Web users risk having personal data swiped by a virus attached to emails that purport to come from hotel reservations agency booking.com.
Non-users and clients of the site have reported rogue emails apparently sent by booking.com's customer service team, in some cases appearing to confirm bookings.
The emails include booking reference numbers, ID codes and hotel reference numbers and inform recipients that full details are in an attached zip file. This contains a virus designed to swipe card and other personal data.
Booking.com acknowledged the problem this week, saying it was aware of "thousands" of recipients of the emails over "a matter of weeks".
A spokesman said: "We have a dedicated team addressing the problem. It is causing widespread confusion. We are treating it very seriously."
He denied the phishing emails are linked to details of booking.com clients.
The spokesman said: "The fake emails are being sent to random email addresses and we are doing everything we can to eradicate this."
A member of booking.com's legal team at the company's base in Amsterdam said: "We can confirm there has been no data breach in our system. We have not had a hack or a leak.
"These phishing emails don't originate with us. They are sent out to random email addresses, phishing for data.
"We don't have a clue who is sending them. We are as frustrated as anyone."
He added: "People should be careful with email. We don't send attachments."
Booking.com is the European arm of giant US discount travel retailer Priceline. It claims to be the world's biggest hotel reservations agency.
Priceline had a market value of $33.5 billion (£21.6 billion) this week.
Specialists in digital recruitment featuring a wide range of jobs.