Cybercriminals Exploit Hotel Booking Systems in Global Reservation Hijack Scam Targeting Travelers

Cybercriminals Exploit Hotel Booking Systems to Defraud Guests with Fake Payment Requests

In a rapidly evolving cyber threat landscape, travelers worldwide are falling victim to a sophisticated fraud scheme that manipulates legitimate hotel booking processes to issue fraudulent payment requests. This deceptive tactic, known as the Reservation Hijack Scam, leverages authentic reservation details to craft convincing messages, leading unsuspecting guests to transfer funds directly into the hands of cybercriminals.

The Mechanics of the Scam

The fraud typically begins with a message sent via channels such as WhatsApp, SMS, or email, or even through official booking platform communications. These messages, which appear to originate from a hotel’s Guest Relations team, reference genuine booking information, including the property name, stay dates, and sometimes the exact amount due. This level of detail creates a false sense of security and makes the request look like a routine pre-arrival payment verification.

Cybersecurity researchers Martin Chlumecký and Luis Corrons from Gen Digital have extensively analyzed this threat. They highlight that the scam is not merely a phishing attempt with a travel theme but a comprehensive attack that exploits stolen reservation data and the inherent trust between guests and hotels. The highest incidence of this scam has been reported in countries such as the United Kingdom, France, Germany, the United States, Brazil, and Australia.

Dual-Front Attack Strategy

The Reservation Hijack Scam operates on two primary fronts:

1. Booking-Platform Lures: In this approach, victims receive messages through various communication channels that appear to be from hotel staff. These messages direct guests to counterfeit payment portals, designed to harvest financial information.

2. Direct Hotel System Compromise: This more insidious method involves attackers infiltrating hotel management software platforms, such as Cloudbeds, by phishing hotel employees to obtain their login credentials. Once inside, cybercriminals gain access to real reservation data and use legitimate hotel communication tools to send fraudulent payment requests, making the deception nearly indistinguishable from genuine hotel correspondence.

Infiltration of Hotel Management Systems

The compromise of hotel management systems marks a significant escalation in this scam. By stealing staff credentials through deceptive login pages, attackers can access hotel management environments, viewing future reservations, guest names, contact details, stay periods, and payment information. In some instances, attackers have employed tactics that trick hotel partners into executing malicious commands disguised as mandatory security updates. These commands install remote access trojans, granting persistent access to the system.

With such access, attackers can send fraudulent payment requests directly through legitimate hotel or booking-linked accounts—channels that guests trust and associate with their actual reservations. Victims have reported receiving professionally crafted PDF documents impersonating hotel groups, complete with payment deadlines of 24 to 48 hours. These documents often redirect victims to typo-squatted domains designed to harvest credit card details, bank transfers, or other payment information.
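The typo-squatted payment links described above can be screened mechanically before anyone pays. The following Python sketch is an added example, not code from the researchers or any booking platform; the hotel domain, the sample message and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list: the hotel's real domain (hypothetical .example name).
OFFICIAL = {"grandharbor-hotel.example"}
# Digit-for-letter swaps commonly seen in look-alike names.
SWAPS = str.maketrans("015", "ols")

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    """Lower-cased hostname without a leading 'www.', or '' if none."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return ""
    return host[4:] if host.startswith("www.") else host

def classify(url, official=OFFICIAL):
    """Return 'official', 'lookalike', 'unrelated' or 'unparseable'."""
    host = host_of(url)
    if not host:
        return "unparseable"
    if any(host == d or host.endswith("." + d) for d in official):
        return "official"
    norm = host.translate(SWAPS)  # undo 0->o, 1->l, 5->s substitutions
    for d in official:
        brand = d.split(".")[0]
        # Near-miss spelling, or the brand embedded in someone else's domain.
        if edit_distance(norm, d) <= 2 or brand in norm:
            return "lookalike"
    return "unrelated"

def review(message):
    """Classify every http(s) link found in a payment-request message."""
    links = re.findall(r"https?://[^\s<>\"')]+", message)
    return {u: classify(u) for u in links}

SAMPLE = (  # constructed message text
    "Please confirm your card within 24 hours: "
    "https://grandharb0r-hotel.example/verify?ref=0000 "
    "Your booking: https://grandharbor-hotel.example/my-stay"
)
```

Only links classified as official point at the hotel's own domain; anything else in a payment request warrants confirmation through a verified contact method.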

Broader Implications and Related Threats

This scam is part of a broader trend of cyber threats targeting the hospitality industry. For instance, a phishing campaign identified in November 2025 targeted hotel establishments and their guests through compromised Booking.com accounts. Dubbed the “I Paid Twice” scheme, this operation combined credential theft with multi-stage malware deployment, creating a complex threat to the global hospitality sector. Attackers compromised hotel administrator systems through spear-phishing emails impersonating legitimate Booking.com communications, leading to unauthorized access to booking platforms and subsequent fraudulent activities.

Another notable attack involved cybercriminals impersonating Booking.com to trick hotel staff into installing malware on their systems. This campaign leveraged social engineering techniques and exploited the time-sensitive nature of hotel bookings to create a sense of urgency, compelling victims to act without proper security verification. Malicious actors sent fake Booking.com emails to hotel staff containing seemingly legitimate reservation details, instructing recipients to copy and paste a URL into their browser to confirm the booking, ultimately leading to malware installation.

Protective Measures for Hotels and Guests

To mitigate the risks associated with these scams, both hotels and guests must adopt proactive security measures:

For Hotels:

– Implement Multi-Factor Authentication (MFA): Enforce MFA on all partner accounts to add an extra layer of security.

– Restrict Access: Limit access to booking portals to authorized personnel only.

– Vigilant Email Practices: Treat unexpected emails, especially those containing links or attachments, with caution, even if they appear to come from known brands.

– Monitor System Activity: Log and alert on new sign-ins, password resets, and unusual outbound redirects to detect potential breaches early.

– Regular Security Training: Educate staff on recognizing phishing attempts and the importance of verifying the authenticity of communications.

For Guests:

– Verify Payment Requests: Be cautious of payment requests received through chat apps or emails. Confirm any payment-related communications by contacting the hotel directly using verified contact methods.

– Avoid Clicking Suspicious Links: Do not click on links in unsolicited messages. Instead, manually enter the hotel’s official website URL into your browser.

– Monitor Financial Statements: Regularly review bank and credit card statements for unauthorized transactions.

– Report Suspicious Activity: If you suspect you’ve been targeted by such a scam, report it to the hotel and relevant authorities immediately.
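The "Monitor System Activity" measure for hotels can be expressed as detection logic over account audit events. The Python sketch below is an added example, not part of the original article or any vendor's product; the log field names (ts, user, event, ip, link), the hotel domain and the sample events are assumptions constructed for illustration, and "unusual outbound redirects" is interpreted here as guest messages linking outside the hotel's own domains.

```python
import json
from urllib.parse import urlsplit

# Assumptions: hypothetical audit-log fields and a constructed hotel domain;
# map them to whatever your management platform actually exports.
OFFICIAL = ("grandharbor-hotel.example",)

EVENTS = [  # constructed sample log lines
    '{"ts":"2025-01-09T08:00:00Z","user":"frontdesk1","event":"signin","ip":"198.51.100.10"}',
    '{"ts":"2025-01-10T02:14:00Z","user":"frontdesk1","event":"signin","ip":"203.0.113.77"}',
    '{"ts":"2025-01-10T02:16:00Z","user":"frontdesk1","event":"password_reset"}',
    '{"ts":"2025-01-10T02:20:00Z","user":"frontdesk1","event":"guest_message",'
    '"link":"https://grandharb0r-hotel.example/verify"}',
    '{"ts":"2025-01-10T09:00:00Z","user":"frontdesk2","event":"guest_message",'
    '"link":"https://grandharbor-hotel.example/checkin"}',
]

def is_official(url):
    """True when the link's host is the hotel's domain or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def detect(lines, baseline):
    """Return (ts, user, alert, severity) tuples for the three signals.

    baseline maps each user to the set of source IPs already seen for them.
    """
    seen = {u: set(ips) for u, ips in baseline.items()}
    changed = set()  # users with a new sign-in source or reset in this batch
    alerts = []
    for line in lines:
        e = json.loads(line)
        user, kind = e["user"], e["event"]
        if kind == "signin" and e["ip"] not in seen.setdefault(user, set()):
            seen[user].add(e["ip"])
            changed.add(user)
            alerts.append((e["ts"], user, "new_signin_source", "medium"))
        elif kind == "password_reset":
            changed.add(user)
            alerts.append((e["ts"], user, "password_reset", "medium"))
        elif kind == "guest_message" and e.get("link") and not is_official(e["link"]):
            # An off-domain link sent after an account change matches the
            # hijacked-account pattern described in this article.
            sev = "high" if user in changed else "medium"
            alerts.append((e["ts"], user, "offsite_link_to_guest", sev))
    return alerts
```

Correlating the three signals per user is what raises the off-domain link to high severity; each signal alone stays at medium.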

Conclusion

The Reservation Hijack Scam underscores the evolving tactics of cybercriminals who exploit trust and legitimate processes to deceive victims. By understanding the mechanics of these scams and implementing robust security practices, both hotels and travelers can better protect themselves against such fraudulent activities.