Phishing, compromised emails and the human factor: the new frontier of cyber fraud targeting travelers
The scam that knows everything about you
You’ve just booked a hotel on Booking.com. Confirmation received, everything in order. Then, within a few minutes or a few hours, a WhatsApp message arrives: the property informs you that the payment failed and asks you to click a link to re-enter your card details, or the reservation will be canceled. The message seems authentic—and in part it is: it knows your name, the hotel name, the exact dates of your stay, and the amount paid. In reality, this is one of the most sophisticated and rapidly expanding cyber scams targeting travelers in Italy and throughout Europe.
The mechanism is simple in logic but refined in execution.
Criminals don’t attack Booking.com head-on but do so “from the side,” targeting the most vulnerable link in the chain: partner accommodations. Through phishing emails that mimic official platform communications, they steal login credentials to the hotel’s extranet—the management panel where all active reservations are stored with names, contact details, dates, and amounts for each customer. Once inside, the scammers exploit Booking’s internal messaging system to contact customers directly, with messages that appear to come from the property itself and are credible enough to extract a payment.
In many cases, however, the entry point is even further upstream: the accommodation’s email account itself. Scammers configure automatic filters and forwards in the mailbox without the hotel owner noticing anything. Psychological pressure does the rest: the customer receives the message on multiple channels simultaneously—email and WhatsApp—with a blunt ultimatum: confirm within 24 hours or the reservation will be canceled. Those about to depart tend to act without verifying. This is exactly the mechanism that experts call social engineering: you don’t break the code, you break the person.
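The mailbox rules described above leave a trace that the property can audit. The following is an added example, not code from the article, that scans an export of mailbox rules and flags the ones an intruder typically creates: forwards to addresses outside the property's own domain, and rules that hide or delete messages about bookings, passwords or security alerts. The export format, the keyword lists and the sample rules are constructed for this example; real exports from a mail provider will have a different shape and need a small adapter.

```python
# Added example (not from the article): audit an export of mailbox rules for the
# pattern described above, where an intruder silently forwards or hides mail.
# The rule export format and the sample rules are constructed for this example;
# real exports (e.g. from a hosted mail provider) differ in shape.
from __future__ import annotations

# Words an intruder typically hides from the real owner: platform notifications,
# guest replies and security alerts about the account itself.
WATCH_WORDS = {"booking", "reservation", "prenotazione", "password", "security", "sicurezza"}
# Folders where rules commonly park mail that the owner will never look at.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "archive", "deleted items"}


def audit_rules(rules: list[dict], internal_domain: str) -> list[tuple[str, list[str]]]:
    """Return (rule name, reasons) for every rule that looks attacker-made."""
    internal_suffix = "@" + internal_domain.lower()
    findings = []
    for rule in rules:
        reasons = []
        name = rule.get("name", "")
        # Attacker-created rules are often unnamed or named with a single character.
        if len(name.strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        # Any forward/redirect outside the property's own domain is a red flag.
        for addr in rule.get("forward_to", []):
            if not addr.lower().endswith(internal_suffix):
                reasons.append(f"forwards mail to external address {addr}")
        # Keyword-triggered rules that make matching mail disappear.
        words = {w.lower() for w in rule.get("subject_contains", []) + rule.get("body_contains", [])}
        hits = sorted(words & WATCH_WORDS)
        if hits:
            actions = []
            if rule.get("delete"):
                actions.append("deletes it")
            if rule.get("move_to", "").lower() in HIDING_FOLDERS:
                actions.append(f"moves it to '{rule['move_to']}'")
            if rule.get("mark_as_read"):
                actions.append("marks it as read")
            if actions:
                reasons.append(f"matches {hits} and " + ", ".join(actions))
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample export: two benign rules and two of the kind attackers create.
SAMPLE_RULES = [
    {"name": "Newsletters", "subject_contains": ["newsletter"], "move_to": "Newsletters"},
    {"name": "Backup copy", "forward_to": ["ops-backup@hotelname.example"]},
    {"name": ".", "body_contains": ["booking", "payment"], "move_to": "RSS Feeds", "mark_as_read": True},
    {"name": "Sync", "forward_to": ["mailbox-sync@attacker.example"]},
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, "hotelname.example"):
        print(f"rule {name!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Running the script on the sample export reports the "." rule (single-character name, parks booking-related mail in RSS Feeds and marks it read) and the "Sync" rule (external forward), and stays silent on the two legitimate rules. In practice this check belongs in a periodic review of every mailbox the property uses for platform correspondence, together with a review of recent sign-ins.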
Victims are diverse: not only elderly or inexperienced people, but professionals and frequent travelers. Altroconsumo reports losses exceeding €1,500 per single fraudulent transaction.
Euroconsumers—the group that includes Altroconsumo in Italy, Test Achat in Belgium, OCU in Spain, and DECO in Portugal—has sent a report to the Dutch Privacy Authority (where Booking.com is based) with these requests: call on Booking to comply with GDPR regulations, highlighting the unlawfulness of its data processing conduct; order Booking to implement robust technical and organizational measures; facilitate the victim’s right to compensation provided by Art. 82 of the GDPR.
The role of DMARC: a useful shield, but not infallible
On the technical level, there is an international standard designed specifically to counter email spoofing: DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance. It is an authentication protocol, built on top of SPF and DKIM, that allows the owner of a domain—for example booking.com or hotelname.it—to specify which servers are authorized to send emails on its behalf, and to instruct receiving servers on what to do with messages that don’t pass the checks: take no action (monitoring only), quarantine them, or reject them outright.
In theory, an email pretending to come from Booking.com but sent from an unauthorized server should be blocked or end up in spam before even reaching the recipient’s inbox. DMARC, if configured correctly and with restrictive criteria, is an effective tool against sender spoofing—that is, email address forgery. But the system is not infallible: in more permissive configurations (a policy of p=none, which only asks receivers for reports), unauthenticated messages are still delivered normally. And above all, DMARC can do nothing if the attacker has already gained legitimate access to the property’s email account: in that case the message originates from an authorized server, with a real domain, and no filter intercepts it. It is therefore a necessary but not sufficient tool.
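To make the three cases above concrete, here is an added example, not code from the article, of a miniature DMARC evaluator: it parses a DMARC TXT record, applies the SPF/DKIM alignment rules, and returns the disposition a receiving server would choose. It assumes constructed records and domains (booking.example, hotelname.example, attacker.example) and simplifies the organizational-domain lookup to the last two labels, where real receivers consult the Public Suffix List. The scenarios show a forged sender rejected under p=reject, the same forgery delivered under p=none, and mail from a compromised hotel mailbox passing every check even under the strictest policy.

```python
# Added example (not from the article): a miniature DMARC evaluator that shows
# why a spoofed sender is rejected under a strict policy, why it still lands in
# the inbox under p=none, and why mail sent from a compromised hotel mailbox
# passes every check. All records and domains below are constructed.
from __future__ import annotations
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}  # relaxed alignment, apply to all mail
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification: keep the last two labels. Real receivers consult the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the visible
    From: domain, relaxed ('r') only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the visible From: header (what the user sees)
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # envelope MAIL FROM domain that SPF was checked against
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the DKIM signature, if any


def evaluate(record: dict, r: AuthResults) -> tuple[str, str]:
    """Return (dmarc_result, disposition) the way a receiving server would."""
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, record["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"          # at least one aligned, passing identifier
    if record["p"] == "none":
        return "fail", "deliver"          # monitoring only: failure is reported, not enforced
    return "fail", record["p"]            # "quarantine" or "reject"


# Constructed records (none of these is a real DNS record).
BOOKING_REJECT = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@booking.example")
HOTEL_NONE = parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc@hotelname.example")
HOTEL_REJECT = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@hotelname.example")

SCENARIOS = {
    # Attacker's server forges From: booking.example; SPF fails, no DKIM signature.
    "spoof_under_reject": (BOOKING_REJECT, AuthResults("booking.example", "fail", "attacker.example", "none", "")),
    # Same forgery against a hotel domain that only monitors: still delivered.
    "spoof_under_none": (HOTEL_NONE, AuthResults("hotelname.example", "fail", "attacker.example", "none", "")),
    # Attacker logged into the hotel's real mailbox: everything is authentic and aligned.
    "compromised_mailbox": (HOTEL_REJECT, AuthResults("hotelname.example", "pass", "hotelname.example", "pass", "hotelname.example")),
    # Strict DKIM alignment refuses a parent-domain signature that relaxed mode would accept.
    "subdomain_strict_dkim": (BOOKING_REJECT, AuthResults("mail.booking.example", "fail", "other.example", "pass", "booking.example")),
}


def run_scenarios() -> dict[str, tuple[str, str]]:
    return {name: evaluate(rec, res) for name, (rec, res) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (result, disposition) in run_scenarios().items():
        print(f"{name:24s} dmarc={result:4s} -> {disposition}")
```

The "compromised_mailbox" scenario is the one that matters for this article: the message carries a passing, aligned SPF and DKIM result because it really did leave the hotel's authorized server, so even a p=reject policy delivers it. The pct tag is parsed but not applied here; a real receiver would enforce the policy on only that percentage of failing messages.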
How to protect yourself: essential rules
The good news is that protecting yourself is possible, provided you know the warning signs and adopt some simple precautions:
• Always be wary of urgency: any message that pushes you to act within a few hours, threatening the loss of your reservation, is the classic sign of a scam. Stop and verify before acting.
• Booking doesn’t use WhatsApp: the platform communicates exclusively through its own internal chat. A WhatsApp message claiming to be from Booking or from the property via Booking is almost certainly fake.
• Don’t click on links received via message: always verify the status of your reservation directly from the app or official website, opening the browser independently.
• Check the actual sender: the displayed name can be easily forged. Verify the full email address and phone number, being wary of unexpected foreign prefixes (+90, +91, +55 and similar).
• When in doubt, call the hotel: use the number you find independently on Google or on the property’s website, not the one shown in the suspicious message. Also report the incident to Booking.com.
The human factor: the weak link we must strengthen
This scam is also a mirror of an uncomfortable truth that cybersecurity experts have been repeating for years without being heard enough: technology alone is not enough. Next-generation firewalls, EDR systems, the DMARC protocol—all valuable tools, but all bypassable the moment a person falls for the deception. The entire attack architecture rests on a single entry point: a hotel employee who clicks on a phishing link and enters their credentials on a fake page. A gesture of a few seconds that compromises the security of dozens of customers.
This is not an exception: Verizon’s 2024 DBIR indicates that 68% of breaches involved an unintentional human element, including errors (such as cloud misconfigurations), use of stolen credentials, or falling victim to social engineering.
The Italian situation is particularly concerning: the Clusit 2025 Report certifies that Italy, while representing 0.7% of the world’s population, suffered 10% of cyber attacks recorded globally in 2024, compared to 4% in France and 3% in Germany and the UK. ACN—the National Cybersecurity Agency—recorded a 53% increase in cyber events in the first half of 2025 alone compared to the previous year, with confirmed impact incidents nearly doubled (+98%) and phishing campaigns among the fastest-growing phenomena. A negative record that reflects, among other things, a cultural lag in managing cybersecurity at all levels.
Training people: not a cost, but the real defense
In the hospitality sector—small family-run hotels, B&Bs, farm stays—training on cybersecurity is virtually nonexistent. There is no IT manager, there are no codified procedures for handling suspicious emails, no phishing simulations are conducted. These businesses become ideal targets precisely because of this cultural gap, even before a technological one. A dangerous misconception must also be dispelled: those who fall into a phishing trap are not necessarily naive. Modern attacks are designed by psychological manipulation professionals, optimized across thousands of variants, and manage to deceive even prepared and experienced people.
Organizations that achieve the best results adopt concrete and continuous approaches: periodic phishing simulations to test staff with real scenarios—followed by immediate debriefings for those who fell for the test; update sessions on emerging threats; and above all a corporate culture that rewards reporting suspicions instead of punishing those who almost made a mistake. On the technical level, minimum measures such as mandatory two-factor authentication for all Booking extranet access would have prevented the vast majority of the compromises described in this article. These are not expensive or complex measures: this is basic digital hygiene.
The human factor is not just a vulnerability: it can become the first line of defense. A receptionist who recognizes a phishing email and reports it is worth more than any firewall. Investing in staff awareness—with continuous, practical training adapted even to small businesses—is no longer optional. It is a concrete responsibility toward every customer who books a vacation entrusting their data and money to the property. Because a vacation should remain a moment of relaxation, not the beginning of a digital nightmare.