How hotel owners can protect their business

The hospitality industry is being urged to strengthen cybersecurity practices due to a significant increase in phishing attacks within the industry.

Cybercriminals are actively targeting hotel property management systems and booking channels to harvest credentials, gain unauthorized access and ultimately exploit guest and business data.

In response, hostech giants Guestline (part of Access Hospitality), Mews, HotelTime and Planet share an overview of the current industry landscape and how businesses can protect themselves.

Phishing attacks on the rise in hospitality industry

Hostech giants including Access Hospitality, Mews, Hotel Time and Planet have revealed their thoughts on the current state of the industry.

Nicola Longfield, general manager of accommodation at Access Hospitality, said: “Cybercriminals are actively targeting hotel property management systems (PMS), email systems and booking channels. They are sending emails that appear to come from legitimate sources, including OTA platforms or internal systems, designed to trick employees into entering login information or downloading malware.”

“They start by tricking employees who manage hotel reservations into logging into fake systems. They do this by creating nearly identical copies of system login pages and even purchasing similar domain names to lure unsuspecting users. The threat actors are using Google ads to bring their sites to the top of the page.

“Once access is gained through stolen credentials, attackers can send fake booking confirmations or phishing emails to your guests, thereby destroying trust and exposing sensitive guest information.”

Hotel Time CEO Jan Hejny also joined the conversation, saying: “Across the hospitality industry, phishing attacks are becoming increasingly targeted and contextual. Fraudsters are increasingly impersonating trusted brands such as hotels, booking platforms or technology providers, often mimicking real payment or booking scenarios.

“The use of emergencies, such as payment failure or imminent cancellation, is a common tactic to force the recipient to take action before the request can be verified.”

When asked about the current situation and how the industry is responding, Planet Chief Information Security Officer Richard Johnson commented: “We work with hotel teams to manage and mitigate risk. Planet actively works with our security partners and authorities to identify, disrupt and combat fraudulent activity, including websites posing as legitimate businesses.

“Fraud is a full-time activity for criminals looking for a quick win. By quickly sharing intelligence and raising collective awareness, we continue to make it harder for them to do so.”

What businesses can do to protect their business

Ian Trzoska, security analyst at Access Hospitality, commented: “If not recognized and mitigated quickly, these attacks can result in compromised hotel accounts, fraudulent communications to guests, and severe reputational or financial damage.”

Access Hospitality reveals the steps hospitality venues should take immediately to protect hotel systems and data.

Upgrade to Anti-Phishing MFA (Key)

Ian commented: “We strongly recommend upgrading to Key-based multi-factor authentication (MFA), which we consider to be the gold standard in security protection. Unlike traditional one-time password codes, Master Keys provide phishing-proof authentication, making it nearly impossible for attackers to compromise your account, even with sophisticated phishing attempts. Even if you already have standard MFA, you are still vulnerable and need anti-phishing key-based MFA.”

“Master Key provides excellent protection:

  • They create a unique encrypted link between your account and the official login website. For example, for Guestline users, they will only work on the real Guestline login page and will not respond to fake or similar websites created by attackers – protecting you even if you accidentally click on a phishing link.
  • Since there are no passwords or one-time codes to enter, employees can't accidentally share anything in a phishing email, chat, or phone call. The secret part of the key never leaves your device, meaning an attacker can't copy it even if they see your screen.
  • Keys are more secure than traditional MFA methods and are generally faster to use. You simply touch a physical security key (such as a YubiKey) or use your device's biometric sensor, fingerprint, or PIN to confirm your identity.

“Flexible key options include physical security keys such as YubiKey, Google Titan Security Keys, or SoloKeys. You can also store keys on your mobile device or laptop, whether it's an Android or iOS device.”
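As an added illustration (not part of the article and not any vendor's code), this Python example shows the server-side origin and RP ID checks from WebAuthn/FIDO2, the standard behind YubiKey-style security keys, that make a response collected on a lookalike domain useless at the real login page. The host names, challenge and helper names are constructed assumptions; signature verification is a separate step and is not shown.

```python
import base64
import hashlib
import hmac
import json

# Assumed relying-party settings (hypothetical host, not from the article).
RP_ID = "login.example-pms.test"
EXPECTED_ORIGIN = "https://login.example-pms.test"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_origin_binding(client_data_json, authenticator_data, expected_challenge):
    """Return a list of failures; an empty list means the binding checks passed."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("wrong ceremony type")
    if client.get("challenge") != b64url(expected_challenge):
        failures.append("challenge mismatch")
    # The browser, not the user, writes the origin it was actually showing.
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin mismatch: " + str(client.get("origin")))
    # The first 32 bytes of authenticator data are SHA-256 of the RP ID.
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], expected_hash):
        failures.append("rpIdHash mismatch")
    # Byte 32 holds the flags; bit 0 is "user present" (key touched).
    if len(authenticator_data) < 37 or not authenticator_data[32] & 0x01:
        failures.append("user presence flag not set")
    return failures

def build_sample(origin, rp_id, challenge):
    """Constructed input imitating what a browser and authenticator emit."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    # rpIdHash + flags (user present and verified) + 4-byte signature counter
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")
    return client, auth

CHALLENGE = b"constructed-challenge-0001"
GENUINE = build_sample(EXPECTED_ORIGIN, RP_ID, CHALLENGE)
# Same challenge relayed through a lookalike domain (constructed).
LOOKALIKE = build_sample("https://login.examp1e-pms.test",
                         "login.examp1e-pms.test", CHALLENGE)

if __name__ == "__main__":
    print("genuine:  ", check_origin_binding(*GENUINE, CHALLENGE))
    print("lookalike:", check_origin_binding(*LOOKALIKE, CHALLENGE))
```

Because the browser fills in the origin and the authenticator hashes the RP ID itself, an employee who is fooled by the page still cannot hand over a response that passes these checks.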

Encourage employees to bookmark login pages and provide training

“Be sure to bookmark the official login page rather than navigating through search engines as this may expose you to similar phishing sites.

“In addition, employers should train all employees to identify suspicious emails. Employees are encouraged to be on the lookout for unusual sender addresses, urgent language, unexpected attachments, or requests to share credentials.

“Finally, encourage a culture of immediate reporting so that even uncertain suspicions are escalated and analyzed immediately.”

Use strong, unique passwords and avoid reuse

“We recommend using long, unique passwords and avoiding reusing them across multiple accounts or systems. Additionally, disable shared logins (e.g. [email protected]) for critical services. Instead, assign individual accounts to employees with role-based access.”

Keep software and systems up to date

“Keep software and systems current with the latest updates and security patches; outdated software can significantly increase vulnerabilities.

“In addition, deploy reputable antivirus software, malware protection and firewalls to detect and block malicious activity, and finally, regularly back up critical data and test recovery procedures. If your system is compromised, backups allow you to recover quickly.”