Reservation Impersonation Becoming Easier as Data Breaches Grow

/in /by

A recent leak of customer information from Booking.com is making it easier for criminals to impersonate hotels and airlines in a scam called reservation hijacking. As hackers steal more of our personal and reservation data, fraudsters can create more convincing impersonations by referencing accurate information, like confirmation numbers, destinations, and personal details.

These kinds of scams are not new, but they seem to be becoming more effective as growing amounts of our data are compromised and available online. Names, contact information, and booking details—all types of information compromised in the recent Booking.com breach—can be enough for a scammer to convince a victim that they are a legitimate representative from an airline, hotel, or spa.

Impersonators will ultimately try to get money, either under the guise of a charge associated with your booking or by requesting payment information to hold your spot. Often, they try to pressure their targets, demanding quick action to secure the reservation or to resolve an issue in the payment process. In most cases, there is not actually a problem with the consumer’s reservation.

Besides a direct breach of an account belonging to a victim, criminals can build a convincing impersonation by collecting enough details via other means. For example, they may gather intelligence through social media, particularly if someone shares a lot of information about a vacation or upcoming plans. Employees of a business may also be targeted for phishing or hacking, resulting in the compromise of customers’ information.

Keep the following tips in mind to better protect yourself from reservation hijacking:

  • Do not respond directly to unsolicited emails, phone calls, texts, or instant messages. If you’ve received a request for additional payment or payment information, reach out to the company you booked through directly via information on their website or in your booking confirmation.
  • Watch out for pressure tactics. Legitimate businesses do not call or send text messages pressuring you to act immediately. They also will not demand payment with a different payment method from the one you used to book your reservation
  • Secure your accounts after a breach. If you receive a notice that you were impacted by a data breach, take the time to change your passwords and check for suspicious activity, like unauthorized payments or logins. Setting up two-factor authentication can also help to better protect your accounts.

To keep up with the latest news regarding data breaches and privacy issues, you can subscribe to the National Consumers League’s #DataInsecurity Digest here.

If you believe you have encountered a scam, please file a complaint on our website. Your report helps Fraud.org alert the public and share critical information with consumer protection agencies and law enforcement partners.

NCL’s Programs

fraud-org
1746770534_HAC-Logo

Fraud.org is a project of
The National Consumers League.

info@nclnet.org
(202) 835-3323

1701 K St NW
Suite 1200,
Washington, DC 20006

© Copyright 2026. All rights reserved.

Tax Season Comes With a Swath of Scams