From ski resorts to F1 weekends: How WhatsApp hotel scams target travelers

Planning a summer getaway? Heading to a Formula 1 race weekend? Looking forward to a long-awaited vacation abroad?

Be careful when that hotel "verification" message arrives on WhatsApp.

Researchers at Bitdefender Labs have been tracking an ongoing phishing campaign impersonating hotels, resorts, and accommodation providers across more than 10 countries. Unlike traditional travel scams that rely on generic phishing emails, this operation uses real booking information, localized messaging, and convincing hotel branding to trick travelers into handing over payment card details.

Hotel impersonation scams are nothing new, but researchers have been actively monitoring this particular WhatsApp-based operation since March 2026. Since then, the campaign has continued to evolve, with new domains, impersonated hotel brands, languages, and target countries appearing over time.

Most concerning of all, victims aren't receiving random spam. The messages suggest attackers may have access to details that travelers would reasonably expect only their hotel, travel agency, or booking platform to know.

Key takeaways

• Researchers at Bitdefender Labs identified a multi-language WhatsApp phishing campaign targeting travelers across more than 10 countries.
• The operation impersonates hotels, resorts, and accommodation providers using real booking information.
• Observed languages include English, German, French, Spanish, Romanian, and Polish.
• Victims receive personalized messages containing names, stay dates, reservation details, and cancellation warnings.
• At least six active phishing campaigns and eight impersonated hospitality brands have been identified.
• The campaign relies exclusively on WhatsApp, with no matching email or SMS infrastructure observed.
• Summer vacations, Formula 1 weekends, concerts, and other travel-heavy events create ideal conditions for this type of fraud.

A global hospitality phishing operation

This is not a localized scam targeting a single hotel chain or country.

Researcher Alecsandru Daj identified activity across the United Kingdom, Germany, Poland, France, Romania, the Netherlands, Canada, Singapore, Portugal, and Colombia.

The operation has also demonstrated extensive localization capabilities. Phishing pages and messages have been observed in English, German, French, Spanish, Romanian, and Polish, allowing criminals to tailor communications to a victim's language and destination.

Investigators identified at least six active phishing campaigns and a growing list of impersonated hospitality brands, including:

• Ramada by Wyndham
• SENSEA Retreat
• Hotel Leon D'Oro
• Rihga Hotel Zest Takamatsu
• Aminess Style Camping Avalona
• Hôtel & Spa Le Maury
• Impressive Playa Granada Golf

The hospitality brands listed above are legitimate businesses whose identities have been misused by cybercriminals. These organizations are victims of brand impersonation, not sources of the security issue. Bitdefender has no evidence that any of these brands were directly compromised or involved in the fraudulent activity.

The geographic diversity suggests attackers are targeting travelers wherever reservation data becomes available rather than focusing on a particular destination.

How reservation data becomes a weapon in fraud campaigns

This phishing campaign highlights a growing problem within the travel industry: reservation data has become a valuable asset that cybercriminals can obtain.

The concern isn't new. For years, threat actors have targeted hotels, travel agencies, and booking platforms because access to reservation information lets them create highly convincing scams that are far more effective than generic phishing attempts.

What has changed is the amount of travel-related data available to threat actors.

Recent incidents affecting the hospitality industry have demonstrated how compromised reservation systems, stolen credentials, and exposed booking information can give attackers the details needed to craft highly convincing scams. Instead of sending generic phishing messages, criminals can now reference real travel plans, hotel names, booking references, and stay dates.

Bitdefender Labs also highlighted this risk in 2025 when researchers uncovered an Agent Tesla campaign targeting Booking.com partners with fake guest complaints and reservation-related messages. The goal was to compromise hotel and accommodation providers, steal credentials, and gain access to systems containing guest information and reservation details.

Researchers observed attackers impersonating Booking.com communications and trying to infect hospitality staff with credential-stealing malware. Once hotel accounts or partner systems are compromised, attackers can potentially gain visibility into guest bookings, travel dates, reservation numbers, and contact information.

More recently, Booking.com disclosed a security incident involving unauthorized access to guest booking information. According to the company, exposed information may have included guest names, email addresses, phone numbers, physical addresses, reservation details, booking information, and communications between guests and accommodations.

Moreover, stolen credentials associated with hotel management portals and booking platforms are frequently traded in underground communities. Once attackers gain access to a hotel's account, they can exploit the trust guests place in legitimate travel communications. A threat actor who knows where you're staying, when you're traveling, and how to contact you doesn't necessarily need your credit card number. They can simply impersonate your hotel and convince you to hand it over.

While there is currently no evidence linking this WhatsApp campaign directly to any specific breach or booking platform incident, the operation demonstrates how reservation data can be transformed into a powerful social engineering tool long after the initial compromise occurs.

How the Attack Chain Works

The campaign follows a consistent pattern across all identified phishing campaigns.

First, attackers obtain guest information, including names and travel dates. Researchers believe this information may originate from compromised booking systems, exposed hospitality data, credential theft, partner abuse, or other travel-related data sources.

Victims then receive WhatsApp messages impersonating hotel staff or reservation departments.

The messages use a carefully crafted combination of urgency and reassurance.

Typically, travelers are told:

• Their reservation requires verification
• No payment will be charged
• A temporary authorization hold may be placed
• Failure to act within 24 hours could result in cancellation

Victims are then directed to a phishing website that closely resembles a legitimate booking portal.

Researchers observed multiple phishing domain families, including:

• pre-registation-booking[.]com
• pre-registration[.]info
• hotelroom-stay[.]com
• authstep-booking[.]com
• approve-reservation[.]com

One particularly telling indicator is the repeated typo "registation" instead of "registration," which appears throughout the infrastructure.

Once victims reach the phishing page, they are asked to "verify" their payment card.

Instead, the information is harvested for fraud.

Coordinated phishing campaigns or one-time scam attempts?

Although researchers identified six separate phishing campaigns, technical evidence suggests these attacks are likely connected or operated by the same cybercriminal group based on observed infrastructure similarities .

Across countries, brands, and domains, the campaign consistently uses:

• The same "temporary hold" payment lure
• The same 24-hour cancellation pressure
• Similar URL structures
• Similar phishing workflows
• WhatsApp-exclusive delivery
• Rotating pools of fake reservation agents

The operation frequently uses hotel staff personas to add credibility to messages.

Researchers also observed automated domain generation, rapidly rotating infrastructure, and newly issued TLS certificates appearing just days before domains became active.

Together, these similarities strongly suggest a coordinated operation rather than independent copycat campaigns.

Why summer travelers are especially vulnerable

The timing of the campaign is unlikely to be accidental.

Summer is one of the busiest travel periods of the year. Millions of people are booking hotels, checking itineraries, arranging transportation, and monitoring travel updates.

During this period, travelers naturally expect messages from accommodation providers. As such, a reservation verification request feels more plausible.

Unlike generic phishing emails about unpaid invoices or suspicious account activity, a message about an upcoming vacation arrives in a context where travelers are already expecting communication from hotels and booking platforms.

Moreover, the use of real booking information makes that assumption especially dangerous for travelers who assume it must be legitimate.

Formula 1 weekends also create ideal conditions for scammers

Although researchers have not observed the campaign targeting Formula 1 events specifically, major race weekends, concerts, or other sporting events create ideal conditions for reservation-themed phishing attacks.

Formula 1 attracts hundreds of thousands of travelers every season. Fans often book accommodation months in advance, particularly for races in destinations such as Monaco, Silverstone, Spa-Francorchamps, Budapest, Monza, Singapore, and Zandvoort.

Hotels near race venues frequently sell out long before race weekend.

As travel dates approach, many fans actively monitor messages regarding reservations, check-in procedures, payment confirmations, and itinerary changes. This creates a perfect opportunity for scammers.

Imagine receiving a WhatsApp message a few days before arriving in Monaco or Silverstone claiming your hotel reservation requires urgent verification to avoid cancellation.

The message contains your name, accommodation details, travel dates, and a warning that your reservation could be canceled within 24 hours.

The fear of losing accommodation during a sold-out race weekend could pressure even cautious travelers into acting before carefully reviewing the message.

The campaign's international footprint is particularly noteworthy in this context. Countries affected by the operation include the United Kingdom, Germany, France, the Netherlands, Canada, and Singapore—all locations with significant Formula 1 audiences or race-related travel activity.

The same tactic could easily be adapted for concerts, festivals, sporting events, conferences, and other high-demand gatherings where accommodations are difficult or expensive to replace at short notice.

Any hotel reservation could be weaponized

Researchers identified multiple hospitality brands being abused throughout the campaign, but the operators do not appear to be tied to any specific hotel chain. Instead, they appear to select brands that match available booking data.

In other words, the users’ legitimate hotel reservations become the primary weapon in the fraudulent campaigns we’ve analyzed.  As such, any hotel, resort, campground, vacation rental, or accommodation provider could be impersonated if attackers gain access to guest booking information.

How to stay safe from travel and reservation scams this summer

As travel scams become more personalized, it's no longer enough to simply avoid suspicious emails. Attackers are increasingly using real booking information, trusted brands, and messaging platforms such as WhatsApp to make fraudulent messages appear legitimate.

Verify all reservation requests independently

If you receive a message claiming your booking requires verification, don't click the link provided.

Instead, contact the hotel directly using the phone number listed on its official website or access your reservation through the booking platform you originally used. Legitimate hotels won’t ask guests to verify payment cards through unsolicited WhatsApp links.

You can also log into the booking platform you originally used, such as Booking.com, Expedia, Airbnb, or the hotel's official website.

If there is a genuine issue with your reservation, it will typically be reflected within your account.

Report suspicious messages

If you receive a fraudulent reservation message, don’t forget to report it.

You can:

• Report the sender directly through WhatsApp.
• Block the number.
• Notify the booking platform or hotel being impersonated.
• Report the phishing attempt to relevant local authorities or consumer protection agencies.

Check suspicious links before opening them

Scammers register domains that closely resemble legitimate booking or hotel websites.

Before visiting an unfamiliar website, use Bitdefender Link Checker to scan suspicious URLs and identify potentially malicious destinations.

Use AI-powered scam detection

If you're unsure whether a reservation message is legitimate, Bitdefender Scamio can help analyze suspicious messages, screenshots, links, emails, and conversations for signs you’re dealing with a scammer.

This can be particularly useful when dealing with highly personalized scams that use real names, travel dates, and accommodation details.

Protect yourself before and during your trip

Travelers often connect to hotel Wi-Fi networks, airport hotspots, and public internet connections while accessing booking information and payment accounts.

A comprehensive solution such as Bitdefender Ultimate Security combines scam protection, advanced anti-phishing technology, VPN capabilities, malicious website blocking, malware protection, identity monitoring, and breach alerts under a single subscription.

Whether you're booking a trip from home, checking your reservation from an airport lounge, or connecting to Wi-Fi from a vacation destination, layered protection helps reduce the risk of becoming a victim.

Monitor your digital identity

One of the biggest concerns raised by this campaign is the apparent use of legitimate guest information.

Identity protection services can help alert you when personal information appears in known breaches, giving you an opportunity to secure accounts before criminals exploit the data.

Act quickly if you entered card details

If you submitted payment information on a suspicious website:

• Contact your bank immediately
• Request a replacement card
• Monitor accounts for unauthorized transactions
• Change passwords associated with travel and booking accounts
• Watch for additional phishing attempts using the stolen information