The most dangerous phishing email a guest will ever receive is one that already knows their reservation number. That is what security researchers at Norton (Gen Digital) have documented in a year-long investigation: a coordinated scam pulling real booking data from at least 350 hotels, motels, vacation rentals, and guesthouses across 50 countries, then weaponising it into highly targeted spear-phishing messages.

The reporting came via WIRED. The strategic lesson, for anyone running a property, sits squarely inside the operational stack hotels already own.

How the scam actually works

The flow looks roughly like this:

  1. A guest books a real stay through a real channel — direct site, OTA, or a metasearch click-out.
  2. Sometime between confirmation and check-in, attackers obtain the booking record: the guest's name, email, hotel, dates, and quoted price.
  3. The guest receives a message that looks like a routine pre-stay confirmation — payment failure, "verify your card", "complete check-in" — that quotes those exact details back at them.
  4. The link leads to a lookalike payment page, customised per victim: the right hotel name, the right rate, the right check-in date.

The conversion rate on that kind of message is an order of magnitude higher than generic phishing, for an obvious reason. The friction that normally trips a sceptical reader — "I never booked anything for that price" — has been engineered out.

Where the data is leaking from

The headline says "350+ hotels", which is technically accurate and strategically misleading. In most documented cases, the breach is not the hotel's PMS being popped directly. The entry points researchers and security press have flagged over the last 18 months cluster around three places:

  • Compromised staff credentials on extranet portals (OTAs, channel managers, messaging tools). A single phished front-desk login can expose every reservation that flows through that channel.
  • Third-party messaging integrations — automated pre-stay tools, upsell platforms, review-request services — that hold reservation data outside the PMS, often with weaker auth.
  • Dormant integrations from vendors no one at the property remembers signing up with. Tokens issued years ago, never rotated, still pulling bookings.

Every additional system that touches a reservation is another credential to phish and another vendor to breach.

"This is really targeted." — Luis Corrons, Norton (Gen Digital), via WIRED

The structural lesson: fewer hops, fewer leaks

The industry has spent two decades layering systems on top of the booking record — channel managers, CRMs, marketing tools, messaging tools, upsell tools, review tools. Each layer was justified on its own merits. Collectively, they multiplied the number of places where a single reservation lives in plaintext.

The shift towards consolidated, hotel-owned distribution infrastructure — direct AI channels, a single source of truth for guest data, fewer intermediaries between the guest and the property — is not just a margin story. It is also an attack-surface story. The fewer copies of a booking record that exist, and the fewer parties holding tokens to your booking pipeline, the smaller the radius of any single breach.

What to do this week

  1. Inventory the integrations. List every system — PMS, channel manager, OTA extranets, messaging, CRM, upsell tools — that can read reservation data. Most properties undercount by half.
  2. Force 2FA everywhere. Especially on OTA extranets and channel-manager logins. These are the most-phished surfaces in hospitality and the most consistently under-protected.
  3. Revoke dormant tokens. Any integration nobody can name an owner for gets disconnected. The vendor will call if it mattered.
  4. Brief the front desk. Guests will start forwarding suspicious "confirmation" emails. Staff should be able to confirm or deny instantly — and should never ask guests to "re-verify" payment via a link.

The scam is not new in shape. What is new is the scale and the quality of the spoofing. The properties that handle it best in 2026 will not be the ones with the most security tooling — they will be the ones with the fewest places a booking record can leak from in the first place.

Source Based on reporting by Matt Burgess for WIRED, "Scammers Are Using Your Real Hotel Reservations to Trick You With Spear-Phishing Attacks", citing research by Luis Corrons at Norton (Gen Digital). Read the original.