Alert: Traveler Phone Number Phishing Scams in the Travel Industry

As the travel industry experiences robust growth, cybercriminals are continuously evolving their tactics to target both travelers and accommodation providers. Recently, the global travel ecosystem has seen a significant increase in off-platform phishing attempts, directly impacting the reputation of service providers. This article by Hotel Link aims to provide a detailed look into this emerging scam, while offering recommendations and solutions to help hotels protect their guests and maintain data security during operations.

1. Identifying the Phone Number Phishing Scam

This form of fraud does not stem from a direct breach of central reservation management systems. Instead, bad actors exploit information from weaker links in the supply chain or compromised third-party systems where data has been leaked.

How the scam works:

Once attackers obtain a traveler’s phone number, they use popular messaging platforms (such as WhatsApp, Zalo, Viber, etc.) to impersonate hotel staff or reservation agents. They often send urgent notifications such as:

• Payment Confirmation Requests: Claiming a system error and requesting the guest to provide credit card details again or make an additional transfer to secure the booking.
• Fake Offers: Enticing guests with cheap room upgrades or add-on services, provided they pay immediately via a sent link.
• Fraudulent Links: Sending links to websites that look identical to reputable booking platforms to trick guests into entering personal information and bank account details.

The danger of this tactic lies in the accuracy of the booking details (guest name, arrival date, room type), which makes it easy for guests to trust the impersonator and follow their instructions.

2. Key Changes in Guest Data Management

To combat this situation and protect users, international booking distribution systems have begun implementing strict precautionary measures. This has led to several important changes that hotels should note:

• Restricted Display of Phone Numbers: Within partner administrative portals, the ability to view or export guests' personal phone numbers may be temporarily disabled or restricted.
• Substitution with Generic Identifiers: For reservations delivered via API connections (such as Channel Managers), actual guest phone numbers may be replaced with a generic, non-identifiable number.

While these measures may change existing communication habits, they are a necessary step to prevent data from being exploited illegally.

3. Solutions and Best Practices for Hotels

To adapt to these changes while ensuring a positive guest experience and data safety, hotels should proactively implement the following solutions:

Leverage In-Platform Messaging Systems

Most booking platforms now provide secure, in-platform messaging tools. Hotels should prioritize these channels for communicating special requests or booking confirmations. This helps:

• Verify the hotel’s identity to the guest.
• Maintain a record of transaction and conversation history for future reference.
• Avoid exposing guest personal info to unmonitored third-party messaging apps.

Review and Adjust Data Management Processes

Hotels should review departments that frequently use guest phone numbers (such as concierge, airport pick-up, or guest relations). Shift the management mindset by:

• Using the Reservation ID as the primary key for guest verification instead of the phone number.
• Accessing and using personal data only when absolutely necessary and through secured channels.

Staff Training

Employees are the most critical line of defense. Staff must be trained to recognize phishing signs and adhere to these core principles:

• Never ask for credit card information or OTP codes via personal messaging apps.
• Minimize initiating off-platform contact unless specifically requested by the guest or in a verified emergency.
• Always introduce identity and job title clearly, providing specific order details to reassure the guest.

Proactive Communication via Official Email

In cases where phone numbers are hidden, email remains the most professional and secure channel. Hotels should:

• Send a confirmation email immediately after receiving a booking, clearly stating the hotel's official communication channels.
• Explicitly warn guests that the hotel will never request additional payments via personal messaging apps.

Advise Guests via Communication Channels

Post brief notices on the hotel’s website or official social media pages to alert guests about impersonation scams. This not only protects your guests but also affirms the hotel's commitment to traveler data security.

Read more: Online Traps: Exposing Hotel Booking Scams With Hotel Link

Conclusion

Traveler information phishing is a major challenge for the global tourism industry. The tightening of phone number data management by booking partners is a necessary effort to protect the interests of both guests and hotels.

By adhering to new security standards, prioritizing official in-platform communication tools, and increasing staff vigilance, accommodation providers can maintain guest trust and ensure safe, sustainable business operations.

Protecting guest data is protecting your hotel's reputation. Partners are encouraged to review their communication processes and immediately update the security measures mentioned above. Contact Hotel Link if you require more detailed guidance!

Also read: The Hotel Booking Scam Crisis: Consequences & How To Avoid Them