The Hotel That Wasn't Calling
You booked a hotel room in Luxembourg. A few days before your stay, a message arrives. It looks like it comes from the hotel, through Booking.com's own messaging system, or perhaps a WhatsApp from an international number. They need you to confirm your credit card details to guarantee the reservation. You click, you type, you move on with your day. A few hours later, charges you never authorized start appearing on your statement.
This is not hypothetical. HORESCA, Luxembourg's federation of hotels, restaurants, and bars, issued a warning this week about exactly this kind of phishing campaign targeting hotel guests[1].
How It Works
The scammers contact guests who have already made a reservation, which means they have access to real booking data. They pose as hotel staff and ask guests to update or confirm their credit card details to complete or guarantee the booking. The messages arrive through channels that feel legitimate: some via WhatsApp from international numbers, others directly through the Booking.com messaging system[1].
Using Booking.com's own messaging system is the part that should worry everyone. When a phishing message arrives in the same chat interface where you have been communicating with the actual hotel, the trust barrier is almost zero. You have no reason to doubt it. That is not a user error; that is a platform failure.
The Lighthouse Connection
HORESCA noted that several affected hotels use channel management software from Lighthouse, a company specializing in hotel management software[1]. No direct technical breach has been confirmed yet, but the frequency of reported cases is enough that HORESCA felt compelled to raise the alarm.
Lighthouse responded quickly after being contacted and provided explanations, which is better than silence. But "no confirmed technical connection" is not the same as "no connection." The pattern (multiple hotels using the same platform, overlapping timing) suggests something systematic rather than coincidental. Whether that turns out to be a data leak, an API compromise, or something else entirely remains to be seen.
What Makes This Different
Phishing is not new. What makes this campaign notable is the integration with legitimate booking platforms. Most phishing relies on spoofed emails or fake websites. This campaign appears to use the real messaging infrastructure that hotels and guests already trust. The message does not come from a random Gmail address. It comes through the same system where you discussed your late check-in.
For a small country like Luxembourg, where the hospitality sector is a significant part of the economy, this kind of targeted attack is particularly damaging. Trust is the product hotels sell. When that trust gets weaponized through the very platforms designed to facilitate it, the damage compounds.
What to Do
HORESCA's advice is straightforward: never provide payment details or update banking information in response to an unsolicited message, even if it looks like it comes from your hotel. If you are asked to confirm card details, call the hotel directly using the official phone number from their website, not from the message you just received[1].
For hotels, HORESCA asks affected establishments to report incidents both to HORESCA and to CIRCL, Luxembourg's Computer Incident Response Center[2]. Centralizing reports will help determine the scale and whether there is a common vulnerability being exploited.
The broader lesson is one I keep coming back to: the most effective attacks do not bypass security, they co-opt it. The best phishing does not look like phishing. It looks like customer service.