A new security investigation has revealed that customer booking data from more than 350 hotels, vacation rentals, motels, and guesthouses across 50 countries may have been accessed and weaponized in sophisticated phishing campaigns.

Cybercriminals are reportedly using real reservation details—such as guest names, check-in dates, and hotel information—to craft highly convincing scam messages sent via SMS, email, and messaging apps like WhatsApp.

According to researchers at Norton, these attacks rely on “reservation hijacking,” where stolen or obtained booking information is inserted into fake verification or payment requests.

The use of authentic travel details makes the phishing attempts significantly more believable, increasing the likelihood that victims will click malicious links and provide sensitive financial information.In some cases, the fake websites even include chatbots designed to instantly collect and transmit user-entered data to attackers.The analysis suggests that hotels in Germany, France, the UK, Italy, Spain, and the United States are among the most affected.

Many of the targeted establishments are small and medium-sized businesses, which often lack advanced cybersecurity protections such as multi-factor authentication or robust staff training.

Researchers note that attackers may gain access to reservation data through multiple pathways, including phishing hotel staff, exploiting third-party booking platforms, or leveraging previously leaked datasets.The broader ecosystem of “phishing-as-a-service” tools is also making it easier for criminals to automate large-scale attacks.Industry representatives from Booking.com and Cloudbeds emphasized that their systems were not directly breached, instead attributing incidents to credential theft and social engineering against hotel staff.Experts warn that the growing use of real contextual data in scams makes detection harder and increases success rates.Travelers are advised to independently verify any urgent payment or confirmation requests by contacting hotels directly through official channels.