Booking.com has admitted that it has had to compensate as many as 10,000 customers whose personal details have been stolen, according to a BBC report.
Guests booking hotel rooms with the online travel agent unwittingly handed over money to criminals.
By accessing Booking.com reservations, the thieves have been able to obtain contact details to send customers demands for prepayment.
Booking.com, which is based in Holland, said customers from the UK, US, France, Italy and Portugal had been affected. It confirmed it had refunded those who lost money, but declined to reveal the total amount.
Chief security officer Peter Kornelisse said the firm was on top of the problem: “We estimate around 10,000 people are affected. We are protecting our customers, hotels and Booking.com continuously.
“We have a battle against organised crime. We’ve made technical improvements in several areas.
“We do inform customers to a certain extent. We can warn today about a specific scenario that takes place and the next moment we have a different scenario.
“We contacted all the guests who are affected by the phishing attacks and we took the burden of our guests.”
The company said its dedicated security teams were also working to contact and support accommodation partners who may have been affected by the situation.
Jackie Grech, legal and policy director at the British Hospitality Association, warned customers to be “extremely cautious” after booking online.
She told the Telegraph: “We know so far that the scam seems to be limited to a few customer bookings across a number of four and five star hotels in London. We have contacted the online booking agent and alerted hotels across the capital.
“The important message is for customers of online travel agents who need to be vigilant and if they are contacted by anyone asking them to pre-pay their hotel room, they should be extremely cautious about doing so. It’s best to call the hotel directly to check.”
Claire Coldwell from West Yorkshire used Booking.com to book hotel rooms for her and her colleagues who were attending a trade fair in London.
She expected to pay at the end of her stay, but then she received emails and calls that said something different.
Coldwell told the BBC: “I got an email supposedly from Booking.com saying that, because of the unusually high demand for those dates, the Hilton had taken the decision to ask for prepayment in full for the whole week.”
That would have meant paying £3,000 in advance.
She then got an email supposedly from the Hilton requesting the same thing: “They had everything like the reservation number, names of guests and the logos looked accurate.”
She was suspicious, not least because the email referred to an airport transfer and her group were going to London by train.
So she phoned Booking.com and was told to ignore the emails because the company never asked for payment up front.
A Hilton Worldwide spokesman said: “Our initial investigation has found this incident is not the result of a breach of Hilton systems or websites.
“We have asked Booking.com to ensure their investigation is thorough and appropriate action is taken. Guests who have received suspicious emails should contact their booking provider immediately and not respond to these emails.”
Since the fraud, Booking.com has made changes so data can only be accessed from a computer linked to the hotel’s server.
Its teams have also worked to “take down” dozens of phishing sites, as well as working with some banks to freeze the money mule bank accounts.