A new lodging reservation scam is targeting travelers with emails that look convincing because they include real booking details.
The email appears to come from a hotel or rental property and includes the property name, the traveler’s exact confirmation number, and the exact travel dates, according to WISH-TV and WRTV.
The message then asks the traveler to click a link to confirm details. Once clicked, a form asks for information such as name, email, phone number, date of birth, and an amount. If the victim keeps going, another page asks for credit-card information.
A person who really did book the property may see the correct dates and confirmation number and assume the message came from the hotel, rental property, or booking system.
The Email Looked Real Because The Booking Details Were Real
Kara Kenney with Indiana’s I-Team received one of the emails but did not enter any information. She called the rental property directly, and the property confirmed it had not sent the message. Indiana’s I-Team then shared screenshots with the Identity Theft Resource Center.
Eva Velasquez, CEO of the Identity Theft Resource Center, told WRTV the scam appears to be tied to infiltration or data breaches of reservation systems. She said bad actors are compromising reservation systems at hotels and rental properties across the country, gathering information about specific reservations, and then sending phishing emails.
The Scammers Still Needed The Credit Card
Velasquez said reservation systems are separate from financial data, which is why scammers still need the victim to provide payment details through the fake form. “What makes this particular scam so convincing is the fact that they have so much valid information,” Velasquez told WRTV. “It looks so legitimate.”
Indiana’s I-Team also shared the screenshots with McAfee. The cybersecurity company scanned the site and found it was a scam, saying the link was on a list of known threats. Abhishek Karnik, McAfee’s head of threat research and response, told WRTV that scams are becoming more targeted and can no longer be judged only by instinct.
The Safer Move Is To Call The Property Directly
If an email asks a traveler to confirm a hotel stay, rental reservation, payment card, arrival time, deposit, or identity details, the safest move is to stop before clicking. Call the property directly using a phone number from the official website, booking app, or original reservation record. Do not use a number inside the suspicious email, and do not click the button in the message.
Travelers can also go to the official hotel, rental platform, or booking site themselves and check the reservation from there. If the property says it did not send the email, delete the message and report it as phishing.
A Real Reservation Detail Does Not Make The Email Safe
AARP warns travelers to verify websites, avoid suspicious phone numbers, research unfamiliar travel companies, and avoid paying for travel services or rentals with gift cards, wire transfers, cryptocurrency, Zelle, or Venmo. The FTC also warns that rental scammers often push people toward payment methods that are difficult to recover.
This lodging email scam is slightly different because it may arrive after a real reservation already exists. That means the usual “I did book this stay” reaction can work against the traveler. A real confirmation number, property name, or travel date inside an email does not prove the email is safe.
If someone clicked the link but did not enter anything, they should avoid returning to the page and run a security scan. If they entered credit-card information, they should contact the card issuer immediately, report the card as compromised, and monitor for unauthorized charges.