In This Issue
Title Story: A luxury trip to Santorini turns into a real-world espionage lesson as cybercriminals use stolen reservation data, social engineering, and spycraft tactics to scam travelers in the middle of summer vacation season.
Cybersecurity Tip of the Week: Learn the simple but critical steps spy hunters use to spot reservation scams before the trap closes and criminals exploit your travel plans against you.
AI Trend of the Week: A Harvard-led study reveals that AI may soon become medicine’s ultimate second opinion, diagnosing dangerous illnesses with startling accuracy and reshaping the future of healthcare.
Appearance of the Week: I join the Brain Shaman Podcast to break down how cybercriminals manipulate human psychology, why scams work so well, and what you can do to protect yourself online before becoming the next target.
Title Story
Summer Travel Under Siege: How Cybercriminals Weaponized Your Vacation

Claire was halfway through packing for her trip to Santorini when her phone rang. The caller ID showed the boutique hotel she had booked six months earlier, and the man on the line sounded exhausted but professional—the way hotel employees always sound when they've dealt with too many tourists and too little sleep.
“There has been a problem with your reservation,” he explained with a thick Greek accent. “Your payment authorization has failed, and the booking must be secured before midnight, or we will have to release the room.”
Claire felt the first jolt of panic, not because the request sounded strange, but because it sounded completely normal.
The caller knew everything: her arrival date, her room type, the fact that she had requested a balcony overlooking the caldera, even the bottle of champagne she had pre-ordered for her anniversary. That level of detail overcomes suspicion. It's also the oldest trick in espionage.
Most people imagine spies steal secrets through fancy gadgets and laser watches, but the reality of intelligence work is far more boring and far more dangerous. It relies on a single mechanism: trust built through accurate information. If a stranger calls claiming to be your bank, you're skeptical. If that same caller knows your mortgage amount, the last four digits of your card, your travel dates, and your wife's first name, your brain shifts gears entirely. Your defenses lower, and you stop evaluating and start cooperating. That is precisely what sophisticated criminals have figured out.
A follow-up text arrived for Claire moments later. The link looked legitimate, the branding matched the hotel perfectly, and the payment portal appeared completely authentic. She entered her credit card information while sitting on her bedroom floor, surrounded by sundresses and sunscreen. Three hours later, her bank called. Someone in Bucharest had spent $7,400 on electronics, airline tickets, and luxury handbags using her card.
Claire had never spoken to her hotel. She had spoken to a criminal armed with stolen reservation intelligence.
The Breach Is Only the Beginning
There is a hidden game behind reservation hijacking, one most people misread. The danger, in popular imagination, is the hack itself. The breach actually begins with reconnaissance. The real attack comes afterward.
In April 2026, Booking.com confirmed that unauthorized actors had accessed customer reservation data, including names, email addresses, phone numbers, booking details, and messages exchanged with properties. The company stated that financial data had not been exposed and warned affected customers about an elevated risk of phishing attacks tied directly to their reservations. That sounds reassuring until you understand that modern cybercriminals operate like spies. They no longer need your credit card number first. They only need context around your vacation plans, because context creates trust.

Travel intelligence is especially valuable to criminals because vacations create a particular kind of emotional vulnerability. Trips are expensive, time-sensitive, and emotionally charged. Travelers are distracted, excited, exhausted, and frequently making quick decisions from airports, taxis, and hotel lobbies while running on little sleep and weakened judgment. That is exactly when professional social engineers strike.
If you understand the spy game, you can see that the Booking.com incident exposed what we call targeting intelligence: the raw ingredients criminals need to impersonate hotels and travel companies with frightening accuracy. Your destination, your travel dates, your hotel, your phone number, your email address, even the messages you sent directly to the property.
Intelligence-Driven Crime
Booking.com may only be part of the problem. Microsoft recently warned about phishing campaigns targeting hospitality employees worldwide, in which attackers impersonated Booking.com itself to trick hotel staff into clicking malicious links or installing credential-stealing malware. Once criminals gain access to hotel management systems or reservation portals, they can monitor bookings in real time and contact travelers directly while posing as the hotel.
I’ve long stated that the only difference between espionage and cybercrime is the outcome. Just like spies, vacation cybercriminals conduct reconnaissance, compromise systems, study routines, learn language patterns, and then weaponize familiarity. Spies do this. Investigators do this. Now cybercriminals do it too, and at scale.
In intelligence work, accurate information is deployed specifically to lower resistance and accelerate compliance. If someone knows enough truthful details about your life, your brain stops questioning whether the conversation itself is legitimate. That is exactly why Claire handed over her card number. The criminal didn't need to hack her. He only needed to sound like someone she should trust.

The scale of the exposure is staggering. Booking.com facilitates billions of room nights annually, and every reservation creates a chain of data moving between hotels, airlines, third-party vendors, customer service platforms, loyalty programs, payment processors, and messaging apps. A single weak link anywhere in that ecosystem can expose an extraordinary amount of personal intelligence. Your reservation history tells criminals when your home may be empty, reveals your spending habits, exposes your routines, suggests your income level, identifies who's traveling with you, and even flags when you're likely to be stressed, rushed, and making decisions on autopilot.
In intelligence work, that profile is called targeting intelligence. In cybercrime, it's becoming a business model.
What to Watch for This Summer
Summer travel season is about to supercharge this problem. Families are booking cruises, graduation trips, honeymoons, and beach vacations, and every reservation confirmation sitting in an inbox is another potential breadcrumb criminals can use. The smartest scammers no longer rely primarily on fear: the urgent wire transfer, the suspended account, the frozen card. They rely on familiarity: a polite, knowledgeable caller who sounds like someone you already trust, because they've done their homework.
That is the real warning buried beneath the Booking.com headlines. Not every cyberattack begins with malware. Not every criminal needs your password. And not every scam announces itself with an obvious lie. Sometimes it begins with a phone call from someone who knows exactly where you're going, where you're staying, and how to sound genuinely helpful while stealing from you in real time.
This summer, millions of travelers are vulnerable. Most of us won’t have a clue it's happening.
Are you PROTECTED?
My new hub, PROTECT, is now live at ericoneill.net/protect and it’s built for anyone who wants to stop cybercriminal scammers cold. And it’s FREE!
If you want the full battle manual, that’s in Spies, Lies and Cybercrime. If you want to start protecting yourself right now? Begin here.
Praemonitus Praemunitus!
Cybersecurity Tip of the Week
Don’t Get Reservation Hijacked

This summer, a lot of travelers are going to get scammed.
Not this community of spy hunters!
The single most important goal of cybersecurity is not reacting during an attack. It is preparing before the attack begins and recognizing deception when it appears. Knowledge is power.
Reservation hijacking scams work because the criminals often know real details about your trip.
The key is to remember that accurate information does not equal legitimacy.
If someone contacts you claiming there is a problem with your reservation, slow down immediately. Never provide payment information, passwords, or verification codes over the phone, text, email, or messaging apps. Instead, independently contact the hotel or travel company using the official number or app you already have.
A few simple rules can dramatically reduce your risk:
Never click payment links sent through text messages or email regarding reservations.
Use the official hotel or airline app whenever possible.
Turn on multi-factor authentication for travel accounts like Booking.com, Expedia, airlines, and email.
Avoid posting detailed travel plans publicly on social media before or during your trip.
Treat urgency as a warning sign, not a reason to act faster.
If a caller pressures you to “secure your reservation immediately,” hang up and verify independently.
Spy hunters learn one critical lesson early: The attack usually begins long before the victim realizes they are under attack.
The travelers who avoid scams this summer will not necessarily be smarter than everyone else. They will simply recognize the setup before the trap closes.
Get the Book: Spies, Lies, and Cybercrime

If you haven’t already, please buy SPIES, LIES, AND CYBERCRIME. If you already have, thank you, and please consider gifting some to friends and colleagues. It’s the perfect gift for tech enthusiasts, entrepreneurs, elders, teenagers, and everyone in between.
📖 Support my local bookstore. Get a signed copy.
🎤 I’m on the road doing speaking events. If your company or organization is interested in bringing me to a stage in 2026, book me to speak at your next event.
If you’ve ever paused at an email, login alert, or message and thought, “Could this happen to me?”—my LinkedIn Learning course is for you! Log in and start learning here.
AI Trend of the Week
Your Next Doctor May Have Silicon in Its Brain

Ever watch the TV drama House, starring Hugh Laurie as the brilliant but deeply curmudgeonly Dr. Gregory House? The entire show revolved around impossible diagnoses, where one tiny overlooked clue could mean the difference between life and death. In one memorable episode, House becomes convinced a young girl is suffering from a fast-moving flesh-eating bacterial infection and prepares to amputate her arm to save her life. At the last moment, another physician intervenes and correctly determines the child actually suffers from a rare sensitivity to fluorescent lighting. The arm is saved. That episode stuck with me because it perfectly captures the terrifying reality of medicine: a diagnosis is not just an opinion. It is often the dividing line between catastrophe and survival.
Turns out AI may become surprisingly good at helping doctors make those calls.
A Harvard-led study published in Science found that OpenAI’s “o1” reasoning model diagnosed emergency room cases as well as — and in some situations better than — experienced physicians. In one particularly chilling real-world case, the AI correctly identified a dangerous flesh-eating infection that the treating doctor initially missed. Across multiple emergency room scenarios, researchers found the AI included the correct diagnosis roughly 80% of the time as additional clinical information became available. Researchers stressed that AI is not intended to replace physicians, but rather to act as a powerful assistant and second set of eyes during diagnosis.
This is one of those moments where the future quietly arrives before society fully processes what just happened. AI systems do not get tired during a twelve-hour shift. They do not suffer from stress, distraction, or ego. They can instantly compare symptoms against millions of medical datapoints in seconds. The real story is not that AI will replace doctors. The real story is that hospitals may soon deploy AI as a tireless diagnostic partner sitting beside every physician in America. And frankly, if a machine catches the flesh-eating infection before the human does, most patients are not going to care which one gets the credit.
Appearance of the Week
I joined Michael Waite on Brain Shaman to discuss how cybercriminals exploit our psychology, the evolving landscape of scams and cyberattacks, and practical ways to protect yourself online.
Stay safe out there!
~ Eric





