Cybercriminals Exploit Real Hotel Bookings in Targeted Phishing Attacks

Cybercriminals are leveraging real hotel reservation data stolen from over 350 hotels worldwide to conduct highly targeted phishing attacks aimed at stealing travelers’ credit card information.

What happened

Security researchers at Norton have uncovered a widespread campaign where attackers hijack genuine hotel booking details to craft realistic spear-phishing messages. These phishing attempts impersonate well-known travel brands and include specific stay information such as hotel names and reservation dates, making the scams more convincing. The investigation found at least 350 hotels, vacation rentals, and guesthouses across 50 countries compromised, impacting accommodations that can host around 80,000 guests at peak times.

Phishing messages are distributed through SMS, WhatsApp, and email, often asking victims to confirm details on fraudulent websites equipped with chatbots that immediately collect entered credit card information and transmit it to the attackers. The attackers acquire booking details by targeting hotel staff with credential phishing campaigns or by exploiting data from third-party booking services and other breaches. While not all phishing messages result from direct system hacks, criminals use available reservation data to create credible scams.

Countries with the most affected hotels include Germany, France, the UK, Italy, Spain, and the US. Researchers noted that many targeted accommodations are small- and medium-sized establishments, which typically have weaker cybersecurity measures.

Why it matters

This scheme highlights the increasing sophistication of phishing attacks that exploit legitimate contextual information to trick victims into divulging sensitive data. Using actual reservation details dramatically raises the success rate of scams, leading to potentially substantial financial losses for travelers. In 2025, Americans lost more than $200 million to phishing attacks, according to FBI data.

The travel industry’s reliance on varied property and booking management systems makes comprehensive security challenging, especially for smaller hotels that often lack multifactor authentication and adequate staff training. These weaknesses create opportunities for criminals to infiltrate systems, manipulate genuine data, and deploy credible scams.

Background

Phishing attacks targeting hotels and their customers have existed for years, evolving alongside cybersecurity defenses. Many hotels use third-party platforms to manage reservations, which can be vulnerable to credential phishing and malware attacks. Attackers often target hotel employees to access reservation data before directing fraudulent communications to guests.

In response, travel industry stakeholders such as Booking.com and Cloudbeds emphasize strengthening defenses, improving staff cybersecurity training, and implementing phishing-resistant authentication methods. Norton has informed Europol of its findings, though authorities have not publicly commented on ongoing investigations.

Security experts advise travelers to independently verify booking communications by contacting hotels directly rather than clicking on unsolicited links, even if messages contain accurate booking information.


Giorgio Kajaia