Kaspersky has discovered a new fraudulent scheme targeting hotel owners and staff with fraudsters attempting to steal credentials or infect computers with malware. The fraudulent emails, posing as correspondence from former or potential guests, exploit the hospitality industry’s emphasis on customer service to ensnare victims.

The deceptive emails mimic legitimate inquiries or complaints from guests, sent to hotels’ public email addresses or appearing as urgent requests from Booking.com to address unattended user comments. However, the emails are actually from attackers aiming to trick hotel employees into divulging credentials or downloading malware.

Fraudsters craft emails with plausible pretexts that make them read like genuine customer requests or complaints – a routine part of hotel staff’s duties. Given the high value placed on reputation in the hospitality sector, staff are inclined to respond to these emails promptly. That eagerness increases the likelihood of clicking a malicious link or opening a harmful attachment, and thereby of falling into the trap.

Attackers send their fraudulent emails from free email services such as Gmail, which genuine guests also commonly use. This makes it hard for hotel staff to tell legitimate messages apart from malicious ones, since the sender domain alone gives nothing away.

The fraudulent emails generally fall into two categories. The first consists of complaints from former guests. These emails describe negative experiences such as rude staff or unclean rooms, sometimes accompanied by references to photos or videos. The aim is to prompt staff to click on links or open attachments that deliver malware.

The second category consists of emails that mimic inquiries from potential guests. These ask about amenities, prices, or availability, or seek help with trip planning. The apparent objective is to harvest credentials, either for use in later attacks or for sale on dark net forums.
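The two lure categories above, plus the Booking.com pretext and the use of free webmail, lend themselves to a simple inbound-mail triage rule. The following Python script is an added illustration and is not Kaspersky’s detection logic or any product’s code: it builds three constructed sample messages (a spoofed Booking.com notice, a complaint with a zip attachment, and a benign availability inquiry), scores each on the indicators the article describes, and decides whether the message should be held for a human to verify before anyone clicks anything. The domain lists, keyword patterns, weights and threshold are assumptions to be tuned against a real mail flow; the `.example` link host is a placeholder.

```python
"""Triage heuristics for guest-themed phishing aimed at hotel inboxes.

Added example, not a vendor's detection rule. All domain lists, keyword
patterns, weights, the threshold and the sample messages are constructed
assumptions for illustration.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Free webmail providers that genuine guests also use (assumption: extend as needed).
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
# Brands a lure may impersonate, mapped to the domains that legitimately send for them (assumption).
BRAND_DOMAINS = {"booking.com": {"booking.com"}}
# Attachment types commonly used to carry malware (assumption).
RISKY_EXTENSIONS = {".zip", ".rar", ".iso", ".exe", ".js", ".lnk", ".html", ".htm", ".scr"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|will be suspended|last warning)\b", re.I)
COMPLAINT = re.compile(r"\b(rude|dirty|unclean|refund|complaint|bed ?bugs|photos? attached|video)\b", re.I)
URL = re.compile(r"https?://([^/\s]+)", re.I)

# Weights and threshold are assumptions; heavier signals are the ones that require a click to pay off.
WEIGHTS = {"brand": 3, "link": 2, "attachment": 3, "urgency": 1, "lure": 1, "freemail": 1}
HOLD_THRESHOLD = 3


def _body_text(msg: EmailMessage) -> str:
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body else ""


def _host_is_legit(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for legit in BRAND_DOMAINS.values() for d in legit)


def triage(msg: EmailMessage) -> dict:
    """Score one message and return the indicators that fired plus a verdict."""
    hits: list[tuple[str, int]] = []
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    text = f"{display_name}\n{msg.get('Subject', '')}\n{_body_text(msg)}"
    lowered = text.lower()

    # 1. A brand is named (display name, subject or body) but the sender is not one of its domains.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in lowered and sender_domain not in legit:
            hits.append((f"claims {brand} but sent from {sender_domain or '<none>'}", WEIGHTS["brand"]))

    # 2. Links whose host is not a known brand domain.
    for host in URL.findall(text):
        host = host.lower()
        if not _host_is_legit(host):
            hits.append((f"link to {host}", WEIGHTS["link"]))

    # 3. Attachments of types commonly used to carry malware.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            hits.append((f"risky attachment {name}", WEIGHTS["attachment"]))

    # 4. Pressure and lure wording.
    if URGENCY.search(text):
        hits.append(("urgency wording", WEIGHTS["urgency"]))
    if COMPLAINT.search(text):
        hits.append(("complaint lure wording", WEIGHTS["lure"]))

    # A free-mail sender is normal for guests, so it only adds weight alongside other signals.
    if sender_domain in FREE_MAIL_DOMAINS and hits:
        hits.append(("free-mail sender", WEIGHTS["freemail"]))

    score = sum(w for _, w in hits)
    verdict = "hold for manual verification" if score >= HOLD_THRESHOLD else "deliver"
    return {"sender_domain": sender_domain, "score": score,
            "indicators": [h for h, _ in hits], "verdict": verdict}


def build_samples() -> dict[str, EmailMessage]:
    """Constructed messages mirroring the two lure categories and one benign inquiry."""
    spoof = EmailMessage()
    spoof["From"] = "Booking.com Partner Support <partner.support.bk@gmail.com>"
    spoof["Subject"] = "URGENT: unanswered guest comment will suspend your listing"
    spoof.set_content("A guest comment on Booking.com has been unattended for 3 days. "
                      "Reply immediately at https://booking-partner-review.example/login")

    complaint = EmailMessage()
    complaint["From"] = "Jane Guest <jane.guest@gmail.com>"
    complaint["Subject"] = "Complaint about my stay"
    complaint.set_content("Your staff were rude and the room was unclean. Photos attached.")
    # Constructed placeholder bytes; only the filename matters to the heuristic.
    complaint.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="photos.zip")

    inquiry = EmailMessage()
    inquiry["From"] = "Tom <tom.traveller@gmail.com>"
    inquiry["Subject"] = "Availability for March"
    inquiry.set_content("Hello, do you have a double room free on 12 March and what is the price? Thanks, Tom")
    return {"spoof": spoof, "complaint": complaint, "inquiry": inquiry}


def triage_all() -> dict[str, dict]:
    return {name: triage(msg) for name, msg in build_samples().items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name:10} score={result['score']:<2} {result['verdict']:28} {result['indicators']}")
```

The rule deliberately does not flag free-mail senders on their own, since the article notes that genuine guests use the same services; it is the combination of a brand claim, an off-brand link or risky attachment, and pressure wording that pushes a message over the hold threshold. A held message is routed to whoever handles guest relations with a note to verify it through the booking platform rather than by following the link.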

“Attackers often exploit the most vulnerable aspects of a business to achieve their goals,” says Anna Lazaricheva, a spam analyst at Kaspersky. “In the hospitality industry, they prey on the dedication of hotel service employees who strive to excel at customer service. By mimicking guest inquiries or complaints, they manipulate the staff’s commitment to resolving issues quickly, thereby increasing the likelihood of falling victim to fraudulent schemes.

“To protect against these attacks, businesses should implement robust email filtering systems, provide regular training for employees on recognising malicious attempts, and establish protocols for verifying the authenticity of urgent requests before responding,” Lazaricheva adds.