The name of the hotel, the dates of your stay and a telephone number are enough to turn a simple, seemingly innocuous message or call into a carefully built trap. This is the principle behind reservation hijacking (also called “booking hijacking”), a fraudulent technique in which criminals exploit real information linked to online travel bookings to convince their victims to make payments to fraudulent accounts or to give up sensitive data. The phenomenon returned to the spotlight after the BBC reported the details of a breach involving Booking.com (also confirmed by the platform), which allowed cybercriminals to access sensitive data such as name, email address and telephone number. Let’s try to understand how the scam works and how to defend yourself.
How reservation hijacking works
The strength of this scam lies not so much in its technical sophistication as in the psychological manipulation it makes possible. Receiving a phone call from someone who knows the name of the property we will be staying at, the check-in time or even our reservation number naturally makes us more inclined to trust the caller. Cybercriminals exploit this mechanism to simulate seemingly authentic customer support communications. They almost always do this to trick the potential victim into making an urgent transfer, re-entering their card details or completing a “necessary” payment to confirm the booking.
Let’s be clear: reservation hijacking is not new. It’s a technique that’s been around for a long time. However, the availability of data obtained through data breaches (intrusions in which information is leaked, such as the recent Booking.com case mentioned above) makes these attempts increasingly effective. In the past, scammers mainly tried to compromise the accounts of accommodation facilities to send fraudulent messages to customers directly from the booking platforms. Today they can also contact victims directly, using information already stolen elsewhere.
According to the BBC, some users began receiving suspicious communications shortly after news of the attack broke. Booking.com said it has updated booking PIN codes and notified potentially affected users via email, inviting them to be alert to possible phishing attempts.
The fraud follows a recurring pattern. You receive a text, email, or phone call from someone claiming to work for the hotel, airline, or rental car service related to your trip. The communication almost always focuses on an urgent problem to be resolved: an unsuccessful payment, a card check to be carried out or the need to reconfirm the booking to avoid cancellation. The element of haste is central: it reduces the probability that the user will calmly check the information, and it plays on the user's wish to avoid problems during the journey.
To make the scam more realistic, criminals gather details from multiple sources. In addition to data obtained through breaches, compromised emails and content published on social media come into play. If the user has left “crumbs” about upcoming holidays on Instagram, Facebook and TikTok, cybercriminals can collect them to make the scam attempt more effective.
How to defend yourself and avoid scams
But if reservation hijacking is so insidious, can we really do anything to defend ourselves? Yes. Cyber security experts indicate that the most effective countermeasure remains independent verification. If someone contacts us on behalf of an accommodation facility requesting payment, the first thing to do is hang up or break off the conversation and contact the hotel directly through the official channels indicated on its official website or in the booking confirmation. This simple step is often enough to unmask the fraud attempt.
The payment methods requested are another sign not to be overlooked. Booking.com has made it clear to the BBC that it will never ask customers to provide card details via telephone, email, SMS or messaging apps (such as WhatsApp), nor to make transfers other than those specified in the official booking conditions. In general, any request that moves the conversation outside of official channels should be viewed with suspicion.








