Travelers’ personal and booking information from hundreds of hotels worldwide has been compromised, according to new findings. Cybercriminals are now using this data in highly targeted spear-phishing attacks, increasing the likelihood that victims will click on fraudulent links and reveal sensitive information such as credit card numbers.
The analysis by security company Norton revealed that at least 350 hotels in 50 countries are involved in these reservation hijacking scams. The researchers found that phishing websites included hotel names, specific check-in and check-out dates, and varying prices for each victim. This customization makes the attacks more convincing.
The data suggests Germany has the highest number of potentially compromised accommodations, followed by France, the UK, Italy, Spain, and the US. Most hotels are small to medium-sized establishments with a capacity for around 80,000 guests at their peak. Hackers obtain booking details through various means, including phishing messages or third-party booking services.
Phishing kits are continually updated to stay one step ahead of security measures, and they can impersonate global brands and trick millions of people into clicking malicious links each month. In December last year, Norton began investigating hotel-linked fraud after identifying a convincing phishing message sent via WhatsApp from an account mimicking Booking.com.
While Norton could not pinpoint every attacker, it noted that phishing messages often used hotel staff as intermediaries. Smaller hotels are less likely to have robust security practices in place, such as multifactor authentication for staff members. The hospitality industry must collectively raise its security baseline through better training and tighter controls on guest data access.







