Australian travellers are being left out of pocket and fearful their personal data has been stolen amid growing concerns over the security of online travel bookings.
A cybersecurity expert says travel booking information has become a lucrative target for criminals, with stolen data traded and shared on the dark web before it is used in highly targeted scams.
After a data breach revealed by Booking.com in April, ABC News has been contacted by dozens of travellers who say they have been caught up in phishing scams involving fake hotel messages on WhatsApp and emails that contained their personal details and booking information.
"Travel booking data is highly valuable because it contains detailed information about a traveller's identity, movements and finances," cybersecurity expert Professor Daswin de Silva said.
"There's an assumption that people who travel have financial capacity, which makes them appealing targets for cybercriminals."
'Everything looked real'
Western Australian traveller Grant Holman said he was targeted by a sophisticated scam soon after booking accommodation for a trip to Africa.
The Mandurah resident, a long-time member of Booking.com and a "Genius" loyalty member, said the scam messages appeared legitimate and included highly specific details from his reservation in Addis Ababa.
"It had all the correct information, including the booking reference and PIN," Mr Holman said.
"The urgency was extreme. I was told I only had a few hours to act or my booking would be cancelled."
Mr Holman said he received more than 10 near-identical messages urging him to confirm payment details or risk cancellation and penalty fees.
He said some messages were sent both to his email address and on the Booking.com platform.
"Either the scammers have access to your systems or something has gone wrong somewhere," he said.
"I've lost confidence in their ability to keep my data secure."
Melbourne traveller Meththa de Silva said he almost fell victim this week to a sophisticated WhatsApp phishing scam that used detailed information from a Booking.com reservation for his coming trip to Vietnam.
"The message was pretending to be from the hotel asking me to make the payment. It had my name, hotel name, travel dates and the due fees," Mr de Silva said.
"I provided the details but the transaction didn't go through, and that's when I realised it was a phishing attack."
He has now cancelled his credit card, just days out from his Vietnam holiday, and has lodged a complaint with the Office of the Australian Information Commissioner.
"I sent all the details to Booking.com customer service and they haven't responded and didn't give me any advice," he said.
"There doesn't seem to be any consequences for these multinational companies. Australian law can't touch them."
Inside a more sophisticated scam
Booking.com contacted customers in April warning that their personal details might have been accessed by "unauthorised third parties".
Professor de Silva, from La Trobe University, said online travel platforms relied on millions of hotels, operators and smaller providers worldwide, many of which might not have robust cybersecurity systems in place.
"The weakest link is often the third-party supplier," Professor de Silva said.
He said scammers often targeted frontline staff, such as hotel receptionists, with convincing emails to gain access to booking systems.
"It only takes one employee to click a malicious link or open an attachment," he said.
"From there, attackers can access booking systems and extract customer data."
He said the information was valuable because it was precise, time-sensitive and could be exploited immediately.
"In many ways, we're conditioned to overshare in travel," he said.
Travellers left scrambling
National figures compiled by the ABC show at least 842 complaints were made about Booking.com to state and territory consumer bodies over the past two years, though the true number will be higher since not all states disclosed relevant data.
The complaints vary from refund battles to last-minute cancellations.
Tourism expert Professor Daniel Gschwind, from Griffith University, said travellers were navigating an increasingly complex online environment shaped by digital platforms, fake reviews and AI-generated content.
"Even hotel reviews are becoming harder to trust," Professor Gschwind said.
"Some may not even be written by humans."
He said uncertainty around bookings, cancellations and scams had led some Australians to return to "old-fashioned travel agents".
A Booking.com spokesperson said the company was "dedicated to the security and data protection of our travellers and partners".
"If travellers receive suspicious messages, emails or phone calls, these could be from malicious actors pretending to represent the accommodation or Booking.com," the spokesperson said in a statement.
"We will continue to enhance and extend our robust security measures to protect both travellers and partners.
"We recommend that travellers remain vigilant and, where possible, set up security protocols (such as two-factor authentication) on their devices to keep them safe from phishing attempts."
How travellers can protect themselves
Cybersecurity expert Professor de Silva has these recommendations for travellers:
Enable multi-factor authentication on booking accounts.
Avoid sending copies of passports or government-issued identification unless necessary.
Use a low-balance debit card or temporary payment card for travel bookings.
Limit the amount of personal information shared with hotels and booking providers.
Be cautious about sharing extra details through booking platform chat functions.
Delete old booking records and travel history where possible.
Treat emails or messages demanding urgent payment as suspicious, even if they contain genuine booking details.
