Reservation Hijack Scams: How AI and System Breaches Turn Your Travel Plans into a Trap

Summary
- Identity criminals are shifting from basic travel scams to advanced “reservation hijack scams” using stolen guest data.
- The criminals are compromising hotel and restaurant systems directly, stealing names, phone numbers and reservation details.
- Scammers now use artificial intelligence and spear-phishing to generate highly personalized emails and texts that look completely real.
- Financial targets are expanding beyond apps like OpenTable to include hotel guests worldwide and high-end restaurant deposits.
- If you suspect your travel or dining reservation has been hijacked, contact the Identity Theft Resource Center for free help via text or phone call at 888.400.5530 or live chat on our company website.
What’s Happening?
The hospitality sector has long been a major target for identity criminals, but the threat has evolved beyond simple robocalls. In a recent discussion between Identity Theft Resource Center President James Lee and Luis Corrons from Threat Labs, experts sounded the alarm on a massive global spike in hotel and restaurant reservation breaches. Hundreds of millions of users worldwide are now at risk as bad actors bypass consumers entirely to attack hospitality staff credentials and internal systems.
Once inside a system, the scam becomes a multi-layered trap. Instead of generic phishing messages, bad actors use the stolen reservation data alongside AI to create highly personalized spear-phishing attacks. For example, in a recent investigation, attackers compromised hotels in Europe, stealing the precise information of 1,000 reservations to send hyper-targeted messages directing guests to fake payment portals.
This financially motivated trend is hitting small-to-medium, independently owned boutique hotels and high-end restaurants the hardest. Scammers have also set up fake websites in search results, a tactic recently spotted targeting luxury dining in Spain and popping up in places like New York during Restaurant Week, tricking diners into paying steep, non-existent “reservation deposits” directly to fraudsters.
Who Are the Targets?
Travelers and diners: anyone booking hotel accommodations online, making restaurant reservations through platforms like OpenTable, or searching Google for popular local dining spots. One-time travelers staying at an unfamiliar hotel are at a uniquely high risk, as they are less likely to recognize what an official communication from that specific property should look like.
What is a Reservation Hijack Scam?
The scam takes two primary paths:
- The Hijack: After making a real hotel or dining reservation, you receive a text, WhatsApp message or email that looks identical to the business’s official branding. Using AI-generated copy, it greets you by name, references your exact booking dates and claims you must click a link to verify your credit card, pay a deposit or claim a “refund” due to a system error. The link leads to a cloned phishing page designed to steal your financial data.
- The Cloned Website: When searching for a popular restaurant or hotel online, you accidentally click on a fraudulent, copycat website dominating the search results. The site requires an upfront credit card deposit (often around $100/100 euros per person) to secure a table or room that does not exist.
What They Want
Identity criminals want your credit card numbers, banking details and credentials to drain your accounts, commit financial identity theft or sell your validated data on the dark web.
How to Avoid Being Scammed
- Don’t Trust the Context: Just because a caller or an email knows your name, arrival date and room type does not mean they are legitimate. AI and data breaches allow scammers to mimic official staff perfectly.
- Go Directly to the Source: If you receive a message demanding immediate payment or card verification to hold a reservation, do not click the link. Hang up or close the app, and call the hotel or restaurant directly using a number found on their official, verified website—not the number provided in the suspicious message.
- Watch for Deposit Red Flags: Be highly skeptical of restaurants or independent hotels suddenly requiring steep, per-person electronic deposits through unverified links or search engine results. OpenTable, for example, typically only requires your name, email and phone number for standard bookings.
- Report and Secure Your Accounts: If you receive a fraudulent OpenTable text or email, report it to [email protected]. If you encounter a broader travel scam, report it to the Federal Trade Commission (FTC) at ftc.gov. For peace of mind, update your booking platform passwords to passkeys or unique, 12+ character passphrases.
Contact the ITRC
If you believe your reservation has been hijacked, if you have paid a deposit to a fraudulent website, or if you are worried that your personal data was exposed in a hospitality breach, the ITRC is here to help. Our expert advisors will provide a customized roadmap to secure your financial identity.
ITRC services are always FREE. You can speak with an advisor toll-free by phone or text at 888.400.5530 or via live chat at www.idtheftcenter.org.
This blog was created on 7/5/2023 and was updated on 6/25/2026.