Hotel website Booking.com is offering customers compensation after their personal details were stolen and used in a phishing scam.
Scammers accessed reservations made through the website and obtained customer contact details which they used to send demands for prepayment.
Customer Claire Coldwell, from West Yorkshire, said she booked hotel rooms for her and her colleagues who were attending a trade fair in London.
Speaking to the BBC, she said she expected to pay at the end of her stay but received emails asking for £3,000 before their arrival.
"I got an email supposedly from Booking.com saying that, because of the unusually high demand for those dates, the Hilton had taken the decision to ask for prepayment in full for the whole week," she said.
She then received another email, supposedly from the hotel, with the same request.
"They had everything like the reservation number, names of guests and the logos looked accurate."
Claire called Booking.com and was told that the company never asks for payment up front.
The company said it was committed to countering fraud and has since made changes to data so it can only be accessed from a computer linked to the hotel's server.
Top ten holiday rip-offs and how to avoid them
Barcelona named worst city for holiday scams and pickpocketing
Elderly couple 'win' holiday to Canada - and unwittingly become drug mules