Hackers Exploit Hotel Booking Systems to Send Fake Payment Requests to Guests

GBHackers On Security, Apr 1, 2026

Why It Matters

The scam turns trusted guest‑communication channels into fraud vectors, exposing both travelers and hotels to significant financial loss and reputational damage.

Key Takeaways

  • Hackers hijack hotel booking platforms via staff credential theft
  • Personalized messages use real reservation data to deceive guests
  • Fraudsters redirect victims to fake payment pages, stealing cards
  • Attack spans WhatsApp, SMS, email, and booking‑platform chats
  • Hotels need phishing‑resistant authentication and staff training

Pulse Analysis

The rise of "Reservation Hijack" scams marks a shift from generic phishing to context‑rich attacks that exploit the hospitality industry's digital workflow. By stealing credentials from hotel staff or partners, cybercriminals gain direct access to reservation databases, allowing them to craft messages that reference exact stay dates, hotel names, and payment statuses. This granular personalization builds trust, bypassing the skepticism that typically guards against traditional phishing emails. As travelers increasingly rely on messaging apps and integrated booking chats, the attack surface expands, blurring the line between legitimate service updates and malicious solicitations.

For hotels, the breach is not merely a data‑theft incident but a systemic vulnerability. Compromised accounts can be used to send fraudulent payment links through official channels such as Booking.com’s messaging system or a hotel’s own guest‑relations portal. Because the communication originates from a verified source, standard security alerts often fail to flag the activity. The multi‑channel nature of the scam—spanning WhatsApp, SMS, and email—means that a single point of failure can cascade into widespread fraud, potentially costing establishments millions in chargebacks and eroding guest confidence.

Mitigation requires a layered defense strategy. Implementing phishing‑resistant authentication methods, such as hardware tokens or password‑less login, reduces the likelihood of credential theft. Regular staff training on social engineering tactics and continuous monitoring of outbound guest communications can spot anomalies before they reach customers. For travelers, the safest practice remains verifying any payment request through the official hotel app or website rather than clicking embedded links. As attackers refine their techniques, the hospitality sector must treat its communication platforms as critical assets, integrating security into the guest experience to stay ahead of evolving fraud schemes.
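One way to monitor outbound guest communications, as an added sketch that is not from the original article: hold any outbound message whose link points to a host outside the property's own allowlist, and note when payment wording accompanies it. The host names, message fields and sample outbox are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this property legitimately links guests to (constructed).
ALLOWED_HOSTS = {"pay.example-hotel.test", "booking.example-hotel.test"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
PAYMENT_RE = re.compile(r"\b(payment|card|declined|verify|confirm)\b", re.IGNORECASE)

def host_allowed(host: str) -> bool:
    """Exact or subdomain match; substring checks would pass lookalike hosts."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)

def review_message(body: str) -> list[str]:
    """Return the reasons an outbound guest message should be held for review."""
    reasons = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if not host_allowed(host):
            reasons.append(f"link to non-allowlisted host: {host}")
    if reasons and PAYMENT_RE.search(body):
        reasons.append("payment wording next to an external link")
    return reasons

def held_messages(outbox: list[dict]) -> dict[int, list[str]]:
    """Map message id -> reasons, for every message that should not be sent."""
    held = {}
    for msg in outbox:
        reasons = review_message(msg["body"])
        if reasons:
            held[msg["id"]] = reasons
    return held

# Constructed sample outbox; channels are the ones the article lists.
SAMPLE_OUTBOX = [
    {"id": 1, "channel": "email", "body": "Check in online: https://booking.example-hotel.test/checkin/AB12"},
    {"id": 2, "channel": "platform-chat", "body": "Your card was declined. Confirm payment here: https://example-hotel-pay.example/verify"},
    {"id": 3, "channel": "sms", "body": "Reservation update: https://pay.example-hotel.test.guest-portal.example/r/AB12"},
    {"id": 4, "channel": "whatsapp", "body": "Thank you for staying with us."},
]

if __name__ == "__main__":
    for msg_id, reasons in held_messages(SAMPLE_OUTBOX).items():
        print(msg_id, reasons)
```

Because the check runs on message content rather than on the sender, it still applies when the message is sent from a legitimately authenticated but compromised staff account.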
