Hotel booking scams hit travellers harder

Travellers are facing a growing wave of cyber fraud in which criminals exploit hotel booking channels, hijack trusted communications and send bogus payment requests that appear tied to genuine reservations. The tactic is drawing attention because the messages often include real hotel names, stay dates or payment references, making them look routine rather than suspicious. Security researchers and travel platforms say the fraud is increasingly built around compromised hotel or partner accounts, allowing attackers to approach guests through systems they already trust.

What makes the scheme dangerous is its mix of authentic booking context and social engineering. Attackers do not always need to breach a central booking platform to deceive guests. In many cases, they first target accommodation providers or hospitality staff with phishing emails, steal account credentials and then use those accounts to send payment demands, card verification notices or threats of cancellation. Microsoft said a threat cluster it tracks as Storm-1865 has run phishing campaigns linked to payment data theft and fraudulent charges since at least early 2023, with activity evolving through 2024 and into 2025.

The messages are effective because they imitate the normal friction of travel. Guests are accustomed to being contacted about deposits, check-in windows, tax charges or card verification, especially for international stays. That gives criminals an opening to push urgent instructions that appear mundane. Booking.com’s own traveller safety guidance says no legitimate transaction should require a customer to share card details by phone, text message or email, and advises travellers to distrust any payment demand that falls outside the property’s stated policy. Microsoft’s guidance mirrors that warning, telling users to avoid links in unsolicited messages and to navigate to the provider directly instead.

Evidence from fraud alerts suggests the losses are no longer anecdotal. A UK warning based on Action Fraud reporting said 532 reports linked to the scam were filed between June 2023 and September 2024, with losses of £370,000. In Australia, Scamwatch figures cited by multiple outlets showed 363 reports mentioning Booking.com in 2023, up sharply from 53 a year earlier, with losses of more than A$337,000. Those figures probably understate the wider toll because many fraud victims do not report small or embarrassing losses, and some discover the deception only after travelling.

The hotel sector’s exposure to this type of abuse is tied to a broader cyber-security problem. Hotels and travel companies handle payment details, passport information, loyalty accounts and high volumes of time-sensitive customer communication, all of which make them attractive targets. The US Federal Trade Commission said in October 2024 that Marriott and Starwood’s security failures had contributed to three large breaches affecting more than 344 million customers worldwide. The case centred on older incidents, but regulators used it to underline a persistent weakness in password controls, monitoring, segmentation and multi-factor authentication across a global hotel network.

That backdrop helps explain why criminals are shifting from blunt phishing emails to more tailored fraud. Once inside a hotel-facing system, an attacker can use live booking data to craft convincing payment requests and increase the odds that a guest will act without checking. Security reporting this week described the pattern as a “reservation hijack” scam, where stolen credentials and booking information are turned into targeted fraud rather than mass spam. Microsoft has also described newer campaigns using more elaborate delivery methods, including malware-laced phishing, showing that attackers are refining both access and monetisation.

Travel platforms and law-enforcement bodies are trying to push a simple message: trust the booking record, not the sudden demand. Guests are being told to verify payment terms already listed in their reservation, contact the hotel or platform through official channels, and treat any urgent card request by email, chat or WhatsApp as suspect. For hotels, the burden is heavier. They are being pressed to harden staff logins, enforce multi-factor authentication, monitor unusual messaging activity and train employees to spot credential theft attempts before a guest account or reservation trail is abused.