That Email From Your Hotel Is Probably Not From Your Hotel
Two major hotel data breaches in early 2026 gave scammers something more dangerous than card numbers: your actual booking details. They are using them right now to send phishing messages that look indistinguishable from real hotel correspondence. Here is how it works and what to do before you travel.

The Email Looks Completely Legitimate
It has your name, the right hotel, and the correct check-in and check-out dates. It has a confirmation number that matches the one in your inbox. It appears to come from guest services, and it asks you to re-verify your payment details because of a processing issue.
You are travelling in three weeks and you want to avoid any problems with your room, so of course you click.
There is no processing issue, and the original booking is fine. The email is from a criminal who bought your reservation data after it was stolen from a hotel system. They have everything they need to make that message look real, because it is real data.
This is what's known as reservation hijacking. It is new, it is spreading fast, and two of the largest hotel and booking platforms in the world just handed scammers the raw material to run it at scale.
Two Breaches in One Quarter
In the first four months of 2026, the travel industry had two significant data breaches that together exposed guest reservation data from hotels across the world.
Booking.com, April 2026. On April 13, Booking.com began notifying customers that unauthorised third parties had accessed guest reservation data. The stolen records included booking details, names, email addresses, physical addresses, and phone numbers. The access was not the result of a direct attack on Booking.com's core systems. The criminal group responsible, tracked by Microsoft as Storm-1865, used a technique called ClickFix, which tricks hotel staff into installing malware through fake CAPTCHA pages. The malware then harvested credentials and gave attackers access to the reservation data of guests across the platform.
The most alarming detail: Reddit users were already receiving targeted phishing messages containing their real booking details at least two weeks before Booking.com sent its notification. The data was in criminal hands and being actively used before most guests had any idea.
BWH Hotels, October 2025 to April 2026. BWH Hotels, the parent company of Best Western, WorldHotels, and SureStay Hotels, disclosed that an unauthorised party had access to its reservation system for six months before being discovered. The breach ran from October 14, 2025 to April 22, 2026. The data exposed included names, email addresses, phone numbers, home addresses, reservation numbers, dates of stay, and any special requests guests had logged. Payment card data was not stored in the affected system and was not compromised directly. However, that detail matters less than it sounds: scammers do not need your card number from the breach. They will get it from you by using everything else.
Between these two incidents, guest data from more than 350 hotels across multiple countries has been implicated in targeted phishing campaigns.
How the Scam Works
The reservation hijack works because it inverts the normal logic of phishing. Most phishing messages are generic: they blast millions of people with a fake bank alert and hope a fraction of recipients actually bank there. Reservation hijacking is precise. The scammer already knows your name, your hotel, your check-in date, and your confirmation number. They are not guessing. They are impersonating.
The attack follows a consistent structure.
Contact arrives by email, WhatsApp, or SMS. The message references your real booking details, which is exactly what a legitimate hotel communication would do. The sender name, and sometimes the sender address, is spoofed to match the hotel brand or the booking platform.
The problem is something plausible but minor. A card verification failure. A payment that did not process correctly. A new mandatory deposit for the booking period. An upgrade opportunity that requires re-confirming your billing details. The urgency is real enough to act on, but not so extreme that it triggers alarm.
The link goes to a page that is a near-identical clone of the hotel's payment portal or the booking platform's login page. The URL is close but not quite right. The page is professionally designed and may even include the correct reservation details pre-filled.
The harvest. You enter your card number, expiry, and CVV to "verify" your details. Those details are captured immediately. Within hours they are charged, sold, or both.
How It Happens: The Full Chain
┌─────────────────────────────────────────────────────────┐
│  HOTEL SYSTEM OR BOOKING PLATFORM                       │
│  (Booking.com, BWH Hotels, hotel partners)              │
└───────────────────────┬─────────────────────────────────┘
                        │
            Phishing / malware attack
             on hotel/platform staff
                        │
                        ▼
┌─────────────────────────────────────────────────────────┐
│  DATA BREACH                                            │
│  Name · Email · Phone · Address · Hotel name            │
│  Check-in date · Check-out date · Confirmation no.      │
│  Special requests                                       │
└───────────────────────┬─────────────────────────────────┘
                        │
          Stolen data sold on dark web
          or used directly by attacker
                        │
                        ▼
┌─────────────────────────────────────────────────────────┐
│  SCAMMER TARGETS GUEST                                  │
│  Email / WhatsApp / SMS referencing REAL booking data   │
│  Impersonates hotel guest services or platform          │
└───────────────────────┬─────────────────────────────────┘
                        │
                Creates urgency:
               "Payment failed" /
        "Card re-verification required" /
            "Secure your booking now"
                        │
                        ▼
┌─────────────────────────────────────────────────────────┐
│  FAKE PAYMENT PORTAL                                    │
│  Cloned hotel or booking platform page                  │
│  Real booking details pre-filled for credibility        │
│  Collects card number, expiry, CVV                      │
└───────────────────────┬─────────────────────────────────┘
                        │
                        ▼
┌─────────────────────────────────────────────────────────┐
│  CARD DETAILS STOLEN                                    │
│  Fraudulent charges applied immediately                 │
│  Details sold on criminal marketplaces                  │
│  Original booking may be cancelled as follow-on attack  │
└─────────────────────────────────────────────────────────┘
Why This Works Better Than Normal Phishing
Standard phishing messages are easy to dismiss once you know what to look for. They are generic, they do not know your name, and the urgency feels manufactured.
Reservation hijacking removes all of that friction. When a message opens with your correct name, your hotel, your dates, and your confirmation number, every instinct you have says this is legitimate. That is not naivety. That is entirely reasonable inference, based on how hotel communications actually work.
This is what makes the Booking.com and BWH breaches more dangerous than a typical credential leak. Scammers did not get your password. They got your context. They got the specific details that make an impersonation convincing enough to act on.
The timing compounds the problem. Most people receive this kind of message in the days or weeks before travel, when they are already thinking about the booking, already monitoring for hotel communications, and already in a mindset where a message from guest services feels routine.
The Red Flags
The scam is sophisticated, but it is not invisible. There are signals, and they are checkable in seconds.
The sender domain does not match the real platform. Booking.com sends from @booking.com. Best Western sends from @bestwestern.com. Scammers cannot use those domains, so they register lookalikes: booking-guestservices.com, bestwestern-reservations.net, hotelgroup-verify.com. The display name in your email client may say "Booking.com Guest Services." The actual address will not.
The link goes somewhere other than the official domain. Hover over any link before clicking, or copy it and inspect it manually. A link to secure-booking-confirmation.com/payment is not Booking.com, regardless of what the button text says.
Payment verification is not how hotels work. Hotels do not ask you to re-enter full card details by email. If there is a genuine payment issue, the hotel calls you directly or the platform handles it through your existing account. Any email or message asking you to click a link and re-enter billing information is suspect by default.
The urgency is disproportionate. A legitimate payment issue ahead of travel would result in a notification, not a countdown. Scam messages frequently include phrases like "failure to respond within 24 hours will result in cancellation." Real hotels do not operate this way.
The message arrived before the official breach notification. If you received a hotel-related payment request before Booking.com's April 2026 notification, or before BWH's May 2026 disclosure, the timing alone is a red flag.
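The sender-domain, link-destination, and urgency checks above can be automated for a mailbox or a reporting inbox. The following is an added example, not part of the original article: the allowlist holds only the two official domains the article names, the sample message is constructed from the lookalike domains listed above, and a plain-text (non-multipart) body is assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: allowlist built from the two official domains the article names.
OFFICIAL_DOMAINS = {"booking.com", "bestwestern.com"}
# Deadline wording of the kind the article quotes from scam messages.
URGENCY = re.compile(r"within \d+ hours|will result in cancellation", re.I)

def is_official(host):
    """True only for an official domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def red_flags(raw_email):
    """Return the red flags found in one raw RFC 5322 message (plain-text body)."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    flags = []
    # Check the actual address, not the display name.
    sender_domain = addr.rpartition("@")[2]
    if not is_official(sender_domain):
        flags.append(f"sender {sender_domain!r} behind display name {display!r}")
    # Check where each link really goes.
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname
        if not is_official(host):
            flags.append(f"link to {host!r}")
    if URGENCY.search(body):
        flags.append("cancellation deadline")
    return flags

# Constructed sample using the lookalike domains the article lists.
SAMPLE = '''From: "Booking.com Guest Services" <help@booking-guestservices.com>
To: guest@example.com
Subject: Payment verification required

Your card could not be verified. Failure to respond within 24 hours
will result in cancellation. Re-verify your details here:
https://secure-booking-confirmation.com/payment
'''

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

A clean result is not proof of authenticity: the From address itself can be spoofed, so a message that passes the sender check should still be verified through the platform account.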
How to Avoid Being a Victim
These steps apply whether you are travelling soon or just booking ahead.
Verify directly through the official platform. If you receive any message about a payment issue with a hotel booking, do not use any link or contact details in that message. Go directly to Booking.com, Expedia, or the hotel's official website, log in to your account, and check whether any issue is flagged there. If the platform shows nothing, the message is fraud.
Check the sender address before doing anything else. Not the display name. The actual address. In most email clients, you can tap or hover the sender name to see the full address. If it does not match the official domain exactly, treat it as fraudulent.
Do not complete payment flows triggered by inbound messages. Card re-verification is not a standard part of hotel check-in. Any message that asks you to click a link and re-enter payment details should be treated as a scam until proven otherwise.
Run suspicious domains through a risk checker. If you have clicked a link and landed on a page you are not sure about, copy the domain from the address bar and run it through RiskScope before entering any information. Fake hotel payment portals are almost always recently registered domains with no business history, no verifiable web presence, and no match to the brand they are impersonating. Those signals are detectable in under a minute.
Enable two-factor authentication on your booking accounts. On both Booking.com and hotel loyalty accounts. This does not stop the phishing, but it significantly limits what a scammer can do with any credentials they obtain.
Be especially cautious in the two weeks before check-in. That is the window when a message from your hotel feels most plausible and when you are most likely to act fast without questioning it.
What to Do If You Already Responded
If you entered card details on a site you now suspect was fraudulent, time matters.
Call your bank or card provider immediately. Ask them to block the card and issue a replacement. Report the transaction as fraud. Most banks can do this 24 hours a day. The faster you report, the higher the chance of blocking charges before they process or disputing them before they settle.
Check for any other charges. Stolen card details are often sold or shared across multiple criminal networks. Review your full transaction history for anything you do not recognise, not just the most recent charges.
Change passwords on any accounts associated with the booking. Particularly your Booking.com account, hotel loyalty accounts, and any email addresses connected to those accounts.
Report it. This matters beyond your own case. Reports allow platforms to identify compromised data faster and help law enforcement track the scale of the operation.
Report to the relevant authority for your region:
- USA: FTC at ReportFraud.ftc.gov and FBI at ic3.gov
- UK: Action Fraud
- EU: your national cybercrime unit. In Germany, the Bundeskriminalamt (BKA). In France, Cybermalveillance.gouv.fr
- UAE: eCrime, the UAE Cybercrime Combating Centre
- Saudi Arabia: Saudi CERT
- South Africa: SABRIC (South African Banking Risk Information Centre) and the SAPS Commercial Crime Unit
- Australia: Scamwatch and ReportCyber
- New Zealand: CERT NZ
The Bigger Problem
The Booking.com and BWH breaches are not isolated incidents. They are part of a broader pattern in which hospitality platforms and their third-party partners have become a high-value target precisely because travel booking data is so useful for social engineering.
The breaches themselves do not directly expose your card number. What they expose is the credibility layer that makes a phishing message believable. Scammers have long had the technical tools to clone a hotel's payment page. What they were missing was the contextual detail that makes a message worth opening and a request worth acting on. Reservation data solves that problem for them.
This is the trajectory of modern phishing: not brute force against millions of random inboxes, but precision targeting using stolen context. The Booking.com attack was described by researchers as part of a sustained campaign that has already affected properties across North America, Europe, the Middle East, and Asia Pacific.
If you have a hotel booking made through any major platform in the first half of 2026, treat any inbound payment request as suspect by default. Verify through the platform directly. Do not use any link or contact detail in the message itself. That one habit stops the vast majority of these attacks before they land.
If a hotel message directed you to a payment portal you are unsure about, run the domain through RiskScope before entering any details. Fake booking portals are consistently flagged for recently registered domains, no verifiable business history, and phishing database matches. Free to check, takes thirty seconds.
Sources: Malwarebytes: Booking.com Breach Gives Scammers What They Need to Target Guests (April 2026), Tuta: Booking.com Data Breach 2026 (April 2026), Computing: Stolen Booking.com Data Already Used in Reservation Hijacking Scams, SecurityWeek: BWH Hotels Says Hackers Had Access to Reservation Data for 6 Months, TechRadar: Best Western Hotels Warns Customers Reservation Data May Have Been Spilled in Breach, SecurityAffairs: Hackers Accessed BWH Hotels Reservation System for Months, Norton: Reservation Hijacking Scam, National Law Review: Stolen Hotel Reservation Data Used in Targeted Phishing Scams, ScamAdviser: Booking.com Data Breach and How Reservation Hijacking Works