Millions of summer travelers are being warned to think twice before clicking links in hotel emails or text messages after security researchers uncovered a sprawling global scam that uses real reservation information to trick consumers into surrendering credit card data.

According to a new investigation reported by Wired, cybercriminals obtained booking details tied to hundreds of hotels and vacation properties worldwide, then used the information to create highly personalized “reservation hijacking” scams.

The attacks are unusually convincing because the scammers often know a traveler’s actual hotel name, reservation dates and payment details. Researchers at Norton, owned by cybersecurity company Gen, said the criminals are sending messages that appear to come directly from hotels or major booking services such as Booking.com.

“This is really targeted,” Norton researcher Luis Corrons told Wired.

In many cases, victims receive urgent warnings claiming there is a payment issue or that a reservation may be canceled unless they immediately “verify” a credit card. Clicking the link takes consumers to fake payment pages designed to steal financial information.

Researchers estimate the affected hotels collectively serve as many as 80,000 guests at peak occupancy. Most of the compromised properties were reportedly small and medium-sized hotels, guesthouses and vacation rentals rather than major chains. Germany, France, the United Kingdom, Italy, Spain and the United States appeared among the most heavily affected countries.

Weak security practices

The scam appears to exploit weak security practices among hotels and third-party booking systems. Norton researchers said many hotel employees were themselves targeted through phishing emails designed to steal login credentials.

Booking.com denied suffering a direct breach, saying attackers instead targeted hotel partners through credential theft campaigns. Cloudbeds, a hotel-management software provider referenced in the investigation, also said its systems were not breached directly.

Still, cybersecurity experts say the fraud campaign demonstrates how vulnerable the travel ecosystem has become as hotels, booking platforms, payment processors and messaging systems increasingly share customer data across interconnected systems.

The FBI reported Americans lost more than $200 million to phishing scams last year, and travel scams are becoming more sophisticated as criminals adopt AI-generated messaging and automated phishing kits.

Consumer complaints about fake hotel confirmations and fraudulent Booking.com messages have circulated online for years. In one widely shared Reddit post, a traveler described receiving what appeared to be a legitimate in-app message demanding payment verification, only to discover criminals attempted to use the stolen card information within minutes.

Federal regulators have repeatedly warned travelers to avoid clicking links in unsolicited travel messages and to verify reservations directly with hotels or booking platforms. The Federal Trade Commission advises consumers to avoid wire transfers, cryptocurrency or gift-card payments for travel services and to be skeptical of urgent demands for immediate action.

Researchers say travelers should treat any unexpected request for payment verification, account confirmation or reservation updates as suspicious — even when the message contains accurate booking details.