Net-Defence warns travel scams grow more convincing
Fri, 10th Jul 2026 (Today)
Net-Defence has warned that holiday travel scams are becoming more convincing as cyber criminals use real customer data and trusted communication channels. The warning follows the recent Booking.com security incident.
According to the cyber security firm, attackers are moving away from generic phishing emails and towards targeted messages built around genuine reservation details. Access to names, email addresses, telephone numbers and travel booking information can make fraudulent contact appear credible, even when payment card data has not been exposed.
Booking.com confirmed in April that unauthorised parties accessed customer reservation data, including contact details and travel booking information. Net-Defence warned that this kind of non-financial data can still be used to build highly persuasive scams tied to specific trips, hotels and travel dates.
The latest case shows how fraud is shifting from broad, low-accuracy campaigns to trust-based attacks that use authentic information in real time. Criminals can use legitimate booking references, accommodation details and arrival dates to time messages around payment requests, booking changes or cancellations.
That creates a different challenge for consumers and businesses alike. Messages containing genuine travel details may no longer resemble the poorly written phishing attempts many users have been trained to spot. In some reported cases, scam messages were delivered through legitimate Booking.com messaging channels.
"What makes this incident particularly concerning isn't simply that customer information was accessed, it's how that information can be weaponised. When criminals know your destination, your hotel and your travel dates, they can create scams that feel entirely legitimate. Cybercriminals are increasingly exploiting trust rather than technology. They're using genuine customer data, recognised brands and legitimate communication channels to bypass traditional security awareness. That represents a significant evolution in the threat landscape and changes how organisations need to think about cyber resilience," said Debra Cairns, Managing Director, Net-Defence.
Supply chain risk
Industry reports have suggested the compromise may have come through hotel or accommodation partner accounts connected to the wider Booking.com network, rather than through the company's core systems. If confirmed, the incident would add to a growing list of supply chain breaches in which attackers use a trusted third party to reach a wider ecosystem.
Net-Defence said this reflects a broader issue for modern organisations, many of which depend on cloud providers, software suppliers, outsourced IT firms and payment processors. In that environment, any external partner with access to systems or sensitive information becomes part of the security boundary.
"Even security-conscious individuals can struggle to identify these attacks because the information contained within the messages is genuine," said Cairns.
Many organisations have focused heavily on their own infrastructure while paying less attention to weaknesses introduced through suppliers. That imbalance matters more as businesses share more data and operational access across interconnected platforms.
"Many organisations invest heavily in protecting their own infrastructure but spend considerably less time understanding the risks introduced by suppliers and service providers," said Cairns.
Travel exposure
The timing of the warning is significant because the summer travel period creates a large pool of targets whose plans can be used against them. Fraudsters can send realistic messages asking travellers to confirm payment, resolve booking issues or follow links to payment portals that mimic legitimate services.
Net-Defence said the risks extend beyond direct financial loss. Travel information can reveal when someone is away from home, while compromised personal devices or accounts may also expose business systems if employees use the same equipment or credentials for work.
That overlap between personal and corporate exposure is becoming harder to ignore as remote working, mobile access and blended device use remain common. A scam that begins with a holiday booking can, in some cases, lead back into the workplace if attackers gain access to a business email account or corporate login details.
"People don't stop being cyber targets when they leave work. Employees travelling for business or booking personal holidays remain attractive targets. If a personal device, business email account or corporate credentials become compromised, the consequences can quickly extend back into the workplace. Security awareness needs to extend beyond office walls," said Cairns.
Broader review
Net-Defence said organisations should review supplier assurance, phishing defences and incident response arrangements in light of more tailored attacks. It also pointed to multi-factor authentication, ongoing staff training and monitoring for unusual activity as practical measures to reduce exposure.
The broader message is that cyber resilience now depends on understanding not only internal systems but also the risks introduced by external partners. As more commercial activity moves through shared digital platforms, trust itself has become an attack surface.
"Cyber resilience is no longer simply about protecting your own network, organisations need visibility across their entire digital supply chain. Businesses that regularly assess supplier risk, continuously monitor their environments, educate their people and prepare for incidents before they happen will be significantly better positioned as cyber threats continue to evolve. The organisations that thrive will be those that recognise trust has become one of the most valuable and most targeted assets they possess," said Cairns.