A few weeks ago I wrote about the Booking.com breach and the part the official notification didn’t explain:

when a breach includes booking details specifically, the follow-on scam isn’t generic phishing. It’s targeted.

A scammer with your name, your hotel, and your travel dates can reach out in a way that feels completely legitimate, because the details are real.

Since then I’ve had people ask some version of the same question.

How do I know if a message from my hotel is real? How do I verify without getting it wrong?

That’s the right question. Unfortunately it’s also the wrong moment to be asking it.

In this post I'm going to walk through a pre-booking privacy protocol that actually reduces your exposure before anything goes wrong. Most of it is straightforward. One tip comes from a travel insider friend that turns out to have a privacy benefit nobody talks about.

By the Time You Get the Message, It’s Too Late

By the time someone sends you a message referencing your reservation at your hotel, the hard part of the scam is already done. The attacker has what they need. Your vigilance at the point of contact still matters, such as catching the payment method requests, the urgency pressure, the slightly-off domain name. But it’s a last line of defense operating after the window for real prevention has closed.

Researchers at Sekoia documented a campaign in 2025 in which attackers compromised hotel staff credentials and used that access to contact guests directly over WhatsApp and email, with accurate reservation details in hand. The cover story was a routine verification procedure.

It was convincing because the details were real. That campaign predates the Booking.com breach, which means the data exposure problem isn’t specific to one platform or one incident.

The Scale of the Problem is Noteworthy.

According to the FTC, there were more than 58,000 reports of travel, vacation, and timeshare fraud in 2024 totaling $274 million in losses. That almost certainly undercounts the actual number, since most fraud goes unreported.

AI has made the identification problem meaningfully worse. The old tells like awkward phrasing, generic salutations, obvious typosquatting have been largely neutralized. What researchers from iSeatz and Carnegie Mellon have both flagged is that urgency remains one of the more reliable signals, but it’s a thin thread to hang your security on when everything else about the message looks right.

Voice cloning technology now allows attackers to impersonate airline representatives using voice samples pulled from publicly available customer service recordings. Click-to-call ads on mobile search results can route you directly to a scammer posing as your airline without any visible indication something is wrong. The technical sophistication of these attacks is increasing faster than most people’s awareness of them.

The Window Most People Don’t Use

Here’s what I think gets missed in most coverage of this topic. Every article I’ve read (and I’ve read a lot of them recently) focuses on how to recognize a scam when it arrives.

• Check the domain.

• Look for urgency.

• Call the hotel back using a number from the official site.

All of that is correct. But it treats the moment of contact as the starting point.

It isn’t.

There’s a window between when you decide to travel and when you finalize your reservation, and the decisions you make in that window determine how much information is circulating about you when something eventually goes wrong. Travel platforms know a surprising amount:

your name, email, phone number, travel dates, specific property, number of guests, special requests, payment method, and in many cases device and IP data.

That information sits in their systems long after your trip ends, feeding loyalty programs and in some cases data-sharing arrangements you didn’t explicitly agree to.

What you hand over, and to how many different systems, is something you can actually influence, but only before you confirm.

Most people never think about it until a suspicious message lands.

The Pre-Booking Protocol

None of this requires technical expertise. It’s a set of small decisions made earlier in the process than most people consider. Including this first tip from a long time friend in the hospitality industry.