Have you ever wondered why the number of reported scams and frauds is increasingly alarming? Yes, those criminals are not going anywhere, and they are becoming more sophisticated, particularly with the involvement of Artificial Intelligence (AI) and deepfakes. Even the most trained eyes still struggle to pinpoint these new types of cyber threats.
Speaking of vulnerabilities, hospitality is one of the industries that suffers most from being the prime target for these cyberattacks. Why are these businesses in such a devastating predicament? How can hotels defend themselves against phishing?
The alarming surge in cybersecurity phishing attacks
In the latter half of 2024 alone, businesses across the globe saw a staggering 202% increase in overall phishing messages. Even more concerning, SlashNext's 2024 Phishing Intelligence Report revealed a disastrous 703% surge in credential phishing attacks during the same period. [1]
According to Cybersecurity Ventures' 2025 annual report, it is estimated that the global cybercrime cost will reach $10.5 trillion USD this year. If this value were to be measured as a country's GDP, it would make the world's third-largest economy. Even more alarming is that the growth of these threats will not stop at any rate; they will experience a steady increase at 2.5 per cent through 2031, equal to $12.2 trillion annually. [2]
How about the hospitality industry? What does the number look like?
60% of cyber threats in hospitality originate from vulnerabilities within connected devices, including essential point-of-sale (POS) terminals and Internet of Things (IoT) devices [3]. Despite the convenience and operational efficiency brought by the interconnectedness of these digital solutions, they also expose hotel businesses to even more threats and attacks in cyberspace.
Nearly one-third of hotel businesses have reported a breach in their data security, costing them on average $3.4 million (Trustwave) [4]. Some of the most high-profile incidents in the sector are:
– MGM Resorts International, Las Vegas: A cyberattack left MGM with a system paralysis that lasted two weeks and estimated losses of $100 million. [5]
– Motel One Group, Munich: This breach resulted in the theft of nearly 25 million files, including sensitive guest booking confirmations spanning three years. [6]
Or the most recent one – the Booking incident.
The Booking.com incident
Microsoft Threat Intelligence, a global network of security experts, recently identified a phishing campaign targeting hotels by impersonating Booking.com [7]. These scammers sent various emails, with content ranging from negative guest reviews to account verifications, deceiving hotel staff into believing the emails were from a legitimate source and then unknowingly clicking the provided link to install harmful malware.
According to Microsoft, the phishing campaign reached hotel businesses from a wide range of geolocations, from North America to Oceania, Asia, and Europe. The scam emails specifically target hotel staff at these locations, who are likely to work with Booking.
Below are some examples of phishing emails sent to hotels:

Image 1: A phishing email pretending to be a potential guest. Image credit: Microsoft

Image 2: A phishing email pretending to be a Booking agent asking hotel staff to resolve negative feedback left by guests. Image credit: Microsoft
Why are hotels targets for phishing?
At the end of the day, scams exploit our human nature: our tendency to be hospitable and curious. Hotel staff, for instance, are specifically trained to prioritise guests and answer all their queries in a timely manner. So, when staff receive an email that sounds like a valid, urgent concern, they would naturally try to provide a solution instead of verifying or questioning the authenticity of the sender.
There is a name for this phishing tactic: social engineering, which manipulates human psychology, or in other words, takes advantage of hotel employees’ helpfulness for financial gain.
Nonetheless, technology still plays a crucial role in the whole ordeal, both as a protector and as the vehicle for these attacks to happen. The alarming rate of hotel phishing attacks is primarily due to weak cybersecurity practices, namely:
– Hotel Wi-Fi networks are often open to the public or weakly encrypted, thus providing an easy entry point for hackers.
– Outdated IT, POS, or property management systems, which lack the latest security patches against today’s sophisticated cyberattacks.
– The proliferation of IoT devices (e.g., smart locks or climate control systems) in hotels introduces numerous new vulnerabilities, as many are integrated without robust security protocols.
It does not stop there. Other reasons why phishing scams in hotels are still prevalent:
– High turnover rate and frequent personnel changes lead to inconsistent knowledge transfer and training
– The reliance on email as the main communication channel with guests, suppliers, vendors, etc., can increase the risk of being hacked
– Security breaches happen on the vendors’, partners’, or third-party service providers’ side. The intricate web of integrations between hotel systems and external suppliers presents a critical weak point and can quickly cascade, compromising the entire network.
The fact that hotels continue to be the gold mine for cyberattackers will not change because the industry will continue to prioritise its guest experience and convenience. However, businesses can level up their defences to protect their clientele and assets from danger by eliminating the weakest links and providing proper employee phishing awareness training.
How hotels can defend against phishing
The path to effective defence begins with awareness. “You can’t protect what you don’t know you have,” be it your hotel’s assets, software landscape, servers, or data locations. Knowing what you have on hand, and how each item is prioritised, is the cornerstone of any robust cybersecurity program.
Educate staff to recognise early warning signs
It is not just leaders who need to stay aware, but also the staff: the frontline of defence, who often encounter phishing scams first. To tell scams apart from legitimate messages, hotels need a well-informed and vigilant team.
1. Regular and ongoing cybersecurity training programs are essential to educate staff (either existing or new) on the latest phishing tactics and how to identify common red flags.
2. Conduct periodic simulations to test employee awareness and reinforce training. Hotels can incorporate typical red flags, like fake urgency, suspicious links, or attachments.
3. Phishing attempts are inevitable; the key is how staff respond. Hotels need a simple, documented reporting process to guide employees when they suspect a threat.
– Designate a clear point of contact (e.g., IT dept. or management) for reporting
– Create a dedicated reporting channel, such as a specific email address or an internal messaging system
– Report immediately, even if the staff is uncertain about the legitimacy of a message
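One way to pre-screen messages forwarded to the dedicated reporting channel for the red flags listed above (fake urgency, suspicious links, attachments), plus the Booking.com sender impersonation described earlier. This is an added example, not code from the article or from Microsoft; the urgency word list, the flag names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
BRAND = "booking.com"  # brand impersonated in the campaign described above
URGENCY = re.compile(r"\b(urgent|immediately|suspended)\b", re.I)  # assumed list
PHISH = (  # constructed sample message, not taken from a real campaign
    'From: "Booking.com Support" <noreply@partner-review.example>\n'
    "Subject: Urgent: negative guest review\nContent-Type: text/html\n\n"
    '<a href="https://booking.com.review-portal.example/x">admin.booking.com</a>\n')

class LinkCollector(HTMLParser):  # gathers [href, visible text] per <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data

def is_brand_host(host):  # exact domain or a true subdomain, never a lookalike
    return ("." + (host or "").lower().rstrip(".")).endswith("." + BRAND)

def red_flags(raw_email):
    """Return red flags in one raw message; an empty set is not proof of legitimacy."""
    msg = message_from_string(raw_email)
    flags, links, text = set(), LinkCollector(), msg.get("Subject", "")
    name, addr = parseaddr(msg.get("From", ""))
    if "booking" in name.lower() and not is_brand_host(addr.rpartition("@")[2]):
        flags.add("sender-mismatch")  # display name claims the brand, domain does not
    for part in msg.walk():
        if part.get_filename():
            flags.add("attachment")
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            text += " " + body
            links.feed(body)
    if URGENCY.search(text):
        flags.add("urgency")
    for href, label in links.links:
        if BRAND in label.lower() and not is_brand_host(urlparse(href).hostname):
            flags.add("link-mismatch")  # link text shows the brand, href goes elsewhere
    return flags
```

The From header can be forged, so this screen complements rather than replaces the mail gateway's sender authentication checks.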
Build your fortress to prevent intruders
Avoid data breaches originating from vulnerabilities in legacy, outdated Property Management Systems (PMS) and POS systems, which might even struggle to adapt to the latest reporting compliance and privacy regulations. Hotels cannot rely on these systems to be capable of alerting the front desk to a potential attack.
Many PMS and POS solutions available today can offer built-in privacy and security features, including GDPR- and USALI-compliant anonymisation of personal information, thus keeping hotels’ and guests’ identities confidential.
Additionally, migrating to the cloud presents a strategic and secure approach for hotels seeking to bolster their cybersecurity measures. They can leverage experts from the trusted cloud provider and “borrow” their sophisticated, well-developed hotel IT security solutions and disaster recovery plans. However, hotels should exercise due diligence when selecting a trusted partner.
Nevertheless, at the end of the day, having the right technology in place is not enough. Human error remains a significant vulnerability. Empowering employees to be the first line of defence through continuous education and awareness is critical to reducing susceptibility to social engineering.
Finally, while protecting internal systems, hotels must also educate their guests on best practices for digital security, reinforcing a shared responsibility for a secure digital environment.
TRG International is committed to providing solutions and expertise that protect our clients and ensure a more secure future for the hospitality industry. If you are interested in potential cloud solutions to transform your operations, please don’t hesitate to contact us!
Sources:
1. https://www.infosecurity-magazine.com/news/2024-phishing-attacks-double/
2. https://cybersecurityventures.com/official-cybercrime-report-2025/
3. https://discover.hotelbeds.com/resources/insight/cybersecurity-hotels
4. https://cybermagazine.com/articles/trustwave-report-on-hospitality-industry-security-threats
5. https://www.nbcnews.com/business/business-news/cyberattack-cost-mgm-resorts-100-million-las-vegas-company-says-rcna119138
6. https://www.motel-one.com/en/services/faqs-hacker-attack-motel-one-group/
7. https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/





