Booking.com has urged its partner hotels to set up two-factor authentication after a rise in phishing emails in recent months.
It comes after American cybersecurity company Secureworks warned that some hotels on Booking.com had been targeted by malware in attacks that begin with an email to a member of the hotel's operational staff.
Secureworks revealed that the email sender often pretends to be a former guest of the hotel claiming they have left identification documents at the property.
Once they strike up a conversation with a representative from the hotel, they send over a Google Drive URL leading to malware that steals the hotel's Booking.com credentials once it is downloaded.
Some hotels reported receiving complaints from other customers about money being stolen from their accounts after the malware was executed.
A spokesperson for Booking.com said: "We are aware that some of our accommodation partners have unfortunately been targeted by phishing emails in recent months that are deployed by criminals using a host of known cyber fraud tactics, which ultimately encourage them to click on links or download attachments outside of our system that enable malware to load on their machines and, in some cases, lead to unauthorised access to their Booking.com account.
"While this breach was not on Booking.com, we understand the seriousness for those impacted, which is why our teams work diligently to support our partners in securing their systems as quickly as possible and helping any potentially impacted customers accordingly, including with recovering any lost funds."
Booking.com has urged hotel partners to set up two-factor authentication and take guidance from the booking platform's face-to-face workshops and dedicated cybersecurity advice hubs.
It also stressed that customers should be vigilant and reach out to Booking.com should "a property or host appear to be asking for payment outside of what's listed on their confirmation".
"No legitimate transaction will ever require a customer to provide their credit card details by phone, email or text message (including WhatsApp)," they said.
Booking.com added: "While there is no silver bullet to eradicate all fraud on the internet, our dedicated account security team is always monitoring and stopping new threats, as well as implementing new measures to assure the account security of both our customers and partners.
"This includes new security features to lock or block inactive partner extranet accounts, which is where we have seen fraudulent activity take place once scammers get unauthorised access to the hotel's Booking.com account, after they have clicked on phishing links and downloaded malware onto their own computer systems.
"Furthermore, if we detect suspicious activity on a hotel's account then we take swift action, including immediately disabling the ability for links to be shared via messages on our platform, to help stop fraudulent requests for payments."