Reservation Hijack Scams Surge in UK as Fraudsters Use Real Booking Details
Reservation Hijack Scams Surge in UK Using Real Booking Data

Reservation Hijack Scams Surge Across the UK as Fraudsters Exploit Real Booking Data

Imagine you have meticulously planned your summer holiday: flights are booked, accommodation is confirmed, and your bags are packed. You are eagerly anticipating your departure. Then, a message arrives, seemingly from your hotel, referencing your exact booking details and urgently requesting verification of payment information before your arrival. This message feels legitimate—and that is precisely why it is so dangerous.

The Rise of the Reservation Hijack Scam

This fast-growing fraud trend has been identified by researchers from Norton, who have coined the term 'reservation hijack scam'. Attackers are using authentic booking details to impersonate hotels and deceive travellers into surrendering sensitive payment information. With the peak travel season approaching, this sophisticated scam is experiencing a significant surge across the United Kingdom.

It represents a notable shift from generic phishing attempts to highly convincing attacks built upon real, stolen data. These scams can swiftly ruin a holiday, and the latest variant leverages your actual reservation information to appear credible.

Wide Pickt banner — collaborative shopping lists app for Telegram, phone mockup with grocery list

How the Scam Operates

The reservation hijack scam typically targets travellers via text message or through trusted communication channels, using details extracted from genuine bookings. Victims are not being caught out by poor spelling or dubious links; instead, they are deceived because the message looks exactly like a legitimate pre-trip communication they would expect to receive.

These attacks are often timed around upcoming travel plans, creating a sense of urgency and relevance. In many instances, the scam unfolds within trusted environments such as official booking platforms, hotel messaging systems, or even WhatsApp, making it considerably more challenging for consumers to identify as fraudulent.

Two Primary Attack Methods

Researchers have identified two primary methods through which attackers are executing these scams:

  1. Impersonation: Scammers pose as hotels or booking providers using highly convincing messages, authentic branding, and contextual details that match the victim's reservation.
  2. Account Takeover: A more sophisticated approach where attackers gain unauthorized access to legitimate hotel or partner systems. This allows them to contact guests through real booking platforms using genuine reservation details, making the communication appear completely authentic and embedded within the actual customer journey.

Alternatively, these attacks can also occur via popular booking websites such as Booking.com, where fraudsters exploit platform vulnerabilities to send deceptive messages.

Why This Scam Is So Effective

What makes the reservation hijack scam particularly effective is that it eliminates many of the traditional warning signs that consumers have been trained to recognize. Messages often reference real bookings, including specific hotel names, dates, and locations, and are delivered via trusted platforms rather than random, unsolicited emails.

Consequently, even cautious and security-aware consumers can be caught off guard, especially when the message creates a pressing urgency around payment confirmations or alleged booking issues.

Expert Insights and Protective Advice

Luis Corrons, Norton Security Evangelist and the lead researcher behind identifying this trend, has detailed how the scam operates and why it poses such a significant threat. He also offers crucial advice for travellers this summer and highlights the responsibilities of hotels and booking platforms in preventing fraud.

Luis told the Daily Mail: 'For years, the best advice on travel scams was simple: watch for bad grammar, generic messages, and suspicious links. That advice still matters, but it is no longer sufficient. What we are witnessing with the reservation hijack scam is a clear evolution in attacker methodologies.'

He emphasized the two main routes: impersonation and the more sophisticated account takeover, where the scam becomes embedded in the genuine customer journey, making it exceptionally tricky to identify.

Pickt after-article banner — collaborative shopping lists app with family illustration

For consumers, the key protective measure is straightforward: trust your original booking confirmation, not unsolicited messages. Even if a message references your real booking, any request to confirm or re-enter payment details should immediately raise a red flag, particularly if there is pressure to act quickly.

'The safest approach is to step outside the conversation and verify independently,' Luis advises. 'Either by logging into the official website directly or contacting the hotel using trusted contact details from your original confirmation. Taking that extra moment to verify can prevent what appears to be a routine travel update from escalating into a costly and distressing scam.'

As the UK approaches its busiest travel period, awareness and vigilance are paramount. Travellers, hotels, and booking platforms must collaborate to combat this evolving threat, ensuring that summer holidays remain enjoyable and secure experiences free from fraudulent interference.