Imagine receiving a WhatsApp message from your hotel’s Guest Relations team just days before your family vacation. It contains your correct check-in date, the exact property name, and a professional-sounding request to verify your payment method to ensure a “smooth arrival”. It doesn’t feel like a scam—it feels like excellent customer service.
This is the reality of the Reservation Hijack Scam, a sophisticated fraud pipeline recently detailed in a report by Gen Digital. Unlike traditional phishing that relies on “bad grammar” or “generic messages,” this new wave of attacks is “built on stolen context and relayed trust”.
The core of this scam’s success is its use of legitimate data to bypass our natural suspicion. Most phishing is easy to spot because it arrives without context, but these messages reflect “real context back at the victim,” including the hotel name, destination, and genuine stay window.
As the report explains:
“When a scam contains real details, it stops feeling like spam and starts feeling like customer service”.
To further bypass defenses, attackers often add a “short fuse”—typically a 24 or 48-hour deadline—to force fast compliance before a traveler thinks to call the property directly.
The report identifies two distinct “fronts” for this scam:
- The Booking-Platform Lure: Attackers use WhatsApp, SMS, or email lookalikes to push victims to fake guest portals or “typo-squatted domains” designed to harvest credit card details.
- The Hotel Software Abuse: This is the most dangerous variant. Attackers first phish the hotel staff to steal credentials for hospitality management platforms like Cloudbeds.
Once inside the real management environment, the criminal can see future reservations and contact guests through “legitimate hotel-linked workflows”. In these cases, the phishing message isn’t just plausible; it arrives as a “legitimate continuation of their existing booking conversation,” making it nearly impossible for the average traveler to detect.
This is not a localized issue. High activity has been concentrated in the United Kingdom, France, Germany, the United States, Brazil, and Australia. The theft often involves a “pipeline” of deception, including branded PDFs that act as a “buffer” to add one more layer of credibility before the final theft of payment information.
Because these attackers use “trust amplifiers,” standard advice is no longer enough. To stay safe, Gen Digital offers these critical tips:
- Trust the booking, not the message: If you receive a request to verify payment details, “do not tap the link,” even if it appears in an existing chat thread.
- Use official channels: Go directly to the hotel’s official app or website yourself to check your status.
- Verify contact info: If you need to call the property, use a number from your “original booking or the verified website,” not a number provided in a suspicious message.
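For a hotel or mail-security team, the lure pattern described above (a payment-verification request, a 24 or 48-hour deadline, and a link away from the property's own domain) can be checked mechanically. The sketch below is an added example, not code from Gen Digital's report; the domain `seaview-hotel.example`, the sample message, and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
PAYMENT_RE = re.compile(
    r"\b(verify|confirm|update|validate)\b.{0,40}\b(payment|card|billing)\b", re.I | re.S)
DEADLINE_RE = re.compile(r"\b(24|48)\s*-?\s*(?:hours?|hrs?|h)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, official):
    """Return 'official', 'lookalike' or 'unrelated' for a link's hostname."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in official):
        return "official"
    for d in official:
        # Near-miss spelling, or the brand label reused under another domain.
        if edit_distance(host, d) <= 2 or d.split(".")[0] in host:
            return "lookalike"
    return "unrelated"

def triage(message, official):
    """Score one guest-facing message against the lure pattern in the report."""
    links = {}
    for url in URL_RE.findall(message):
        host = urlsplit(url).hostname or ""
        links[host] = classify_host(host, official)
    signals = {
        "payment_request": bool(PAYMENT_RE.search(message)),
        "short_deadline": bool(DEADLINE_RE.search(message)),
        "off_domain_link": any(c != "official" for c in links.values()),
    }
    if signals["payment_request"] and signals["off_domain_link"]:
        verdict = "high"      # payment request pointing away from the property's domain
    elif signals["payment_request"]:
        verdict = "review"    # a real channel can still carry the lure; confirm directly
    else:
        verdict = "low"
    return {"verdict": verdict, "signals": signals, "links": links}

# Constructed sample data: the hotel, domain and message are made up.
OFFICIAL = {"seaview-hotel.example"}
LURE = ("Guest Relations, Seaview Hotel: to ensure a smooth arrival on 14 June, please "
        "verify your payment method within 24 hours: https://seavlew-hotel.example/guest")
```

A payment request that links to the official domain still returns `review` rather than `low`, because in the hotel-software variant the message travels through the property's real channel.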
The hotel is no longer just a potential victim; “in the eyes of the guest, it can become the face of the scam”. Robust, phishing-resistant authentication and anomaly detection are now essential to protecting both guest data and brand reputation.