TechChannels Blog

Global Hospitality Under Attack: How a Phishing Plot Exploits Trust and Speed

Written by Maria-Diandra Opre | Apr 17, 2025 12:00:00 PM

The hospitality industry has become the latest target of a sophisticated phishing campaign that leverages advanced social engineering techniques to exploit human psychology. In a coordinated cyber deception, threat actors have been impersonating Booking.com to target hotels across North America, Oceania, Asia, and Europe. Identified by Microsoft’s Threat Intelligence team as the work of a group dubbed Storm-1865, the campaign began in December 2024 and remains active (SecurityWeek, 2025). Their objective: deceive hospitality professionals into unknowingly installing malware that steals financial data and login credentials.

Attackers initiate contact through emails that appear to originate from Booking.com, referencing urgent topics such as negative guest reviews, account verification, or promotional offers. These messages include links or PDF attachments that direct recipients to fraudulent Booking.com webpages.

Once there, victims encounter a fake CAPTCHA page—a technique known as ClickFix. This method plays on users' instinct to resolve a perceived problem: the page instructs them to open the Windows Run dialog (Win + R), paste a command from their clipboard, and execute it. Running that command downloads malware strains including XWorm, Lumma Stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT—all capable of harvesting sensitive data.
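The ClickFix chain above leaves a recognisable trace on the endpoint: the user's shell (explorer.exe, which hosts the Run dialog) directly spawns a script interpreter whose command line points at a remote URL. The following detection, an added example rather than anything from the article or from Microsoft's report, scores constructed Sysmon-style process-creation records for that pattern; the field names, paths and sample events are assumptions made for the example.

```python
import re

# Interpreters commonly launched from the Run dialog in ClickFix lures.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe",
                "cmd.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_clickfix_like(event: dict) -> bool:
    """True when explorer.exe (the Run dialog host) starts a script
    interpreter whose command line references a remote URL."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    return (parent == "explorer.exe"
            and image in INTERPRETERS
            and URL_RE.search(cmdline) is not None)


def find_clickfix_events(events: list[dict]) -> list[dict]:
    """Filter a batch of process-creation records down to the suspicious ones."""
    return [e for e in events if is_clickfix_like(e)]


# Constructed sample events (not real telemetry); host names and URLs are placeholders.
SAMPLE_EVENTS = [
    {"User": "HOTEL\\frontdesk",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -NoProfile -Command \"... http://captcha-check.invalid/verify ...\""},
    {"User": "HOTEL\\frontdesk",               # benign: Run dialog opening a text file
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\frontdesk\\shift-notes.txt"},
    {"User": "HOTEL\\itadmin",                 # benign: script run from an IDE, not the shell
     "ParentImage": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -File deploy.ps1 -Source https://intranet.invalid/pkg"},
]

if __name__ == "__main__":
    for hit in find_clickfix_events(SAMPLE_EVENTS):
        print(f"ALERT {hit['User']}: {hit['CommandLine']}")
```

Because explorer.exe is also the parent of anything double-clicked on the desktop, expect to tune this with exclusions for known-good scripts before alerting on it in production.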

Storm-1865 has a track record of similar activity. In 2023, the group targeted hotel guests by impersonating Booking.com. In 2024, they shifted to phishing e-commerce customers through fraudulent payment pages. Their adoption of ClickFix marks an evolution in technique—refined to bypass traditional security controls and exploit trust in familiar service providers (Asian Hospitality, 2025).

Booking.com has stated that its systems have not been breached, though it is aware of phishing attempts affecting some partners and customers. The company reiterates that it will never request payment information via email, chat, text, or phone.

By mimicking legitimate interfaces and exploiting the human instinct to “fix” issues quickly, attackers have created a phishing strategy that is not only convincing but increasingly difficult to detect. This underscores the need for organizations to reassess their defense posture—especially in sectors where frontline employees may not have advanced cybersecurity training.

Even in an increasingly digital world, the human element remains both the greatest vulnerability and the strongest defense. With continued vigilance and security education, the hospitality industry can better navigate today’s evolving threat landscape.