Travelers are increasingly falling victim to a sophisticated online scam that exploits legitimate hotel booking workflows. Cybercriminals are hijacking reservation systems to send guests fake payment requests, often delivered through trusted communication channels. This emerging threat, dubbed the Reservation Hijack Scam, leverages accurate booking details to create convincing fraudulent messages, making it difficult for unsuspecting guests to distinguish real communications from scams.
The scam was detailed in a March 25, 2026 report by Gen Digital, where researchers Martin Chlumecký and Luis Corrons identified the widespread nature of this attack. The highest reported incidents are concentrated in the United Kingdom, France, Germany, the United States, Brazil, and Australia. The fraud primarily operates through two avenues: direct messages to guests mimicking hotel staff, and more insidious attacks that compromise hotel management software directly.
How Attackers Compromise Hotel Systems From the Inside
The most concerning aspect of the Reservation Hijack Scam is the attackers’ ability to infiltrate hotel systems. This often begins with phishing campaigns targeting hotel employees, designed to steal their login credentials for hospitality management platforms like Cloudbeds. Once these credentials are obtained, attackers gain access to a wealth of legitimate reservation data.
With access to internal systems, cybercriminals can view upcoming bookings, including guest names, contact information, dates of stay, and even existing payment details. In some observed cases, attackers employed a tactic termed a “Scam-Yourself Attack,” tricking hotel partners into executing a malicious command disguised as a security update. This command would install a remote access trojan, providing a persistent backdoor into the hotel’s network.
Once inside, the attackers can then leverage the hotel’s own communication tools to message guests. This allows them to send fraudulent payment requests that appear to originate from the hotel itself, using channels that guests have already associated with their authentic bookings. These communications can be highly convincing, often mimicking official hotel branding and providing specific deadlines for payment, typically 24 to 48 hours.
The fraudulent payment requests are often delivered via professionally styled PDF documents. To enhance credibility, these documents may be hosted on legitimate partner storage services that have been compromised. Ultimately, victims are often redirected to typo-squatted domains specifically designed to harvest sensitive financial information, including credit card numbers and bank transfer details. Examples of these deceptive domains include frontdesk-reservation[.]com, frontdesk-online[.]biz, and hotel.form842987[.]digital.
This sophisticated approach bypasses many standard security measures because the attack originates from within a trusted system. Guests are conditioned to expect communications from their hotel regarding their booking, and when these communications arrive through seemingly official channels and contain accurate details, they are more likely to be trusted.
For travelers, vigilance is paramount. If any communication from a hotel requests immediate payment verification or re-entry of payment details, regardless of the channel (WhatsApp, SMS, email, or booking platform message), guests should exercise extreme caution. It is advisable to avoid clicking on any links provided. Instead, guests should independently navigate to the hotel’s official website or the original booking platform they used to make their reservation.
Should a guest realize they have already provided payment information as part of a scam, immediate action is required. Contacting their bank without delay to cancel the compromised card and enabling transaction alerts are crucial steps. Staying vigilant for any subsequent fraudulent activity is also recommended.
Hospitality businesses are now urged to re-evaluate their security posture, treating guest communication tools as integral components of their overall security infrastructure. Implementing phishing-resistant authentication for all staff members, enforcing stricter access controls for sensitive reservation data, and deploying anomaly detection systems within messaging workflows are becoming essential. Additionally, having robust and rapid incident response plans in place is no longer optional. Smaller establishments in particular, which may operate with limited resources, should prioritize immediate implementation of multi-factor authentication to bolster defenses against credential theft and protect their guests from falling victim to the Reservation Hijack Scam.
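One way to approach anomaly detection in a messaging workflow is to hold any outbound guest message that combines a link outside the property's own domains with payment or deadline wording. The sketch below is an added example, not code from the Gen Digital report or from any hospitality platform; the allowlist, the function names and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains this property legitimately links to in guest messages.
ALLOWED_DOMAINS = {"examplehotel.test", "booking-platform.test"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
PAYMENT_RE = re.compile(r"\b(payment|card|bank transfer|verif\w+|billing)\b", re.I)
DEADLINE_RE = re.compile(r"\b(24|48)\s*(hours|hrs|h)\b|\bimmediately\b|\bcancel\w*", re.I)

def is_allowed(host):
    # Exact match or true subdomain only, so "examplehotel.test.evil.example"
    # and "notexamplehotel.test" are both rejected.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def review_message(text):
    """Return the list of reasons an outbound guest message looks anomalous."""
    hosts = {(urlsplit(u).hostname or "").lower().rstrip(".") for u in URL_RE.findall(text)}
    off_list = sorted(h for h in hosts if h and not is_allowed(h))
    reasons = []
    if off_list:
        reasons.append("off-allowlist link: " + ", ".join(off_list))
    if PAYMENT_RE.search(text):
        reasons.append("payment wording")
    if DEADLINE_RE.search(text):
        reasons.append("deadline pressure")
    return reasons

def should_hold(text):
    # Hold for staff review only when an unknown link is combined with
    # payment or deadline wording; either signal alone is too noisy.
    reasons = review_message(text)
    return len(reasons) >= 2 and reasons[0].startswith("off-allowlist")

# Constructed sample messages (not taken from any real incident).
SAMPLES = [
    "Your check-in guide is ready: https://examplehotel.test/checkin. See you soon!",
    "Your card could not be verified. Complete payment within 24 hours or the "
    "booking is cancelled: https://examplehotel.test.pay-verify.example/form",
    "Reminder: city tax is paid by card at the front desk on arrival.",
    "Our favourite restaurants nearby: https://cityguide.example/eat",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print("HOLD" if should_hold(msg) else "send", review_message(msg))
```

Because the check runs on outbound content rather than on who sent it, it still applies when the sender is a legitimate staff account whose credentials were stolen.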

