In recent months, several distribution channels have reported increased phishing activity targeting both hotel staff and guests. These attacks are becoming more sophisticated, often impersonating trusted platforms or partners to gain access to sensitive systems and data.
What is phishing and why it matters
Phishing is a type of cyberattack where criminals send deceptive messages, often via email, WhatsApp, or SMS, designed to trick recipients into clicking malicious links. These links lead to fake login pages that capture credentials for systems such as your Property Management System (PMS), Central Reservation System (CRS), or other connected platforms.
Once inside, attackers use legitimate account privileges to extract sensitive information, including guest reservation details. In some cases, they even launch a second wave of phishing, targeting guests directly and requesting duplicate payments or personal data.
Recent trends affecting the hospitality sector
- Spoofed emails that appear to come from Booking.com or other trusted partners
- Fake login pages mimicking hotel systems
- WhatsApp messages targeting front-desk staff with urgent requests
- Guest-targeted scams asking for payment confirmations or card details
How to protect your hotel and guests
- Always use the correct login page
Before entering credentials, double-check the URL. Phishing sites often look identical to legitimate ones but may have small differences in the web address. Bookmark the official login pages for your PMS, CRS, and partner systems, and avoid clicking login links in emails or messages unless you are certain of the source.
- Verify email senders
Phishing emails often use spoofed addresses that appear legitimate.
  - Check the sender’s domain carefully (e.g., @booking.com vs @book1ng.com).
  - Hover over links before clicking to see the actual destination URL.
  - Look for spelling errors or unusual formatting.
  - Be cautious of urgent requests for credentials or payments.
If in doubt, contact the sender through a verified channel such as your account manager or official support portal.
- Enable multi-factor authentication (MFA)
Activate MFA for all staff accessing sensitive systems. Avoid SMS-based MFA where possible, as it can be more easily compromised.
- Train your team
Regularly educate all employees, especially front-line and seasonal staff, on how to identify phishing attempts and what to do if they suspect a breach.
- Limit access privileges
Use “least privilege” access principles to ensure that, if an account is compromised, the attacker’s reach is minimal.
- Encourage reporting
Promote a “see something, say something” culture. Make it easy and safe for staff to report suspicious messages or activity.
- Share suspicious emails safely
If you receive a phishing email, log a case via the Customer Portal and attach the original message. Alternatively, send a screenshot or forward the email separately to avoid filters that might block it.
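The sender-domain and login-URL checks described under "Verify email senders" and "Always use the correct login page" can also be automated at a mail gateway or help desk. The sketch below is an added example, not code from the original article or its publisher; the `TRUSTED` allowlist, the function names and the sample addresses are assumptions constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains this property really logs in to or receives partner mail from.
TRUSTED = {"booking.com"}
# Common digit/letter swaps seen in lookalike domains (constructed, not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e", "5": "s"})

def skeleton(name):
    """Collapse visually similar characters so 'book1ng' and 'booking' compare equal."""
    return name.translate(SWAPS)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'trusted', 'lookalike' (hold for review) or 'unknown'."""
    host = (host or "").strip().lower().rstrip(".")
    if any(host == good or host.endswith("." + good) for good in TRUSTED):
        return "trusted"
    # Assumption: the registrable domain is the last two labels (no public-suffix list).
    candidate = ".".join(host.split(".")[-2:])
    for good in TRUSTED:
        if skeleton(candidate) == skeleton(good) or edit_distance(candidate, good) <= 1:
            return "lookalike"
        # Trusted name used only as a leading label of some other domain.
        if host.startswith(good + ".") or "." + good + "." in host:
            return "lookalike"
    return "unknown"

def classify_sender(from_header):
    """Judge the real address, not the display name shown in the mail client."""
    address = parseaddr(from_header)[1]
    return classify_host(address.rpartition("@")[2])

def classify_url(url):
    """Judge the host a link or login page actually points at."""
    return classify_host(urlsplit(url).hostname)

if __name__ == "__main__":
    # Constructed samples.
    for h in ('"Booking.com" <noreply@book1ng.com>', '"Booking.com" <noreply@booking.com>'):
        print(h, "->", classify_sender(h))
```

A "lookalike" result is a reason to hold the message for review, not proof of fraud, since a legitimate domain can sit one character away from a trusted one.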
Cybercriminals are becoming more organised and commercialised, turning stolen credentials and booking data into big business. While we can’t stop them from trying, we can make it much harder for them to succeed. By staying vigilant, educating your teams, and implementing layered security measures, you can protect your hotel, your guests, and the reputation of your brand.