A phishing campaign targeting Booking.com partners has been running since April 2025, and it's so profitable that attackers are selling access to compromised accounts on Russian forums. They've stolen guest payment data, orchestrated elaborate social engineering schemes, and—get this—some victims paid twice: once to the hotel, once to the crooks. The hospitality industry is now a target-rich environment for cybercriminals.