogersData Brokers’ and AI Firms’ Opt-Out Forms Are Built to Fail, Report FindsA new study finds AI companies, defense firms, and dating apps are among 38 data collectors allegedly using manipulative design to confuse users while collecting their data.Dell CameronOpenAI Rolls Out ‘Advanced’ Security Mode for At-Risk AccountsOpenAI is rolling out Advanced Account Security for people concerned that their ChatGPT or Codex accounts could be potential targets of phishing attacks.Lily Hay NewmanFoxconn Ransomware Attack Shows Nothing Is Safe ForeverFamous for helping build Apple’s iPhones, Foxconn just suffered another cyberattack, highlighting the perils of warehousing some of the world’s most valuable data.Lily Hay NewmanWIRED is obsessed with what comes next. Through rigorous investigations and game-changing reporting, we tell stories that don’t just reflect the moment—they help create it. When you look back in 10, 20, even 50 years, WIRED will be the publication that led the story of the present, mapped the people, products, and ideas defining it, and explained how those forces forged the future. WIRED: For Future Reference.More From WIREDSubscribeNewslettersLivestreamsTravelFAQWIRED StaffWIRED EducationEditorial StandardsArchiveRSSSite MapAccessibility HelpReviews and GuidesReviewsBuying GuidesStreaming GuidesWearablesCouponsGift GuidesAdvertiseContact UsManage AccountJobsPress CenterCondé Nast StoreUser AgreementPrivacy PolicyYour California Privacy Rights© 2026 Condé Nast. All rights reserved. WIRED may earn a portion of sales from products that are purchased through our site as part of our Affiliate Partnerships with retailers. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast. Ad ChoicesSelect international siteUnited StatesLargeChevronItaliaJapónCzech Republic & SlovakiaFacebookXPinterestYouTubeInstagramTiktok

Customer data from numerous hotels worldwide has been compromised through reservation-hijacking scams, which cybercriminals are now repurposing to execute highly targeted spear-phishing attacks aimed at stealing sensitive financial information. Security researchers, including Norton, analyzed phishing messages and cybercriminal infrastructure to document this extensive data breach. This analysis revealed that at least 350 accommodations, including hotels, vacation rentals, motels, and guesthouses across 50 different countries, were implicated in these scams. The stolen information includes specific traveler details such as booking names and reservation particulars, which are then leveraged to craft personalized phishing messages designed to deceive individuals into divulging credit card details.

The effectiveness of these scams stems from the use of legitimate booking context within the phishing lure. Researchers noted that incorporating real reservation details, such as hotel names, differing prices, and specific check-in and check-out dates, significantly increases the probability that a recipient will click a fraudulent link and surrender sensitive data to the criminals. Luis Corrons, who led the research, observed that this method constitutes spear phishing, precisely targeting the specific victim with authentic reservation details. Geographically, the analysis indicated that Germany contained the highest number of potentially compromised hotels, followed by France, the United Kingdom, Italy, Spain, and the United States. The estimated capacity of these compromised accommodations, most of which are small and medium-sized hotels, amounts to approximately 80,000 guests at peak occupancy.

These findings highlight the expanding capabilities of cybercriminals who utilize "phishing-as-a-service" software. These tools allow attackers to automate the sending of millions of scam messages monthly by continually developing new lures and impersonating diverse global brands. The case of Norton’s investigation began in December after they identified a realistic message sent via WhatsApp, impersonating Booking.com, which attempted to trick individuals into clicking a link leading to a fake website and a chatbot designed to instantly share inputted details, including credit card information. Hackers can obtain these booking details by exploiting hotel systems, accessing data through third-party booking services, or by sending malware-laced emails to hotel systems to acquire login credentials. While researchers acknowledge that not every phishing message resulted from a direct internal compromise of the hotel’s systems, the common thread is the weaponization of real reservation context to push travelers into fraudulent verification or payment flows.

Other incidents demonstrate the vulnerability across the travel industry. For example, a cybercriminal successfully coerced a hotel staffer into providing information, subsequently sending a file that downloaded a Vidar info stealer, which facilitated the collection of login details from an infected computer. This malware deployment was followed by fraudulent messages sent to customers from the hotel’s official account, leading to financial losses for victims. The principle underscored by these events is that threat actors prioritize context because it makes the phishing lure psychologically compelling; removing the stress associated with a potentially stressful travel experience makes individuals more likely to react impulsively to the request.

The hospitality sector faces a critical need to enhance its security posture. Experts suggest that the industry must collectively elevate its security baseline by implementing better training for front desk staff, mandating wider adoption of phishing-resistant authentication protocols, and establishing stricter controls over how guest data is accessed and exported across various platforms. Furthermore, smaller hotels, which often lack robust security measures, are particularly vulnerable. Security researchers emphasize that this gap in security can be exploited; for instance, a cybercriminal exploiting a vulnerability in a system could gain access to sensitive guest records.

The interconnectedness of the travel industry, which relies on various property-management software and third-party booking systems, creates numerous potential weak points. The core challenge involves securing the flow of guest data between various entities. While some systems, such as Cloudbeds, have confirmed they were not breached, the attacks demonstrated that targeting both hotel staff and customers remains a primary strategy for attackers. Ultimately, addressing this systemic risk requires a unified approach to securing the entire data lifecycle within the travel ecosystem to mitigate the evolving threat posed by context-aware phishing attacks.