Bottom line: Cybercriminals are exploiting stolen travel booking data and WhatsApp for highly personalized phishing attacks that appear deceptively authentic and redirect to fake booking portals.
Since March 2024, cybercriminals have been conducting coordinated fraud campaigns in over ten countries, leveraging stolen booking information to send personalized WhatsApp messages. The attackers redirect victims to deceptively authentic-looking booking portals to harvest payment data.
Bitdefender Labs is currently documenting at least six active fraud waves targeting various travel providers and affecting countries including Germany, France, the United Kingdom and the Netherlands. Unlike classic phishing, these messages contain specific details about hotels, check-in and check-out dates, and reservation numbers. This personalization is based on stolen data from previous security incidents at booking platforms or hotel systems, information that cybercriminals continue to leverage months or years later.
The attackers operate exclusively via WhatsApp and create urgency by claiming that a booking must be re-confirmed or it will be cancelled. Major events such as Formula 1 races, concerts, or festivals are particularly lucrative, as travelers are under time pressure. The perpetrators deploy professional infrastructure: they frequently change Internet addresses, automatically generate domains, and employ valid TLS certificates, normally a trust signal.
For CISOs and security officers, this development is critical because it demonstrates how valuable stolen reservation data remains and how precisely attackers combine it with low-barrier attack channels such as WhatsApp. Hotels and booking platforms typically do not communicate via WhatsApp—anyone receiving such messages should contact them directly via official websites or the booking platform itself. Suspicious numbers should be blocked and the affected companies notified. Anyone who has already entered card details must immediately notify their bank, have the card blocked, and monitor account activity.
Source: www.it-daily.net · Published 19 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.1.