Hackers Are Using Your Real Hotel Booking Data to Craft Scarily Accurate Phishing Attacks

Travelers’ information and booking details may have been stolen from hundreds of hotels around the world, according to new findings from security researchers. These swiped trip details, such as booking names and reservation information, are then being repurposed by cybercriminals to create highly targeted phishing messages used to steal credit card information. At least 350 hotels, vacation rentals, motels, and guesthouses in 50 different countries have been caught up in so-called reservation hijacking scams, according to an analysis of phishing messages and cybercriminal infrastructure by security company Norton.

Targeted Spear Phishing with Real Reservation Data

Researchers say the use of legitimate booking information in phishing messages may increase the chances that someone clicks on a fraudulent link and hands over other sensitive details to criminals. “This is really targeted,” says Luis Corrons, who led the research by Norton’s parent company, Gen. Phishing websites the company analyzed included hotel names, differing prices for each victim, with specific check-in and check-out details being added to the pages. “It’s spear phishing targeted to the specific victim with the real details of the reservation.” Across the data analyzed by the researchers, Germany appeared to have the most hotels that could have had customer data compromised, followed by France, the United Kingdom, Italy, Spain, and the United States. The 350 accommodations named in the scam SMS, WhatsApp, and email messages have capacity for around 80,000 guests at their peak, the researchers estimate. “Most of the accommodations are not big, they are small- and medium-size hotels,” says Corrons.

The Growing Threat of Phishing-as-a-Service

While attempts to hack into hotel systems to gather customer booking information have been around for years, the findings come as cybercriminals are continually expanding and developing the “phishing-as-a-service” software they use to send millions of delivery and toll scam messages every month. These phishing kits continually add new lures to trick people into clicking malicious links, and can impersonate dozens of global brands. Last year, Americans lost more than $200 million as a result of successful phishing attempts, according to recently published Federal Bureau of Investigation data. Norton started its investigations into hotel-linked fraud in December, after identifying a realistic-looking phishing message. The message, sent on WhatsApp from an account impersonating holiday website Booking.com, said it was from a specific hotel and listed the dates of an upcoming reservation, before asking the individual to click a link and confirm their details. The link led to a false website and included a chatbot that would instantly share any entered details, such as credit card information, with the hackers.

How Hackers Obtain Booking Data

Hackers could obtain people’s specific vacation booking details from a variety of places, including accessing hotel systems after sending them phishing messages or through third-party booking services. For example, hackers could send malware-laced emails or files to hotels to try to get their login details, rather than systems containing vulnerabilities that are exploited by cybercriminals. Previous research by Norton published in March mentions both Booking.com and hotel-management-system CloudBeds. “We have been able to get some of the messages that are received by the accommodation staff to get them phished,” Corrons says. “We would not say that every single phishing message we observed was definitively caused by a direct compromise of the hotel’s own internal systems,” the researcher says. Phishing messages could have been sent using information from other data breaches or systems not linked to the travel industry.

Ongoing Investigations and Criminal Tactics

“The common factor is that criminals are weaponizing real reservation context and pushing travelers into a fake verification or payment flow,” Corrons says. Corrons says Norton has been unable to fully unpick who may be behind the attacks but says investigations are ongoing. Those sending some of the phishing messages have been linked to broader cybercriminal networks, though the researchers have not yet identified specific individuals or groups. The use of real booking data in these attacks represents a significant escalation in social engineering tactics, as victims are far more likely to trust a message that contains accurate details about their upcoming stay. Norton continues to monitor the infrastructure used in these scams and is working with affected hotels and booking platforms to mitigate further compromises.

Market Context

As of today, May 28, 2026, Bitcoin is trading at $73,374, down 3.3% over the past 24 hours. Ethereum is priced at $1,989.49, a decline of 4.5% in the same period.