Compass

Your hotel booking confirmation could be a criminal impersonation

Reservation hijacking exploits real booking data stolen from small hotels to send fraudulent payment requests that look legitimate because they are based on genuine reservations.

Australia’s national broadcaster ABC has reported a rise in a scam called reservation hijacking, where criminals break into the systems of smaller hotels, steal real booking details, then pose as the hotel to demand fraudulent payments from guests. The platform itself is not breached. The weak point is the hotel partner, and the data already in its inbox is enough to make the con work.

Booking.com reported a 500% rise in travel-related cybercrime between 2019 and 2022. The fix sits with the platforms, not the traveller staring at a message that looks exactly like the hotel they booked.

Here is the part the booking confirmation skips. The platform you trusted is not the thing that gets hacked. The hotel is.

That gap is now the story. Travellers using Booking.com and similar sites are being defrauded through a method security researchers call reservation hijacking. Criminals do not break the platform. They break into a small hotel’s email or booking software, lift your real reservation details, then message you posing as the property you booked. The message has your name, your dates, your room. It asks you to pay again, or to confirm a card.

It works because nothing about it looks wrong. The data is genuine. The timing is right. You are mid-trip or about to travel, and the request arrives through a channel you have already used. The convenience that makes these sites useful is the same convenience that hands criminals a working script.

The weak link is the hotel, not the brand

Professor Daswin De Silva of La Trobe University studies how these attacks land. His point is simple. “Attackers are piggybacking on legitimate reservation data to convincingly impersonate hotels and extract payments,” he said. The booking record is the weapon. They do not need to forge anything when the real details are already in hand.

Australian security researcher Troy Hunt, who built the breach-tracking service Have I Been Pwned, frames the entry point bluntly. “The attackers don’t need to hack Booking.com if they can compromise the hotel’s inbox or channel manager instead,” he said. The central platform can be locked down tight. It does not matter if the small property feeding it data is not.

The data on the line is broad: full name, home address, phone, email, travel dates, payment references, sometimes passport numbers. That last detail matters more than it reads on a screen.

The legal picture is uneven. Under Australia’s Privacy Act 1988, firms turning over more than AUD 3 million must take “reasonable steps” to guard your data and report serious breaches. What counts as reasonable for a 12-room guesthouse is not spelled out. That ambiguity is where the fraud lives.

Cybercrime now follows the supply chain

This is not a travel problem. It is a supply-chain problem wearing a travel coat. Criminals stopped attacking the strong centre years ago and started probing the weak vendors bolted onto it. The diagram above shows the chain in seven steps, and step three — the hotel system — is the only one the platform does not fully control.

The data backs the scale. Booking.com reported that travel-related cybercrime jumped sharply across three years, a curve steep enough that its parent firm now pushes security training and multi-factor logins onto partner properties. Booking Holdings CEO Glenn Fogel put it plainly: “Criminals are going after the weakest link in the chain, often smaller properties with limited cyber defences.”

Regulators are circling the same question from two directions. The EU’s Digital Services Act now forces very large platforms to assess and manage risks created by their third-party business users. Australia leans on softer “reasonable steps” language instead.

So the message that looks exactly like your hotel is not a hotel failure or a platform failure alone. It is the predictable cost of a model that connects millions of bookings to thousands of properties whose security budgets never matched the brand on the booking page. The convenience was always real. So was the trade.

Beyond the headline

The bigger picture

Reservation hijacking is part of a wider shift where cybercrime copies the logic of global supply chains: criminals probe the weakest vendors attached to powerful platforms instead of attacking the platforms head-on. For travel, that means millions of bookings sit inside a mesh of small properties and software middlemen whose budgets lag far behind the brands customers know, turning convenience into an attack surface.

The power behind it

Control over how secure bookings really are does not sit with individual hotels or with travellers, but with the platforms that set the rules of joining. By deciding whether partner two-factor login is optional or required, what logging is demanded, and which outside tools may connect, the platforms set the security floor. Those calls are shaped as much by commercial pull and signup friction as by risk.

What isn’t being said

Most public talk frames this as a personal-vigilance issue — check the link, double-check the payment — while sidestepping who pays to harden thousands of small hotel systems. Missing is a frank talk about whether platforms should fund partner security upgrades, whether regulators will treat insecure hotels as a system-wide risk, and how much fraud is quietly priced into the business.

What to do before your next booking confirms

The fraud arrives looking legitimate, which means the defence has to happen before the message lands. Three groups face different decisions right now.

  • Frequent international travellers

    Turn on two-factor login on your Booking.com, Expedia or Airbnb account today, and delete stored card details you do not need. Bookmark your platform’s official fraud help page and check it before acting on any unexpected payment request. The genuine in-app inbox is your reference point, not your email.

  • First-time platform users

    Before you travel, read your country’s scam guidance — Australia’s Scamwatch portal or the US Federal Trade Commission travel advice. Pay through the platform, never by bank transfer to a new account, and verify any hotel contact number independently. Treat a request to move the conversation off-platform as a stop sign.

  • Small accommodation operators

    Check whether your channel manager software is PCI DSS compliant and patched, and whether staff log into the platform extranet using individual accounts with two-factor login. Your inbox is now the front door criminals try first. If you handle data for customers covered by Australia’s Notifiable Data Breaches scheme, a missed disclosure carries its own cost.

FAQ

How do I check whether a payment message from my hotel is real?

Log into the platform website or app directly and read the message history there. Genuine hotel communications appear consistently inside the in-platform inbox. If bank account numbers or amounts differ between an email and the app, treat that as a red flag and call the hotel on a publicly listed number before paying. Most platforms let you report suspicious messages straight through the app.
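The cross-check the answer describes can be written down, which helps when a request arrives mid-trip and attention is short. The following is an added illustration, not code from the article or from any booking platform: it takes the payment details extracted from an emailed request and the matching record from the in-platform inbox, normalises account numbers and amounts so cosmetic differences do not hide a real one, and returns the red flags the article lists (a differing account or amount, a differing payee, or an attempt to move payment off the platform). The field names, the off-platform phrases and all message contents are constructed for the example.

```python
"""
Added example (not part of the original article): a guest-side cross-check of an
emailed payment request against what the booking platform's own inbox shows.
Field names, phrase list and message contents are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PaymentRequest:
    """Payment details extracted from one message (illustrative fields)."""
    source: str          # assumed labels: "email" or "platform_inbox"
    amount: str          # as written, e.g. "AUD 1,250.00"
    account: str         # payee account / IBAN as written
    payee_name: str
    instructions: str    # free text of the request


# Constructed list of phrases that signal a request to leave the platform.
OFF_PLATFORM_PHRASES = ["bank transfer", "new account", "whatsapp", "reply to this email"]


def _normalise_account(value: str) -> str:
    # Drop spaces and punctuation so "123-456 98765432" matches "12345698765432".
    return re.sub(r"[^A-Za-z0-9]", "", value).upper()


def _normalise_amount(value: str) -> float:
    # Keep digits and the decimal point; strip currency code and separators.
    digits = re.sub(r"[^0-9.]", "", value)
    return round(float(digits), 2) if digits else 0.0


def red_flags(email: PaymentRequest, platform: Optional[PaymentRequest]) -> List[str]:
    """Compare an emailed request with the in-platform record and list the
    mismatches the article treats as red flags. An empty list means the two agree."""
    if platform is None:
        # Nothing in the app inbox matches the email: the strongest flag of all.
        return ["no matching request in platform inbox"]
    flags: List[str] = []
    if _normalise_account(email.account) != _normalise_account(platform.account):
        flags.append("account differs from in-platform record")
    if _normalise_amount(email.amount) != _normalise_amount(platform.amount):
        flags.append("amount differs from in-platform record")
    if email.payee_name.strip().casefold() != platform.payee_name.strip().casefold():
        flags.append("payee name differs from in-platform record")
    text = email.instructions.casefold()
    for phrase in OFF_PLATFORM_PHRASES:
        if phrase in text:
            flags.append(f"asks to move off-platform ({phrase})")
            break
    return flags


if __name__ == "__main__":
    # Constructed sample: the in-app record and two emails, one consistent, one not.
    app_record = PaymentRequest("platform_inbox", "AUD 1,250.00", "123-456 98765432",
                                "Harbour View Guesthouse", "Balance due at check-in via the app")
    consistent = PaymentRequest("email", "AUD1250", "12345698765432",
                                "harbour view guesthouse", "Balance due at check-in via the app")
    suspicious = PaymentRequest("email", "AUD 1,250.00", "999-111 22223333",
                                "Harbour View Guesthouse",
                                "Please confirm by bank transfer to our new account today")
    print(red_flags(consistent, app_record))   # []
    print(red_flags(suspicious, app_record))
```

Any non-empty result is the cue the answer gives: stop, log into the app, and call the hotel on a publicly listed number rather than one in the email.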

I already paid a fraudulent request. Can I get the money back?

Contact your bank immediately to request a recall or trace of the transfer. Speed decides the outcome — recovery odds are far higher within 24 to 48 hours. For card payments, ask your issuer to start a chargeback citing an unauthorised or misrepresented transaction. In Australia, also report the incident to Scamwatch and to the OAIC if your personal information was exposed.

What is a channel manager, and why does it matter to my booking?

A channel manager is software hotels use to sync availability and bookings between platforms and their own systems. It is a common entry point for attackers. Hotels should keep it PCI DSS compliant, require strong staff login, and log every reservation access. Before sharing extra personal data, you can ask whether the property uses reputable, certified software or ad-hoc tools.
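Logging every reservation access only pays off if someone reads the log, so here is an added example (not code from the article or from any channel manager product) of the kind of review pass a small operator could run over it. The log format, the field names, the roster of individual staff accounts and the thresholds are all assumptions made for the illustration, and the log lines are constructed: normal front-desk activity, followed by a shared login reading a run of reservations in under a minute and exporting the list, which is the pattern that precedes a hijacked-reservation campaign against guests. The review flags logins that are not individual staff accounts (the point made in the operator advice above), exports of the reservation list, and bulk reads inside a short window.

```python
"""
Added example (not part of the original article): a review pass over a channel
manager's reservation access log. Log format, staff roster and thresholds are
assumptions; the sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+)(?: id=(?P<rid>\S+))?$"
)

# Constructed sample log (assumed format: one event per line).
SAMPLE_LOG = """\
2024-03-02T08:01:10Z user=reception1 ip=198.51.100.4 action=login
2024-03-02T08:02:41Z user=reception1 ip=198.51.100.4 action=reservation.read id=R10021
2024-03-02T09:15:03Z user=reception1 ip=198.51.100.4 action=reservation.read id=R10022
2024-03-02T23:40:12Z user=frontdesk ip=203.0.113.7 action=login
2024-03-02T23:40:30Z user=frontdesk ip=203.0.113.7 action=reservation.read id=R10001
2024-03-02T23:40:33Z user=frontdesk ip=203.0.113.7 action=reservation.read id=R10002
2024-03-02T23:40:36Z user=frontdesk ip=203.0.113.7 action=reservation.read id=R10003
2024-03-02T23:40:39Z user=frontdesk ip=203.0.113.7 action=reservation.read id=R10004
2024-03-02T23:40:42Z user=frontdesk ip=203.0.113.7 action=reservation.read id=R10005
2024-03-02T23:40:45Z user=frontdesk ip=203.0.113.7 action=reservation.read id=R10006
2024-03-02T23:41:02Z user=frontdesk ip=203.0.113.7 action=reservation.export
"""

# Assumed roster: every staff member has their own login; anything else is a shared
# or unknown account and should not be reading guest data.
STAFF_ACCOUNTS = {"reception1", "reception2", "manager"}
READ_THRESHOLD = 5                # assumed: this many reads inside WINDOW is bulk access
WINDOW = timedelta(minutes=10)


def parse(log_text: str) -> List[dict]:
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def max_reads_in_window(stamps: List[datetime]) -> int:
    """Largest number of reads by one user that fall inside any WINDOW-long span."""
    stamps = sorted(stamps)
    best = 0
    for i, end in enumerate(stamps):
        count = sum(1 for s in stamps[: i + 1] if end - s <= WINDOW)
        best = max(best, count)
    return best


def review(log_text: str) -> List[str]:
    """Return human-readable findings for the three patterns described in the lead-in."""
    findings: List[str] = []
    flagged_unknown = set()
    reads: Dict[str, List[datetime]] = defaultdict(list)
    for e in parse(log_text):
        user = e["user"]
        if user not in STAFF_ACCOUNTS and user not in flagged_unknown:
            flagged_unknown.add(user)
            findings.append(f"{user}: not an individual staff account (shared or unknown login)")
        if e["action"] == "reservation.export":
            findings.append(f"{user}: exported reservation list from {e['ip']}")
        elif e["action"] == "reservation.read":
            reads[user].append(e["ts"])
    for user, stamps in reads.items():
        peak = max_reads_in_window(stamps)
        if peak >= READ_THRESHOLD:
            findings.append(f"{user}: {peak} reservation reads within {WINDOW} (bulk access)")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the constructed log the pass reports three findings, all against the shared `frontdesk` login; the individual `reception1` account, which reads two reservations an hour apart, produces none. A real deployment would feed the platform extranet and channel manager logs in the format they actually emit and tune the roster and thresholds to the property.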

Explainer

Reservation hijacking
A scam where criminals access a real hotel booking through a compromised partner system, then pose as the hotel to demand fraudulent payment from the guest. The attack works because the booking details used are genuine, making the message hard to doubt. Unlike older payment scams, it can also expose travel dates that signal exactly when a home will sit empty.
Digital Services Act
An EU law fully applicable to very large online platforms from February 17, 2024, requiring them to assess and manage systemic risks, including those from third-party business users. It extends platform responsibility beyond their own systems to the partners connected to them. For travel platforms, that potentially means accountability for how securely thousands of hotels handle guest data.
Notifiable Data Breaches scheme
An Australian rule in force since 2018 under the Privacy Act, requiring organisations to notify affected people and the OAIC when a breach is likely to cause serious harm. It applies to most major travel platforms and larger hotel chains. The scheme sets a disclosure duty but stops short of prescribing the technical security steps smaller partners must take.
PCI DSS
The Payment Card Industry Data Security Standard, a set of rules governing how organisations store and process card data. Hotels and booking-sync software that handle payments are expected to comply. In reservation hijacking cases, weak adherence among small properties is one reason card details and reservation records leak in the first place.