How OTA Account Takeover Fraud Is Draining Hotel Revenue Through Chargebacks, Fraudulent Refunds, and Loyalty Liability


When a guest’s money disappears twice, once to the hotel and once to a fraudster using the hotel’s own booking account, the question the industry has not settled is who owns the loss.

Account takeover fraud targeting OTA hotel accounts is no longer a periodic incident; it is an industrialised revenue drain that sits directly on a property’s P&L through chargebacks, fraudulent refunds, and the accelerating erosion of loyalty program value. In 2025, cybersecurity firm Sekoia documented a coordinated campaign, active since at least April of that year, in which attackers used compromised hotel extranet credentials on Booking.com, and later on Expedia, Airbnb, and Agoda, to contact confirmed guests with payment requests that appeared entirely legitimate, because they were sent using real reservation data from real hotel accounts. Guests paid twice: once to the hotel, once to the criminal. The hotel, which had already delivered the room, received the chargeback.

For a general manager or revenue manager, the commercial logic of this threat is not complicated. The OTA provides volume and visibility; you accept that its commission structure compresses margin. What is less clearly priced in is the separate cost exposure that opens the moment your extranet account becomes the attack vector. The guests are not calling you when they get a payment verification message through Booking.com’s own app. They assume it is real. And when they discover it is not, the dispute comes back to your merchant account, your fraud loss line, and your relationship with a guest you may never recover.

1. The Extranet as the Attack Surface


Booking.com, Expedia, and comparable OTA platforms provide hotel partners with extranet access: a management portal through which properties control rate and inventory, communicate with confirmed guests, and update reservation status. That access is precisely what organised fraud groups spent 2025 acquiring at scale.

Sekoia’s investigation exposed an extensive underground marketplace built around the hospitality sector. Compromised Booking.com credentials, including admin cookies and session tokens, are openly traded on Russian-speaking cybercrime forums such as LolzTeam, Exploit.in, and WWHClub. A stolen session cookie is worth more than a password: replaying it logs the buyer in as the hotel without the password and, in most deployments, without whatever second factor the account has enabled. Prices range from a few dollars for generic logs to several thousand for high-value accounts managing multiple hotels. Some threat actors even operate Telegram bots to buy Booking logs in bulk, offering profit-sharing models to traffers, the distributors who specialise in steering victims from social networks and search results to the credential-stealing malware that produces those logs.

Sekoia.io assessed with high confidence that clients who fell victim to this fraudulent scheme paid twice for their reservation: once at the hotel and once to the cybercriminal. The adversary infrastructure revealed hundreds of malicious domains active for several months as of October 2025, demonstrating a resilient and likely profitable campaign.

What makes this commercially significant for the hotel is that the attack does not compromise the hotel’s banking system, its PMS, or its own website. It compromises the hotel’s position as a trusted intermediary in the OTA relationship. The hotel’s account becomes the credibility vehicle. The guest trusts the message because it arrives through the channel they used to book, with data only the hotel could have. When the fraud is discovered, the hotel is positioned, in the mind of the guest and often in the dispute process, as the entity that failed to protect them.

The operation did not stay on Booking.com. Later in 2025 the same actor network began targeting Expedia, Airbnb, and Agoda credentials using the same methods, and Sekoia analysts assessed with high confidence that the modus operandi extends across accommodation booking platforms as the criminals broadened targeting to maximise profits.

The commercial consequence is immediate. When a guest who was defrauded through the hotel’s compromised account disputes the charges connected to the booking, any charge the hotel itself captured lands on the property, not the OTA. The OTA retains the commission on the original booking. The hotel absorbs the chargeback cost, the dispute administration, and, if the guest had already checked in, the full cost of a stay it provided and cannot recover. ATO-related chargeback losses run 76% higher than typical chargebacks, according to Equifax’s analysis of its global data network spanning 65 billion transactions across 16,000 merchants and 75 industries.

What to watch: The fraud market supporting these operations is structured and growing. The threat actor moderator_booking claims their team has earned over $20 million from this fraud model, which has expanded to target Expedia, Airbnb, and Agoda platforms. Sekoia analysts assess with high confidence that this profitable cybercrime ecosystem will continue targeting the hospitality industry through increasingly sophisticated techniques. Hotels operating on high-volume OTA channels, particularly those in gateway cities and peak-season markets where advance reservation data is dense and available for extended periods, represent the most commercially attractive targets.

2. The Chargeback Liability Gap That OTA Bookings Create


The structural tension between OTA distribution and chargeback risk predates the extranet fraud campaigns of 2025, but the fraud surge has made it acute. When a guest books through an OTA, the platform collects the guest’s payment card data and processes the transaction. What the hotel receives is the minimum information required to fulfil the reservation: typically a name, dates, and a virtual card number. The guest’s verified email, identity documentation, and card details remain with the OTA.

This asymmetry matters when a dispute arises. The hotel is expected to prove the guest stayed, yet the evidence a card issuer weighs most heavily (the cardholder’s verified contact details, the card data, the authorisation trail) sits with the OTA, which is built for volume and passes on only what fulfilment requires. The property fights the dispute with its own records alone: folio, registration card, check-in time, and whatever ID check the front desk recorded.

The cost multiplier is material. In hospitality, the total cost of a single chargeback dispute, including lost revenue, processing fees, and administrative overhead, runs approximately 3.75 times the original transaction value. Chargeback penalties per dispute typically range from $15 to $100, independent of the booking value.

There is an additional layer of exposure that emerged directly from the 2025 fraud wave. In the documented “I Paid Twice” campaigns, the guest pays the hotel legitimately and also pays the fraudster. The hotel receives its revenue from the first transaction. But when the guest disputes the second, illegitimate transaction with their bank, the dispute documentation references the legitimate booking, and it is not always clear which charge is being contested. Properties have reported being drawn into dispute processes for transactions they did not initiate, with no straightforward resolution path. The one record the property does control is its own: whether its merchant account ever captured the disputed amount, under which billing descriptor, and against which reservation.
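A worked illustration of that triage, added here and not part of the original article or any OTA’s or processor’s tooling: it takes a constructed list of the property’s own settlement records and a constructed list of dispute notices, and sorts each notice into a charge the hotel captured (answer with the folio and check-in evidence), a “paid twice” charge the hotel never processed (answer that this merchant did not capture it), or a case needing manual review. The record layouts, field names, descriptors and the three-day matching window are assumptions.

```python
"""Triage of dispute notices against a property's own settlement records.

Added example. Field names, sample values and the matching window are assumptions,
not any acquirer's or OTA's actual dispute format.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Settlement:
    """One charge the hotel's own merchant account actually captured (assumed layout)."""
    txn_id: str          # processor transaction reference
    amount: float
    captured: date
    descriptor: str      # billing descriptor the cardholder sees on the statement
    reservation: str     # PMS confirmation or OTA booking reference


@dataclass
class Dispute:
    """A dispute or forwarded refund request as the property receives it (assumed layout)."""
    case_id: str
    amount: float
    charge_date: date
    descriptor: str
    reservation_hint: str  # reference quoted by the cardholder; often the legitimate booking


@dataclass
class Triage:
    case_id: str
    verdict: str                       # "hotel_captured" | "not_captured" | "review"
    matched_txn: Optional[str] = None
    notes: list[str] = field(default_factory=list)


def triage_dispute(d: Dispute, settlements: list[Settlement], window_days: int = 3) -> Triage:
    """Classify one dispute notice using only the property's own capture records."""
    def same_amount(s: Settlement) -> bool:
        return round(s.amount, 2) == round(d.amount, 2)

    def within_window(s: Settlement) -> bool:
        return abs((s.captured - d.charge_date).days) <= window_days

    # Exact match on amount, date window and descriptor: the property really captured it.
    exact = [s for s in settlements
             if same_amount(s) and within_window(s)
             and s.descriptor.casefold() == d.descriptor.casefold()]
    if exact:
        s = exact[0]
        t = Triage(d.case_id, "hotel_captured", s.txn_id)
        t.notes.append(f"Captured by the property for reservation {s.reservation}; "
                       "respond with folio, registration card and check-in record.")
        return t

    # The cardholder quotes a reservation we hold, but we never captured this charge:
    # the 'paid twice' pattern, where the second payment went to the fraudster.
    ours = [s for s in settlements if s.reservation == d.reservation_hint]
    if ours:
        t = Triage(d.case_id, "not_captured")
        t.notes.append(f"Reservation {d.reservation_hint} exists; the property's only capture "
                       f"was {ours[0].txn_id} for {ours[0].amount:.2f} on {ours[0].captured}.")
        near = [s for s in ours if same_amount(s) and within_window(s)]
        if near:
            t.notes.append("Amount and date coincide with our capture under a different "
                           "descriptor: the guest likely disputed the duplicate payment.")
        t.notes.append("Respond that this merchant did not process the disputed charge.")
        return t

    t = Triage(d.case_id, "review")
    t.notes.append("No capture and no matching reservation; escalate for manual review.")
    return t


SETTLEMENTS = [  # constructed sample data
    Settlement("ACQ-7781", 412.00, date(2025, 6, 2), "HOTEL RIVERSIDE", "BK-551203"),
    Settlement("ACQ-7790", 95.50, date(2025, 6, 3), "HOTEL RIVERSIDE", "BK-551210"),
]

DISPUTES = [  # constructed sample notices
    # Guest disputes the charge the hotel genuinely captured.
    Dispute("CB-1", 412.00, date(2025, 6, 2), "HOTEL RIVERSIDE", "BK-551203"),
    # 'Paid twice': real booking quoted, but the disputed charge carries the fraudster's
    # descriptor and the property never captured it.
    Dispute("CB-2", 412.00, date(2025, 6, 1), "BOOKING-VERIFY*PAYMENT", "BK-551203"),
    # Nothing matches at all.
    Dispute("CB-3", 250.00, date(2025, 6, 9), "HOTEL RIVERSIDE", "BK-999999"),
]


def run_sample() -> dict[str, str]:
    """Triage the constructed notices and return case_id -> verdict."""
    return {d.case_id: triage_dispute(d, SETTLEMENTS).verdict for d in DISPUTES}


if __name__ == "__main__":
    for d in DISPUTES:
        t = triage_dispute(d, SETTLEMENTS)
        print(t.case_id, t.verdict, t.matched_txn, *t.notes, sep="\n  ")
```

The descriptor comparison is the load-bearing check: a fraudster’s charge can match the legitimate booking on amount and date exactly, because it was priced from the real reservation, so amount and date alone cannot separate the two.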

The P&L exposure sits across at least three lines: direct chargeback losses, dispute processing costs, and the upstream revenue impact if a defrauded guest declines to return or posts reviews blaming the property. Research from Sift found that three-quarters of consumers say they would stop using a site after experiencing an account takeover, and 87% would share the incident with others, amplifying reputational damage over time. That reputational cost does not appear on any chargeback statement but compounds acquisition costs across subsequent booking windows.

What to watch: The direct booking trend exposes operators to full liability in a specific and underappreciated way. OTA bookings carry a commission cost of 15-25%, and where the OTA collects the guest’s payment it is the merchant of record on that transaction and absorbs most of the chargeback risk attached to it. Direct bookings carry zero commission, but 100% of fraud exposure falls on the operator. Hotels accelerating direct booking growth without equivalent investment in payment authentication (cardholder authentication such as 3-D Secure, address and CVV checks, velocity limits on repeat attempts) are, in effect, trading commission savings for unhedged fraud liability. The balance sheet calculation is rarely presented that way in direct booking advocacy.

3. Loyalty Programs: An $11 Billion Liability Facing Underprotected Accounts


Hotel loyalty programs represent a concentrated fraud target that sits outside the OTA channel but shares the same underlying vulnerability: account access acquired through compromised credentials.

The scale of the underlying asset makes the exposure commercially significant. Seven of the world’s largest hotel groups collectively owed their loyalty members roughly $11.6 billion in unredeemed points at the end of last year, with Marriott alone owing nearly $4 billion and Hilton owing almost $3 billion, according to a Skift analysis of their most recent financial filings. These are real financial obligations carried as deferred revenue on balance sheets. When a loyalty account is taken over and points are redeemed fraudulently, the hotel group must decide whether to absorb the loss by reinstating the member’s balance or accept the reputational consequence of declining to do so. Hilton’s updated terms from July 2025 make clear the company will restore points only where it determines unauthorised third-party activity caused the reduction, a determination made at Hilton’s sole discretion, with a 12-month reporting window.

One of the persistent vulnerabilities is dormancy. Forty-five percent of loyalty program accounts are inactive or infrequently used, opening the door for fraudsters to take over accounts and redeem points before the legitimate account holder notices. Dormant accounts accumulate points through co-branded credit card spend without generating login activity, producing balances that attract attack precisely because they go unmonitored.

The brand-level response is observable even where the financial cost remains undisclosed. In April 2025, Marriott issued updated internal guidance to properties specifically addressing Bonvoy reservation fraud, directing front-desk teams to verify one-time passcodes for redemption reservations within 48 hours of check-in and to alert the Loyalty Program Risk team for suspicious activity. Hilton updated its Honors terms and conditions in July 2025 to codify account breach liability. Both updates signal that the programmes are managing material volumes of fraud-related claims at a scale that warranted formal policy codification.
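The dormancy signal above and the pre-check-in passcode step in Marriott’s guidance combine naturally into one screening rule, shown here as an added example that is not Marriott’s, Hilton’s or any programme’s actual logic. It scores a redemption reservation on three signals (points accruing on an account nobody has logged into for a year, a guest name that differs from the account holder, and, as an assumed signal not taken from the article, a recent change to the account’s contact details), decides whether the front desk’s one-time passcode check is due within the 48-hour window, and whether the booking should go to the loyalty risk team. Field names, thresholds and sample values are all assumptions.

```python
"""Risk screening for loyalty redemption reservations ahead of check-in.

Added example. Field names, thresholds and the 'contact details changed' signal are
assumptions; they are not any loyalty programme's published rules.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

DORMANT_DAYS = 365        # assumed: no login for a year counts as dormant
CONTACT_CHANGE_DAYS = 30  # assumed: email/phone changed within 30 days of booking
ESCALATE_AT = 4           # assumed: score at which the loyalty risk team is alerted
OTP_WINDOW_DAYS = 2       # passcode verified within 48 hours of check-in


@dataclass
class LoyaltyAccount:
    member_id: str
    holder_name: str
    last_login: date             # last authenticated session
    last_points_credit: date     # last accrual, e.g. co-branded card spend
    contact_changed: Optional[date] = None   # assumed field; None if never changed


@dataclass
class Redemption:
    confirmation: str
    member_id: str
    guest_name: str              # name on the reservation
    booked_on: date
    check_in: date


@dataclass
class Screening:
    confirmation: str
    score: int = 0
    otp_due: bool = False        # front desk must verify the passcode now
    escalate: bool = False       # alert the loyalty risk team
    reasons: list[str] = field(default_factory=list)


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive name comparison key."""
    return " ".join(name.casefold().split())


def screen(r: Redemption, acct: LoyaltyAccount, today: date) -> Screening:
    """Score one redemption reservation against the account that paid for it."""
    s = Screening(r.confirmation)

    # Dormancy: points keep arriving from card spend but nobody has logged in for a year.
    dormant = (r.booked_on - acct.last_login).days > DORMANT_DAYS
    if dormant and acct.last_points_credit > acct.last_login:
        s.score += 3
        s.reasons.append("dormant account: points accrued with no login for over a year")

    # Third-party stay: the reservation is not in the account holder's name.
    if _norm(r.guest_name) != _norm(acct.holder_name):
        s.score += 2
        s.reasons.append("guest name differs from account holder")

    # Assumed signal: contact details changed shortly before the redemption.
    if acct.contact_changed is not None:
        gap = (r.booked_on - acct.contact_changed).days
        if 0 <= gap <= CONTACT_CHANGE_DAYS:
            s.score += 2
            s.reasons.append("contact details changed shortly before redemption")

    days_to_arrival = (r.check_in - today).days
    s.otp_due = 0 <= days_to_arrival <= OTP_WINDOW_DAYS
    s.escalate = s.score >= ESCALATE_AT
    return s


# Constructed sample data: one taken-over dormant account, one normal member stay.
ACCOUNTS = {
    "M-1001": LoyaltyAccount("M-1001", "Ana Pereira", date(2023, 1, 10),
                             date(2025, 5, 20), contact_changed=date(2025, 5, 25)),
    "M-1002": LoyaltyAccount("M-1002", "Ana Pereira", date(2025, 5, 30),
                             date(2025, 5, 20)),
}
REDEMPTIONS = [
    Redemption("RED-A", "M-1001", "Mark Howe", date(2025, 6, 1), date(2025, 6, 5)),
    Redemption("RED-B", "M-1002", "ana  pereira", date(2025, 6, 1), date(2025, 6, 10)),
]
TODAY = date(2025, 6, 4)


def run_sample() -> dict[str, tuple[int, bool, bool]]:
    """Screen the constructed bookings; returns confirmation -> (score, otp_due, escalate)."""
    out = {}
    for r in REDEMPTIONS:
        s = screen(r, ACCOUNTS[r.member_id], TODAY)
        out[r.confirmation] = (s.score, s.otp_due, s.escalate)
    return out


if __name__ == "__main__":
    for r in REDEMPTIONS:
        s = screen(r, ACCOUNTS[r.member_id], TODAY)
        print(s.confirmation, s.score, "otp_due" if s.otp_due else "", *s.reasons, sep=" | ")
```

The dormancy test deliberately requires both conditions: a long gap since login is only suspicious when points have kept landing in the meantime, because that is the balance an attacker is after and the account holder is not watching it.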

The property-level consequence is indirect but real. When a loyalty account is used to book a fraudulent stay, with points redeemed without the account holder’s knowledge to secure a reservation for a third party, the property delivers a room it will not ultimately be compensated for once the fraudulent redemption is reversed. For properties operating under franchise or management agreements where loyalty redemption reimbursement is tied to confirmed guest activity, reversed redemptions create reconciliation exposure that does not always surface in standard month-end reporting.

What to watch: Across major hotel loyalty programmes, multi-factor authentication remains inconsistently deployed. Marriott Bonvoy offers optional two-factor authentication via email or phone verification; IHG One Rewards offers no two-factor authentication option; World of Hyatt offers no two-factor authentication option. The security posture of a loyalty programme is, in part, a property-level commercial risk โ€” particularly for franchise operators whose revenue mix includes a meaningful share of award-redemption stays. As unredeemed point liabilities grow with co-branded credit card expansion, the financial incentive for attackers to target those accounts grows in parallel.

4. The Scale of Credential Markets and What It Means for Detection


The fraud operations targeting hotel distribution channels in 2025 are not opportunistic. They are structured businesses with supply chains, quality controls, and margin optimisation that mirror what is observed in financial services fraud markets.

Digital account takeover volume worldwide grew 21% from H1 2024 to H1 2025, and surged 141% from H1 2021 to H1 2025, according to TransUnion’s H2 2025 fraud report, which drew on proprietary data from a global intelligence network and surveys of 1,200 business leaders across six countries. Within that broader trend, the travel and hospitality sector presents characteristics that attract disproportionate targeting: high average transaction values, a delayed gap between booking and service delivery that limits real-time fraud detection, and the structural information asymmetry between OTA platforms and the hotels they serve.

Booking.com extranet credentials and session tokens are openly traded. Prices for premium hotel logs range from $30 to over $5,000, depending on account value and reservation volume. Log-checker tools that validate the authenticity of compromised accounts are available for as little as $40 on cybercrime forums. This secondary market for credential validation means the supply chain is self-correcting: invalid credentials are identified and discarded before they consume operational capacity, improving the efficiency of subsequent attacks.

Booking Holdings’ Q1 2025 earnings filing with the SEC records a provision for expected credit losses and chargebacks of $89 million for the quarter, the platform’s own aggregate provisioning for disputed and fraudulent transactions. This is the OTA’s exposure. The costs that flow downstream to hotel partners (fraudulent chargebacks, dispute processing, loyalty reversals) are not captured in that figure and are not publicly disclosed by any OTA operator in aggregate.

What to watch: Microsoft documented a comparable credential-theft operation targeting booking platform accounts in March 2025, separate from the Sekoia-documented campaign, targeting hospitality organisations across North America, Europe, Oceania, and Asia. Two independent, documented campaigns in a single year, employing different technical approaches against the same target class, is evidence of a market rather than an isolated threat. Distribution teams at properties with high OTA concentration, particularly in markets where advance booking lead times are long and reservation data is therefore accessible in a compromised account for extended periods, face structurally elevated exposure that does not diminish as individual campaigns are disrupted.

5. The Liability Question the Industry Has Not Resolved


The live debate among hotel operators, legal teams, and OTA commercial partners is not primarily about how attacks are conducted. It is about who absorbs the cost when an OTA-issued credential is compromised and used to defraud the hotel’s guests.

OTA partner agreements generally hold the property responsible for the security of its extranet credentials. Under standard terms, a hotel whose login is compromised because a staff member clicked a malicious email is, in the OTA’s framing, the party that failed to maintain account security, and therefore the party responsible for downstream consequences. This position is operationally coherent from the OTA’s perspective. It is commercially uncomfortable for operators who did not design, and cannot independently audit, the extranet’s own security architecture.

The question sharpens when the fraud uses the OTA’s own messaging infrastructure. In the documented 2025 campaigns, attackers did not spoof Booking.com emails from an external domain; they used the hotel’s actual Booking.com account to send messages through the platform’s legitimate communication channels. The guest received the fraudulent payment request via the same in-app messaging interface they had used for every prior interaction with their booking. The trust relationship that the OTA spent years cultivating with consumers was the mechanism of the fraud.

No OTA has publicly revised its partner liability framework in response to the documented campaign scale. No regulatory body has issued formal guidance specific to extranet account fraud in the hospitality sector. The UK’s Action Fraud recorded 532 consumer fraud reports linked to Booking.com-related scams between June 2023 and September 2024, totalling approximately £370,000 in documented losses, a narrow window into a much larger pattern.

What is observable is that properties are beginning to treat the OTA relationship differently in their fraud risk frameworks. Some operators have implemented internal protocols requiring staff to verify any communication that requests action on a reservation through a secondary channel before responding. Others have restricted extranet access to specific devices with additional authentication controls that the OTA does not mandate. Neither approach eliminates the exposure: a session cookie lifted by an infostealer from an approved device still works from the buyer’s machine, so the patching and malware hygiene of whichever devices touch the extranet matters as much as who is allowed to log in. But both reflect a commercial recalibration of what OTA dependency actually costs when fraud is included in the calculation.

The question of formal liability allocation is one that will likely require either regulatory intervention or sustained legal challenge to resolve with any finality. Until it is, the cost flows downward to the property, and the revenue manager who books the channel must price that exposure somewhere.

