The hotel industry, which relies heavily on technology to manage guest services and operations, has become a prime target for cybercriminals.

Phishing – where attackers pose as legitimate entities to trick individuals into divulging confidential information – has become the method of choice for these criminals.

These attacks aim to steal user credentials and sensitive guest information, such as payment details, potentially leading to significant financial and reputational damage.

Steven Pieterse, CEO at IT and hotel technology specialist firm Metisware, warns that “in the wake of rising cyber-attacks on the hospitality industry, hotel operators and property managers must be on high alert for a surge in phishing scams.”

Criminals use sophisticated techniques, including fake Google ads and counterfeit websites, to trick hotel staff into entering their login details. Once these credentials are compromised, cybercriminals gain access to sensitive guest information, including payment data, booking records, and personal details, putting the hotel and its guests at risk.

“Cybercriminals are targeting large hotel chains and small and medium-sized establishments,” warns Pieterse. Hoteliers must understand the seriousness of this situation and take the necessary steps to protect themselves, their business, and their guests.

As phishing scams become more sophisticated, hoteliers must stay ahead of the curve by implementing stringent security measures. Metisware urges all hoteliers to implement the following precautionary steps to safeguard their systems:

Change passwords regularly

This may sound like a stuck record, but hoteliers should ensure that all user passwords are updated frequently. The bottom line is, regular password changes will reduce the chances of unauthorised access.

Passwords must be complex, incorporating a combination of letters, numbers, and special characters. Reusing passwords across different sites should be strictly avoided.

Additionally, passwords should never be written down or shared with colleagues.

“Although it may seem a tedious task, the importance of password management cannot be overstated,” says Pieterse. “A weak or reused password is often the weakest link in a hotel’s security chain. Implement and enforce strong password policies to significantly reduce the risk of credential theft.”

Beware of fake login pages and URL scams

Cybercriminals are increasingly placing fake Google ads that direct users to counterfeit login pages. Clicking on these fraudulent ads can lead staff members to fake websites where their login details are stolen.

Hoteliers are strongly advised not to use search engines to locate login pages. Instead, they should bookmark official URLs to ensure they only access legitimate websites.

Another tactic involves criminals making subtle changes to the URL, tricking users into thinking the site is legitimate. These minor alterations can easily go unnoticed, increasing the risk of users being misled and falling victim to the scam.
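The bookmark-only advice and the altered-URL tactic above can be turned into an automated check. The following Python code is an added example, not from Metisware or the original article: it accepts a login URL only when its host exactly matches a bookmarked one over HTTPS, and flags near-misses. The host names are constructed, and the two-edit threshold is an assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts staff have bookmarked (hypothetical names).
OFFICIAL_HOSTS = frozenset({"login.pms-vendor.example", "extranet.bookings.example"})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_login_url(url: str, official=OFFICIAL_HOSTS) -> str:
    """Return 'official', 'lookalike' or 'unknown' for a login URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lowercases it
    # Trusted only on an exact host match over HTTPS with no userinfo part.
    if parts.scheme == "https" and host in official and not parts.username:
        return "official"
    signals = (
        # Non-ASCII or punycode labels can render like a familiar name.
        not host.isascii() or any(l.startswith("xn--") for l in host.split(".")),
        # Official name placed before '@', so the real host is what follows.
        (parts.username or "").lower() in official,
        # Official name embedded inside a longer, different host.
        any(h != host and h in host for h in official),
        # One or two characters swapped, added or dropped (assumed threshold).
        any(0 < edit_distance(host, h) <= 2 for h in official),
    )
    return "lookalike" if any(signals) else "unknown"

if __name__ == "__main__":
    samples = [  # constructed URLs for illustration
        "https://login.pms-vendor.example/signin",
        "https://login.pms-vend0r.example/signin",
        "https://login.pms-vendor.example.account-check.example/",
        "https://login.pms-vendor.example@signin.example/",
        "https://www.wikipedia.org/",
    ]
    for s in samples:
        print(f"{classify_login_url(s):10} {s}")
```

Anything not classified as official is untrusted; the lookalike label only marks URLs that deserve a report to whoever handles security for the property.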

 

Be wary of suspicious emails

Cybercriminals frequently use email phishing schemes to gain access to systems. Hoteliers should train staff to be vigilant when opening emails, especially those containing attachments or links. Verifying the sender’s email address and contacting them directly if there are any doubts is a critical step in preventing phishing attacks.

Monitor outbound email activity

Unauthorised reservation confirmation emails sent from the hotel’s PMS can be a sign of a phishing attack. Hoteliers should regularly monitor outbound emails for suspicious activity. If unscheduled emails are sent without your knowledge, it is crucial to alert the security team immediately.

Use firewalls and antivirus software

Not only should you be employing reputable firewalls and anti-malware software to detect and prevent malicious activity, but these systems should be updated regularly to keep up with the latest threats. Ensuring that only authorised users have access to the PMS is also a vital measure. Regular audits should be conducted to remove access for staff members who have left the company.

The hospitality industry has already experienced the detrimental effects of cyber-attacks where hackers compromised the personal data of millions of guests, including payment information. The financial and reputational consequences of these breaches are severe, highlighting the importance of immediate action.

“We’ve seen time and again that cybercriminals don’t discriminate based on hotel size or location,” says Pieterse. “Whether you’re a boutique hotel or part of a global chain, you’re a target. Being proactive is your best defence.”