The trip is booked, the hotel reservation is confirmed and everything seems to be fine. However, just before departure, you receive a WhatsApp message claiming that the reservation needs to be additionally confirmed, otherwise it will be cancelled. The message contains a link, a deadline that corresponds to the actual dates of your trip, and even addresses you by name on your private cell phone number. At first glance, everything seems legitimate, especially since the message refers to an actual reservation.
‘Reservation Hijacking’
But it didn’t! Don’t fall for the trap in the new phishing campaign that has been heating up these days with the reservations of hundreds of hotels in Europe. It is particularly convincing because it targets people who really have an upcoming stay at the hotel, and the dangerous messages on WhatsApp were also received by guests of a large number of Croatian hotels, who posted a warning on social networks.
“Warning – impersonation on behalf of Zaton Holiday Resort. We warn you of active fraud attempts via WhatsApp messages that are falsely sent on behalf of Zaton Holiday Resort. The messages contain an invitation to click on a fake link under the pretext of booking verification. Caution! Do not open suspicious links and do not enter card information or perform transactions related to your reservation. Zaton Holiday Resort never requests payment or card verification via WhatsApp message or link from unknown numbers. If you have received a message like this: do not click on the link and do not enter the card information. Please check the reservation information only through the official channels of Zaton Holiday Resort. If you have already entered the card information, please contact your bank immediately,” reads Zaton’s warning on social networks.
Valamar also sent a similar message to its guests on social networks, from which they inform us that they immediately informed all their guests about possible fraud attempts and recommended extra caution when opening links.
Hacker break-in
Aminess also reports that they have been informed of the appearance of fake WhatsApp messages that contain a request to open a link under the pretext of confirming or verifying an accommodation reservation. “Immediately upon learning about the case, we warned guests about possible fraud attempts and urged them not to open suspicious links and not to share personal or payment card information through messages coming from unknown or unofficial phone numbers and e-mail addresses. We are closely monitoring the situation and taking all necessary steps in accordance with positive regulations to protect our guests and inform them in a timely manner of all relevant circumstances,” they said from Aminess.
Apparently, this is part of an increasingly widespread fraud trend that threat researchers from the American company Gen (owner of the Norton brand) call “Reservation Hijack”. This scam is so effective because it uses confidential information that only you and the hotel you booked with should know.
Although guests are often informed of the possibility that these are fake messages, they are concerned about how the fraudsters got their personal information in the first place and how it is possible for them to know the correct information about their reservations. This indicates that the hackers most likely broke into the global reservation systems used by companies across Europe, and not into the systems of individual hotels, insiders tell us. And examples of hotels across Europe confirm this thesis. In a quick search of published texts in the last few days alone, we found them in Ireland, Luxembourg and the Netherlands.
In April, Booking.com warned that unauthorized persons had accessed some users’ booking data, including their names, contact details and booking information, although the number of users affected was not disclosed.
As reported by specialized media, the appearance of “Reservation Hijack” scams reflects a broader trend in cybercrime in which fraudsters are increasingly moving away from generic messages and switching to highly personalized attacks that use specific context and real data about the victim. In his analysis, which began in December 2025, Norton came to the conclusion that the fraud has so far affected around 350 compromised accommodation facilities that have a capacity of approximately 82,000 guests. Norton says that “Reservation Hijack” scams are most concentrated in Europe, and the largest number of compromised accommodation facilities was recorded in Germany, France, the UK, Italy and Spain.
Europol was also informed
According to Wired magazine, Norton launched its investigation into hotel scams in December after identifying a highly convincing phishing message. The message, sent via WhatsApp from an account posing as travel platform Booking.com, claimed to be from a specific hotel and contained the dates of an upcoming booking, before asking the recipient to click on a link and confirm their details. The link led to a fake website that included a chatbot, which immediately forwarded all entered information, such as credit card information, to the hackers. Norton has not yet been able to fully reveal who is behind the attack, but investigations are still ongoing. Norton informed Europol about his findings.
