Norton uncovers spear-phishing campaign exploiting stolen hotel reservation data
Cybercriminals are leveraging stolen guest names, dates, and prices to launch highly personalised phishing attacks via SMS, WhatsApp, and email, with small- to medium-sized hotels in Europe and the US most affected.
Security researchers from Norton have identified a sophisticated spear-phishing campaign that exploits legitimate reservation data from more than 350 hotels, vacation rentals, and guesthouses across 50 countries. The attacks utilise stolen booking details—including guest names, check-in and check-out dates, and prices—to create highly targeted messages that impersonate travel platforms such as Booking.com or specific properties. These communications, delivered via SMS, WhatsApp, and email, direct victims to fraudulent websites designed to harvest credit card information.
The analysis, led by Luis Corrons at Norton’s parent company Gen, reveals that the majority of compromised establishments are small- to medium-sized hotels. Germany, France, the UK, Italy, Spain, and the US were among the most affected nations, with the identified accommodations holding a combined capacity for approximately 80,000 guests at peak times. The use of real reservation context significantly increases the likelihood that recipients will click on malicious links, as the messages appear authentic and address specific stress points in the travel experience.
Norton’s investigation began in December after researchers identified a realistic phishing message sent via WhatsApp. The message impersonated Booking.com, listing specific reservation details and directing the recipient to a fake website equipped with a chatbot to instantly capture entered data. The attacks are facilitated by a “phishing-as-a-service” model, allowing criminals to automate the sending and collection of data. In some instances, hackers compromise hotel staff accounts using malware-laced emails, such as those containing the Vidar info stealer, to send fraudulent messages from legitimate hotel systems.
Industry experts warn that the hospitality sector’s reliance on diverse property-management software and third-party booking services creates multiple entry points for data theft. Aaron Ownbey, vice president of engineering at Cloudbeds, noted that the effectiveness of these scams stems from attackers knowing exactly who the guest is and what they paid. Don Smith from Sophos added that smaller hotels are less likely to have robust security practices, such as multifactor authentication for staff, making them prime targets for credential phishing.
Norton has shared its findings with Europol, although the agency declined to comment on operational activities. Booking.com stated it continues to strengthen its defences, while Cloudbeds confirmed it has not been breached, describing the incidents as credential-phishing campaigns targeting staff. Experts urge the industry to raise security baselines through better staff training and wider adoption of phishing-resistant authentication to mitigate these risks.
