Reservation Hijacking: Hundreds of Hotels Worldwide Targeted in Sophisticated Phishing Scheme
Cybercriminals are leveraging stolen traveler information to launch highly targeted phishing attacks against hotel guests. At least 350 hotels across 50 countries have been affected by these "reservation hijacking" scams, which aim to steal credit card information through realistic-looking messages.
Travelers beware: your hotel booking details may be compromised. Security researchers have uncovered a widespread campaign targeting hundreds of hotels worldwide, resulting in the theft of sensitive trip information used to craft highly effective phishing attacks. These scams, known as "reservation hijacking," are designed to trick victims into divulging their credit card details.
**Scope of the Attack**
According to an analysis by **Norton**, at least 350 hotels, vacation rentals, motels, and guesthouses in 50 countries have been caught up in this scheme. The stolen data, including booking names and reservation information, is used to create personalized phishing messages that appear legitimate, increasing the likelihood that recipients will click on malicious links.
"This is really targeted," says Luis Corrons, who led the research at **Gen**, Norton's parent company. The phishing websites analyzed contained hotel names, varying prices tailored to each victim, and specific check-in/check-out details. "It's spear phishing targeted to the specific victim with the real details of the reservation."
Germany appears to be the most affected country, followed by France, the UK, Italy, Spain, and the US. The targeted accommodations have a combined capacity of around 80,000 guests. Corrons notes that most of the affected establishments are small- and medium-sized hotels.
**Phishing-as-a-Service Amplifies the Threat**
The findings highlight the increasing sophistication of cybercriminals who are continually expanding and developing "phishing-as-a-service" software. These kits allow them to send millions of fraudulent messages impersonating various global brands. According to **FBI** data, Americans lost over $200 million to phishing attacks last year alone.
Norton's investigation began in December after identifying a realistic-looking phishing message sent via WhatsApp, impersonating **Booking.com**. The message included reservation dates and a request to confirm details via a link. This link led to a fake website with a chatbot designed to steal sensitive information.
**How Hackers Obtain Booking Details**
Hackers can acquire vacation booking details through several methods, including compromising hotel systems or exploiting third-party booking services. They may send malware-laced emails to hotel staff to steal login credentials. Previous research by Norton mentioned both Booking.com and the hotel management system **Cloudbeds** as potential targets.
"We have been able to get some of the messages that are received by the accommodation staff to get them phished," Corrons says.
Corrons emphasizes that not every phishing message is the result of a direct compromise of hotel systems. Information from other data breaches or unrelated systems could also be used. "The common factor is that criminals are weaponizing real reservation context and pushing travelers into a fake verification or payment flow."
While Norton is still investigating the perpetrators, it appears they are using phishing kits to automate the process. The company has shared its findings with **Europol**, though the agency declined to comment.
A Booking.com spokesperson stated, "We continue to strengthen our defences to reduce risk and limit opportunities for bad actors to target our accommodation partners and our customers, and we are seeing results."
Cloudbeds asserts that it has not been breached and that the attacks are credential-phishing campaigns targeting hotel staff and customers. Aaron Ownbey, vice president of engineering at Cloudbeds, explains, "The reason these scams are so effective is that the attacker isn't guessing: They know exactly who the guest is, when they're arriving, and what they paid."
**Mitigation Strategies**
**Don Smith**, vice president of threat research at **Sophos**, emphasizes that smaller hotels often lack robust security measures like multifactor authentication. He cites an incident where a hotel employee was tricked into downloading the **Vidar** info stealer after clicking a link in an email claiming to be from a guest who lost their passport. This led to fraudulent messages being sent from the hotel's Booking.com account.
"Threat actors love context because context makes a phishing lure much more compelling," Smith says.
Corrons advises travelers to be cautious and verify any suspicious messages by contacting the hotel or vacation rental directly through alternative means. "Even if the data in the message is real," he warns, "that doesn't mean that you can trust the message."
Ownbey recommends that the hospitality industry collectively raise its security baseline through better training for front desk staff, wider adoption of phishing-resistant authentication, and tighter controls on how guest data is accessed and exported from any platform.