The hospitality industry is facing polished, personalized impersonations from cyberattackers looking for credentials and data. With AI powering sophisticated phishing and deepfakes, malicious hackers are zeroing in on hotels and booking platforms, according to pros in the field who spoke with IT Brew.
“In an industry that’s built on customer trust, the attackers are targeting the very channels that people rely on: all of the confirmation emails, SMS updates that they get, and mobile apps to deliver all of this malicious content that we’re seeing,” Pam Lindemoen, chief security officer and VP of strategy at the cyberintelligence-sharing group Retail and Hospitality Information Security and Analysis Center (RH-ISAC), said.
Go phish. RH-ISAC shared three examples with IT Brew of recent phishing messages.
- With convincing vacation images and a “Give feedback” button, one notification asks guests to rate their recent stay.
- Another email, featuring a familiar palm-tree graphic design, says “Your booking is now confirmed” and comes complete with a booking reference and a “Manage my booking” option.
- A third example revealed a replica “Rewards” page.
The phishing attack is not necessarily entirely new, according to Lindemoen; what’s novel, she wrote in a follow-up email, is the increased sophistication with which threat actors are executing these scams. GenAI tools create realistic graphics and copy in a matter of minutes, she noted.
Lindemoen said fraudsters use malicious links and PDFs to infect devices with info-stealing malware, or to send travelers to fake travel sites that collect their personal information.
Adversary groups like DarkHotel have, as far back as 2014, specifically targeted luxury hotels and guests with false software updates on hotel Wi-Fi networks.
“The hospitality business: They’re kind humans. They want to please you,” Lindemoen said. “They’re preying on the actual thing that makes them trustworthy.”
Storm’s coming. According to a recently published hospitality report from cybersecurity company VikingCloud, 48% of hotel IT and cybersecurity leaders admit they lack confidence in their staff’s ability to detect or respond to AI-driven threats like deepfakes.
Deloitte’s Center for Financial Services predicts that GenAI could lead to $40 billion in fraud losses in the US by 2027.
The stakes are high, according to VikingCloud CPO Kevin Pierce, with 212 million US adults set to travel this summer. The combination of high-value customer data, seasonal surges, and overstretched IT resources creates a “perfect storm,” Pierce wrote to us, adding that cybercriminals can exploit the seasonal pressure and leverage AI-powered tools to launch large-scale attacks.
VikingCloud’s survey of 50 hotel IT and cybersecurity practitioners in North America found that 26% of respondents admitted to “limited” in-house cybersecurity expertise.
Trust exercises. Lindemoen recommends brand-monitoring technologies, tools that use tactics like machine learning and heuristics to catch spoofed domains.
“It’s really difficult to see, it’s really difficult to fight,” she said. “It’s just exploiting brand loyalty, and it’s basically attacking the trust that you’ve built with your customers.”