Reservation Hijack Scam
A new travel scam pressures people to hand over payment details by pretending to ‘fix’ a booking, and experts are warning hospitality teams to watch for similar tactics. Fraud like this damages trust fast — high-value guests are especially sensitive to odd payment requests or confusing confirmation messages. The practical fallout is simple: clarity and consistent channels for reservation confirmation are now a visible part of luxury service. (dailymail.co.uk)
The message looks routine because it uses your real hotel name, your real travel dates, and sometimes your real reservation number, then says your card needs to be “re-verified” or your stay will be canceled. Security researchers at Gen Digital say that mix of accurate details and urgency is the core of the “reservation hijack” scam. (gendigital.com)
This is not the old version of travel fraud where a fake hotel emails thousands of strangers and hopes a few click. In the newer version, criminals often get access to real reservation data first, so the message feels like customer service instead of a scam. (gendigital.com)
Gen Digital says the scam usually runs on two tracks. One track sends fake WhatsApp, text, or email messages that imitate a booking platform, and the other steals hotel staff credentials so criminals can work from inside real hospitality software. (gendigital.com) That second track is the one that makes people drop their guard. If attackers get into a hotel’s account or property-management system, they can message guests through channels that normally carry legitimate pre-arrival notes, invoices, and check-in instructions. (us.norton.com)
Booking.com has been tied to this pattern before because its messaging system is a place guests already trust. Consumer group Which? says Booking.com would not ask customers to share payment information by email, chat, text message, or phone, so a request to type card details into a link sent that way is a scam signal, not a booking step. (which.co.uk)
The hotel side often starts with a phishing email sent to staff, not guests. Microsoft Threat Intelligence said in March 2025 that a campaign impersonating Booking.com was targeting hospitality workers across North America, Europe, Asia, and Oceania to steal credentials and enable financial fraud. (microsoft.com) Once criminals are inside, they do not need to invent a believable story from scratch. They can see who is arriving, when the stay begins, and which reservation is expensive enough that a guest might quickly pay a “deposit” rather than risk losing it. (gendigital.com) That is why these messages often push a short deadline like 24 hours or say payment failed just before arrival. Norton says the scam is designed to make travelers act before they stop and call the hotel on a number they found themselves. (us.norton.com)
For hotels, the damage is not limited to one stolen card. Malwarebytes has warned that a compromised booking workflow can expose guest names, contact details, payment context, and in some cases open the door to wider ransomware or data-theft incidents. (malwarebytes.com)
For travelers, the safest rule is blunt: never pay through a link dropped into a message that claims there is suddenly a booking problem. Which? says any genuine payment issue should be checked by logging into the platform directly or calling the hotel through contact details you looked up independently. (which.co.uk)
For hospitality teams, the fix is boring but visible: tighter staff login security, fewer ad hoc payment requests, and one consistent confirmation channel. In a scam built to mimic normal service, every extra payment exception and every off-platform message makes the fake one easier to believe. (gendigital.com)
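For hospitality teams, one way to screen guest-facing messages for the signals described above (payment language combined with an off-channel link or a deadline) before they are sent. This is an added example, not code from the article or from any vendor it cites; the allowlisted domain, the keyword patterns and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: the only domain this property uses for payment links (placeholder).
ALLOWED_DOMAINS = {"example-hotel.test"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
PAYMENT_RE = re.compile(r"\b(re-?verif\w*|card|payment|deposit)\b", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(within \d+ hours?|cancell?ed|cancellation|immediately|urgent(ly)?)\b",
    re.IGNORECASE)

def is_allowed(host):
    """Exact domain or true subdomain only, so lookalike prefixes do not pass."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def untrusted_hosts(text):
    """Hostnames of every link in the message that is off the allowlist."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            host = urlparse(url).hostname or ""
        except ValueError:  # malformed URL: keep it, treated as untrusted
            host = url
        if not is_allowed(host):
            hosts.add(host)
    return sorted(hosts)

def review_message(text):
    """Return reasons to hold a guest-facing message; an empty list means send."""
    if not PAYMENT_RE.search(text):
        return []
    reasons = []
    hosts = untrusted_hosts(text)
    if hosts:
        reasons.append("payment request links to " + ", ".join(hosts))
    if URGENCY_RE.search(text):
        reasons.append("payment request carries a deadline or cancellation threat")
    return reasons

# Constructed sample messages, not taken from any real campaign.
SAMPLES = [
    "Your card needs to be re-verified within 24 hours or your stay will be "
    "canceled: https://example-hotel.test.card-check.example/verify",
    "Your deposit receipt is at https://pay.example-hotel.test/receipt/1001.",
    "Welcome! Breakfast is served from 7 am in the lobby.",
]
```

The first sample is held on both counts because its hostname only begins with the hotel's domain; the second passes because the link is a true subdomain and carries no deadline.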