A whistle-blower has revealed how stolen personal data was used to con thousands of customers of one of the world's biggest hotel booking websites.
He says he was part of a fake call centre operation which had access to personal details of customers from around the world.
"Tom" - not his real name - was recruited via an international freelance telesales website.
Booking.com says it is working with the police to tackle the problem.
BBC Radio 4's Money Box was contacted by "Tom" after reporting on the fraud last month. He told us he was offered $12 an hour for the work and spent around 12 days in the job, sitting at his home computer.
"Tom", who asked not to be identified, said he was supplied with long lists of Booking.com customers and could manage to call around 250 in a working day.
Many were foreign visitors coming to London from countries including Bangladesh, Israel, South Africa, China, Japan and India,
"We were told to call up people and tell them that they'll receive an email… and if they have any questions they should get in touch with us," Tom told Money Box.
"We had to say that we were calling from [the hotel into which the customer had booked] and we would send an email and it would appear that the hotel was sending them an email."
The subsequent e-mail would ask for advance payment for the hotel booking with bank details which have no connection to the hotel.
Customers who queried the payment demand were directed to a fraudulent phone line, where the criminals had installed staff who posed as Booking.com employees, insisting that the hotels had changed their payment policies.
Some Money Box listeners sent a payment, only to find their hotel had no record of it when they checked in. Although they have received refunds for the double payment, the episode represents a major security breach.
Booking.com has estimated that about 10,000 people were affected.
"Tom" claims he was unaware that he was involved in criminal activity and agreed to speak to Money Box because he was angry at having becoming accidentally involved.
Although his script involved claiming he was phoning from a hotel, he says the message to expect an e-mail seemed harmless enough.
However, when he read the Money Box article, it confirmed suspicions that had been prompted by the elusiveness of the man who recruited him.
"This guy never spoke and he was a big secret," said "Tom", "Nobody's seen him, nobody's spoken to him, and even the agents were not allowed to talk to each other.
"It is pretty much like dealing with a ghost. I tried to look him up on LinkedIn and Facebook just to understand the company better. There's no picture of him on any website, no trace on the internet."
'Claire' from West Yorkshire received one of the phone calls after booking rooms at a London hotel for a trade fair in November.
She avoided being conned by phoning the hotel directly and establishing that they had not demanded advance payment.
Nevertheless she wants Booking.com to announce publicly that customer details are now safe.
"I want to know how this scamming company are finding out the reservation numbers, the dates, the contact details, there's a lot of private information there," she said.
A spokesperson for Booking.com told Money Box the firm is working with police on how to prevent future phishing attacks. They declined to be interviewed.