What Is a Reservation Hijack Scam?

A reservation hijack scam is a type of cyber fraud where criminals exploit travel booking information—often obtained through data breaches or phishing—to manipulate or take control of a person’s hotel, flight, or vacation reservation. The goal is usually to trick the victim into sending money, sharing sensitive information, or unknowingly handing over access to their booking.

This scam has gained attention in connection with incidents involving platforms like Booking.com, where attackers may use leaked or stolen customer data to make their approach appear legitimate. By referencing real booking details, scammers can convincingly pose as hotel staff, travel agents, or even official customer support.

The process typically begins when a scammer contacts the victim via email, SMS, or messaging apps such as WhatsApp or Telegram. The message often appears urgent or important. For example, the attacker might claim there’s an issue with the reservation—such as a payment failure, overbooking, or verification requirement—and instruct the user to take immediate action. This could include clicking on a link, confirming personal details, or making a payment to “secure” the booking.

What makes reservation hijack scams particularly effective is the level of personalization. Instead of generic spam, these messages may include accurate details like the traveler’s name, destination, hotel name, or booking dates. This information builds trust and reduces suspicion, increasing the likelihood that the victim will comply.

In some cases, the scammer directs the victim to a fake website that closely resembles the official booking platform. Once there, the victim may be asked to log in, enter payment details, or update account credentials. These fake sites are designed to capture sensitive data, which can then be used for further fraud or identity theft.

Another variation involves direct payment scams. The attacker may offer a discount, claim a technical issue requires re-payment, or suggest an alternative payment method. Victims are often asked to transfer money via bank transfer, digital wallets, or other non-reversible methods. Once the payment is made, the scammer disappears, and the original booking may remain unchanged—or worse, be canceled without the victim’s knowledge.

Cybersecurity experts, including firms like Norton, warn that these scams are likely to increase following major data breaches, as attackers gain access to more user information. The combination of urgency, realism, and familiarity makes reservation hijacking a powerful social engineering tactic.

To protect against such scams, users should be cautious with unsolicited messages, especially those requesting sensitive information or immediate action. It’s safer to verify any communication directly through the official website or app rather than clicking on links in messages. Legitimate companies will not ask for passwords or full payment details through informal channels.
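The link check recommended above, combined with the urgency and payment cues described earlier, as an added example that is not part of the original article. The official-domain list, the cue phrases and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the traveler knows to be official for their booking.
OFFICIAL_DOMAINS = {"booking.com"}
# Assumption: cue phrases drawn from the pretexts the article describes.
URGENCY = ("immediately", "within 24 hours", "will be cancelled", "urgent")
PAYMENT = ("bank transfer", "re-enter your card", "payment failed", "verify your card")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def host_is_official(host: str) -> bool:
    """True only for an official domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage(message: str) -> dict:
    """Return the red flags found in a message about a reservation."""
    text = message.lower()
    bad_links = []
    for url in URL_RE.findall(message):
        # urlsplit drops any "user@" prefix, so the real host is compared.
        host = urlsplit(url).hostname or ""
        if not host_is_official(host):
            bad_links.append(host)
    return {
        "unofficial_links": bad_links,
        "urgency": [w for w in URGENCY if w in text],
        "payment_request": [w for w in PAYMENT if w in text],
    }


# Constructed sample message (not a real scam sample).
SAMPLE = (
    "Dear guest, your payment failed for Hotel Example, 12-14 May. "
    "Confirm immediately at https://booking.com.confirm-stay.example/pay "
    "or your room will be cancelled. Manage at https://secure.booking.com/mytrips"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A host such as `booking.com.confirm-stay.example` starts with the brand name but is not a subdomain of it, which is why the check compares the end of the hostname rather than searching for the brand anywhere in the link.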

In essence, a reservation hijack scam is not just about stealing money; it's about exploiting trust. Staying alert, verifying sources, and avoiding impulsive responses are key to avoiding such schemes.


Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security
