This holiday season, you may want to proceed with caution when booking hotels online. One of the biggest online travel agencies, Booking.com, has come under fire from users who allege that the company isn’t doing enough to protect them from becoming victims of cyberattacks on its app, which have resulted in a massive hit to their wallets.

Users claim that cybercriminals have infiltrated the administration portals of hotels on the Booking.com app, which allows the attackers to message customers while posing as hotel staff and trick them into sending their payment information.

Hackers are able to breach these systems by first emailing hotel staff while pretending to be a former guest who left their passport in their room. The email includes a Google Drive link that they claim contains an image of the passport, but it’s actually a malicious link that downloads software onto the staff member’s computer, and that software automatically searches for access to Booking.com.

Once the hacker is able to find access, they can then see customers who have reservations at the hotel and are able to contact and trick them into sending their payment information, according to cybersecurity company Secureworks.

The issue has been prevalent since March, and has affected users in the U.S., U.K., Greece, Indonesia, Portugal, Singapore, Italy, and the Netherlands.

Booking.com has not responded to TheStreet’s request for comment in time for publication.

Cyberattacks across the country have reached a record high so far this year, and the hospitality industry has become a hot target for cybercriminals as it is a breeding ground for personal data.

For example, hotels harbor sensitive information such as customer names, street and email addresses, payment information, dates of birth and phone numbers, all of which hackers can easily profit from on the dark web or use for other nefarious reasons.

A report by Cornell University and FreedomPay found that about 31% of hospitality organizations have reported a data breach in their company’s history, and 89% have been affected more than once in a year.

A high turnover rate of users and employees, vulnerable Wi-Fi networks and easier accessibility to company hardware by guests are some of the factors “that make the hospitality industry’s cybersecurity threat profile especially unique,” according to a new report by software company Trustwave.

“With unique considerations, such as the adoption of contactless technology and the steady turnover of customers and employees, the hospitality industry faces a complex security landscape with distinct challenges,” said Trustwave Chief Information Security Officer Kory Daniels in a press release.
