In recent months, sophisticated phishing attacks were launched on the hospitality sector in Europe via fake Booking.com e-mails and a “Blue Screen of Death” type threat vector (BSoD) to entice hotel personnel to download malware. This phishing campaign was reported by cybersecurity professionals on January 7, 2026. The phishing campaign is one of many examples of how sophisticated social engineering tactics are being used to target companies that utilize well-known brands in the travel industry.
Phishing emails at the heart of the attacks: How did they do it?
Phishing emails, sent by attackers, claimed to be from Booking.com, citing urgent booking details or confirming payment. These emails contained a link that, when clicked by the recipient, would redirect to a malicious website that appeared to be a valid Booking.com website. The phishing emails utilized Booking.com’s branding and language to instill a sense of urgency. In addition, the emails instructed hotel employees to review their booking details immediately to avoid cancellation or penalty.
Clicking the link in the phishing email will cause a file to download, labeled as a booking confirmation. When the employee opens the file, a fake BSoD screen appears, stating that the computer system crashed and requires immediate repair. The purpose of the BSoD is to intimidate the employee into contacting the “support number” provided on the screen.
Due to the reliance of hotels on online booking platforms, hotels represent an attractive target for phishers who wish to impersonate booking companies. According to HelpNetSecurity, the attackers are taking advantage of the trust that hotel employees have in Booking.com communications. Additionally, the phishing campaign is targeting European hotels, where Booking.com is commonly utilized for reservation purposes.
The vulnerable hospitality industry was an easy target for hackers
The hospitality industry is also vulnerable due to the fact that hotel staff typically receive high volumes of booking-related emails daily.
What can be attacked?
When the malware is installed on a victim’s computer, the attackers can execute numerous malicious actions, such as:
- Credential Theft: Capture login credentials to booking platforms and/or the employee’s internal hotel systems.
- Network Access: Provide the attackers with lateral movement capability within the hotel network.
- Data Exfiltration: Extract customer information including payment information from the hotel network.
- Ransomware Deployment: Lock down hotel systems and demand money for restoring access to the systems.
The use of the BSoD screen represents a psychological tactic, utilizing fear and urgency to encourage compliance
An attack that is difficult for employees to identify
This phishing scheme is a combination of traditional phishing and tech-support scams, making it much harder for employees to identify the attack.
To reduce exposure to this type of phishing, the following recommendations are made by cybersecurity experts:
- Employee Training: Educate hotel employees on the importance of verifying booking emails through authorized Booking.com channels and never click on links in suspicious emails.
- Multi-Factor Authentication: Add additional security features to booking platform accounts.
- Advanced Endpoint Protection: Install advanced antivirus and monitoring tools to protect computers from malicious downloads.
- Incident Response Plans: Develop plans to quickly respond and recover in the event of a breach.
Booking.com has notified all of its partners regarding this phishing campaign, recommending that any suspicious communication be confirmed directly through the Booking.com website instead of responding to links in the email.
This phishing campaign serves as an example of the continuous evolution of phishing schemes
Phishing schemes are combining the use of brand impersonation with psychological manipulation to develop new methods of attacking the trust between customers and service providers. Cybersecurity experts predict that this type of phishing campaign could expand to hotels throughout the world. Until then, the most effective method of preventing this type of attack is through awareness and pro-active security measures.
Disclaimer: Our coverage of events affecting companies is purely informative and descriptive. Under no circumstances does it seek to promote an opinion or create a trend, nor can it be taken as investment advice or a recommendation of any kind.
