Hackers Hijack Hotel Booking to Scam Guests with Workflows Fake

Travelers worldwide are falling victim to a sophisticated fraud scheme that weaponizes their own hotel reservations. Cybercriminals are hijacking trusted hotel booking workflows, leveraging legitimate communication channels to deliver highly convincing fake payment requests to guests. This tactic often catches victims unaware, as detailed in recent research on this fraud scheme.

The fraud starts with something as simple as a WhatsApp message. It appears to come from a hotel’s Guest Relations team, references the guest’s real booking details, and asks them to verify payment before arrival.

Since the message includes accurate trip information — the property name, stay dates, and sometimes even the exact amount due — it feels like a routine pre-trip notice rather than an attack.

That sense of familiarity is precisely what makes it work. Attackers do not need polished writing or complex tools. They just need enough real context to make the fraud feel like normal customer service.

Analysts and researchers at Gen Digital identified and documented this threat in a detailed investigation published March 25, 2026.

Researchers Martin Chlumecký and Luis Corrons named it the Reservation Hijack Scam, pointing out that it is not simply a phishing message with a travel theme but a full-scale workflow attack built on stolen context and relayed trust.

The highest volume of observed activity was concentrated across the United Kingdom, France, Germany, the United States, Brazil, and Australia.

The scam operates through two main fronts. The first involves booking-platform lures, where victims receive messages through WhatsApp, SMS, email, or Booking.com messaging that appear to come from hotel staff but push them toward fake payment portals.

The second is more dangerous: attackers directly compromise hotel-side software platforms such as Cloudbeds — a widely used hospitality management system — by phishing hotel employees to steal their login credentials.

Once inside, they access real reservation data and use legitimate hotel communication tools to message guests, making the fraud nearly impossible to separate from a genuine hotel interaction.

How Attackers Compromise Hotel Systems From the Inside

The hotel software compromise path is where this scam truly escalates. After stealing staff credentials through fake login pages, attackers log into real hotel management environments and gain full visibility into future reservations — including guest names, contact details, stay windows, and payment context.

In some cases, they deployed what researchers called a Scam-Yourself Attack Tactic, tricking hotel partners into running a malicious command disguised as a mandatory security update.

That command installed a remote access trojan, giving the attacker a persistent foothold inside the system.

With that access established, the attacker could then send fraudulent payment requests directly through legitimate hotel or booking-linked accounts — channels the guest already associated with their real reservation.

Victims in documented cases received professionally styled PDF documents impersonating hotel groups, complete with payment deadlines of 24 to 48 hours.

Some of those PDFs were hosted on legitimate partner storage that had already been hijacked, adding yet another layer of false credibility before redirecting victims to typo-squatted domains — such as frontdesk-reservation[.]com, frontdesk-online[.]biz, and hotel.form842987[.]digital — built to harvest card numbers and bank transfer details.

If any message claiming to be from a hotel asks you to verify or re-enter payment details — whether through WhatsApp, SMS, email, or inside an existing booking thread — do not tap the link.

Go directly to the hotel’s official website or the original booking platform on your own. If you have already entered payment information, contact your bank immediately, cancel the card, turn on transaction alerts, and stay alert for follow-on fraud attempts in the days ahead.

Hospitality businesses must now treat their guest communication tools as part of their core security infrastructure.

Phishing-resistant authentication for all staff, tighter access controls around reservation data exports, anomaly detection within messaging workflows, and faster incident response plans are no longer optional extras.

Smaller properties, which often rely on lean teams and fast communication tools, are particularly at risk and should implement multi-factor authentication immediately to block credential theft before it reaches their guests.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.