People making reservations via Booking.com are being targeted by fraudsters using the platform’s own mail system, British paper the Observer reported.

Prospective holiday makers who had already made reservations were sent phishing mails via the platform requesting payment or the reservation would be void, or a repeat of a payment for verification via a link. The money was then transferred into a fraudulent account.

The Dutch travel platform, which is currently facing problems paying outstanding bills to accommodation owners, said its site had not been hacked and that the e-mail systems of the participating hotels had been compromised.

Criminals are sending the e-mails to the Booking.com app message box, which is how owners communicate with the clients, it said.

Booking.com’s version of events has been called a likely scenario by security company Heimdal, which analysed the phishing campaign.

“Some of our accommodation partners have, unfortunately, been targeted by very convincing and sophisticated phishing tactics, encouraging them to click on links, or download attachments outside of our system, that enable malware to load on their machines and, in some cases, led to unauthorised access to their Booking.com account,” Booking.com said in a statement to the paper.

It also said it would be “reaching out to the customers in these cases directly to ensure they are fully supported.”

The scam has so far hit people making reservations in Britain, France and Singapore.