Reservation Hijack scams: The travel scam that looks like your real hotel booking

You’re so excited for your trip. You book a hotel. Everything looks normal.

Then a message comes in that seems routine, like a standard follow-up message from guest services. It references your trip, including the hotel name, your travel dates, and payment details.

It seems legit, but it’s not.

This is part of a growing scam trend that threat researchers at Gen (the company behind Norton) call the Reservation Hijack scam. It’s so effective because it leverages confidential details that only you and the hotel you booked with should know.

In April 2026, Booking.com, a major online travel booking platform, warned that unauthorized parties had accessed some customers’ booking information, including names, contact details, and reservation data, according to reporting on the breach by The Guardian. The number of customers affected was not disclosed.

What is a Reservation Hijack scam?

A Reservation Hijack scam is a type of targeted phishing scam that uses real hotel reservation booking details to make messages feel legitimate, tricking travelers into sharing payment details or sensitive information.

In advanced cases, scammers gain access to hotel systems or booking platforms like Booking.com, allowing them to contact guests through channels that are normally considered trustworthy and secure. That means scam messages might not only look real, but also be delivered through an authentic platform, making them significantly harder to detect.

That’s what makes the scam so effective — it doesn’t rely on you trusting a strange-looking message from an unverifiable source.

What Norton researchers uncovered

Norton researchers have observed an increase in the number of scams that exploit real booking data and trusted travel platforms. In fact, in just a few months, they identified 350 compromised accommodations across 50 countries — spanning hotels, apartments, hostels, resorts, guesthouses, villas, and other accommodation types.

Key findings include:

• Scammers are increasingly targeting travelers they know have active reservations, not random users.
• Messages are delivered through trusted channels, including booking platforms and official-looking emails.
• Attacks frequently involve urgent payment requests tied to legitimate bookings.
• The use of real reservation details makes these scams significantly more effective than traditional phishing scams.

The emergence of Reservation Hijack scams reflects a broader trend: scammers are moving away from generic messages toward highly contextual, personalized attacks.

How far the Reservation Hijack scam has spread

Together, the 350 compromised properties that were identified have a maximum guest capacity of around 82,000 people at any one time. Applying a conservative 50% occupancy rate and an average stay of 2.5 nights, that translates to an estimated six million guest stays per year where reservation data could potentially be exposed to scammers.

Reservation Hijack scams are concentrated in Europe, but the problem is global. Germany had the highest number of compromised accommodations, followed by France, the UK, Italy, and Spain. Together, the top five European countries accounted for around 45% of all compromised accommodations identified. The top five most affected cities were Paris, London, Berlin, Lisbon, and Amsterdam.

How scammers get access to your reservation details

One of the most unsettling parts of this scam is how much attackers seem to know. They get the information they need to target you by first targeting hotel or booking platform staff, in some cases gaining access to your reservation details by:

• Compromising hotel or partner accounts after targeting hotel staff with phishing attacks or exploiting weak passwords.
• Exploiting third-party vendors connected to booking systems.
• Accessing platform messaging tools to impersonate legitimate properties.

The pretexts used to trick hotel staff may look completely normal: like fake guest-complaint notices, reservation-verification requests, and invoice or payment emails designed to get staff to open attachments or enter their credentials.

What’s going on behind the scenes

Norton researchers found that some of the fraudulent webpages victims are sent to in Reservation Hijack scams share the same underlying templates. They had the same internal file paths, the same card-validation language, and the same page structures, with hotel names, stay dates, and prices inserted dynamically for each victim.

That points to a kit-based operation, with scammers generating property-specific phishing pages at scale rather than building each one manually. And some of the infrastructure involved in the pages comes from legitimate internet services, which removes many of the usual red flags a careful traveler might look for when scanning for signs of a scam, like slow loading pages or no support options.

How the scam unfolds

A Reservation Hijack scam often starts with a message related to a travel booking you recently made. It could arrive via email, SMS, WhatsApp, or even through a booking platform’s proprietary messaging system. The opening message typically references real booking details, meaning it doesn’t immediately raise suspicion.

The message may set up a pretext that requires your attention, like an issue with your payment or a request to verify your reservation. There’s often a sense of urgency, suggesting that your booking could be canceled if you don’t act quickly.

From there, you’re directed to a payment page that appears legitimate but is actually designed to capture your financial or personal information. To ease any hesitation, the page may reassure you that any funds will be reserved and refunded within 10 minutes, making the request feel like a standard verification step.

Some fraudulent pages also include a fake live support chat that appears to be part of the booking process. In those cases, the attacker may be ready and waiting to respond to your questions, explain away a failed payment “validation,” and push you to try again, keeping the interaction alive long enough to capture what they need.

Why this scam is so convincing

What sets this scam apart is how personal it feels. Instead of guessing, attackers may already know where you’re traveling, which hotel you booked, and how long you’re staying.

That context creates a powerful sense of trust. The message doesn’t feel random or out of place. It feels like part of your typical travel experience.

And that’s exactly the point. Scammers are no longer just trying to trick you with poorly written emails. They’re using real information and real moments in your life to make their requests feel completely reasonable.

What scammers can do with your information

Falling for a Reservation Hijack scam can lead to more than just a single fraudulent charge.

Depending on what information is shared, scammers may make unauthorized purchases using your payment details, steal personal information for identity theft, attempt additional scams using your data, or disrupt your travel plans if your booking is affected.

The impact can extend beyond your trip, especially if sensitive information is compromised.

How to avoid a Reservation Hijack scam

The most important principle to remember is to trust your original booking, not any messages you receive afterwards. If you’re ever asked to take action on your reservation, slow down and verify the message is authentic independently. A few simple steps can help protect you from material loss:

• Don’t click payment links in messages: Pause and verify the legitimacy of the message, even if it looks like it’s from your hotel or booking platform.
• Go directly to the source: Log into your booking site or contact the hotel using official contact channels. If the suspicious message is coming from within the platform, try reaching out to the hotel or booking platform by phone, using contact details from the original booking confirmation.
• Be cautious of urgency: Don’t feel pressured to act quickly. Urgent language in a message is often a red flag that it’s part of a scam.

Likewise, keep in mind that Booking.com has stated it will not ask guests to share credit card details by email, phone, WhatsApp, or text. If a message requests any of that sensitive information, it’s a scam, regardless of how legitimate it looks.

What to do if you think you’ve been targeted

If you believe you may have interacted with a scam message, act quickly. Taking fast action can help limit potential damage.

1. Contact your bank or credit card provider immediately.
2. Monitor your accounts for unauthorized activity.
3. Change the passwords on your booking and email accounts.
4. Report the incident to the booking platform and relevant authorities.

Why are these scams increasing?

Scams like this Reservation Hijack scheme are part of a trend where attackers adopt more advanced, targeted tactics. Instead of relying on generic phishing scams, they try to leverage personal details, trusted platforms, and tailored messaging to disguise their communications as routine notifications that are part of everyday life.

At the same time, consistently high levels of travel bookings create more opportunities for scammers to exploit active reservations and reach travelers at the exact moment they’re expecting communication.

The result is a new kind of scam that doesn’t look suspicious at all.

Today, staying safe online isn’t just about spotting big red flags: scams are getting too convincing to rely on intuition alone. Instead, it’s about making sure you have strong Cyber Safety protections in place, adding an extra layer of security even when your guard is down.

AI-powered software like Norton 360 Deluxe  can help keep you a step ahead of scammers by blocking sketchy sites, catching potential phishing attacks, and keeping your personal information locked down so you can travel (and book) with more confidence.

Steps accommodations can take

Reservation Hijack scams frequently start by targeting the hotel or other vacation property, not the traveler. Here's what accommodation providers can do to reduce the risk.

• Enable multi-factor authentication: Use MFA on all accounts that can access guest data, including booking platform partner accounts and property management systems.
• Train staff to recognize lures: Fake guest complaints, urgent reservation-verification requests, and invoice or payment emails are common entry points designed to steal credentials or install malware.
• Control access to guest data tightly: Limit who can view reservation details, and monitor for unusual logins or messaging patterns that could signal a compromised account.
• Have a clear response plan: If an account may have been compromised, guests need to be warned quickly. The longer the delay, the more victims a single breach can impact.
• Get device-level protection: Keep cybersecurity software up to date on any devices used to handle bookings, guest messages, or payment emails, as some scams are designed to install malware through ordinary-looking attachments. Small or family-run accommodations may want to consider Cyber Safety software for small businesses.