By Fran Worrall
Hospitality Upgrade recently experienced a domain impersonation attack in which a bad actor, using an email account on a lookalike domain, impersonated the company’s accounting department and sent fraudulent payment-due notices to its advertisers. In response, the company quickly alerted its partners and filed reports with the proper authorities, including the FTC. Luckily, no one fell victim to the fraud, in large part because of the cybersecurity measures that savvy advertisers had already implemented.
It’s hardly an isolated incident. According to a recent FBI Internet Crime Report, phishing attacks have increased more than 110 percent in the last five years, resulting in losses totaling billions of dollars. Using social engineering, fraudsters target consumers, including company employees, with emails that appear to come from well-known sources, with the goal of obtaining sensitive information or money; the same emails may also deliver malware. In domain impersonation scams, the fraudulent domain is made to look like the legitimate one by adding or dropping a letter, swapping in a visually similar character, or inserting a hyphen or other symbol. In the case of Hospitality Upgrade, an ‘s’ was added to the end of the name (hospitalityupgrades.com instead of hospitalityupgrade.com).
David Durko, chief executive officer at Security Validation, a data security compliance company serving the hospitality industry, predicts these kinds of attacks will double in 2024. “Although the level of sophistication ranges widely, you don’t have to be a skilled hacker to achieve a fairly high level of return,” he said. “So, it’s not going to stop any time soon.”
According to Doug Landoll, chief executive officer at security compliance company Lantego, the motive is usually financial. “Although bad actors sometimes attack a company because of a grievance, that’s not the norm,” he said. “There’s money to be made, even if only a few people fall victim to the fraud.”
The hospitality industry is especially vulnerable to phishing attacks as well as to larger data breaches, said Jason Arabian, chief strategy officer at CMIT Solutions, an IT support and technology services company. “Hotels collect an enormous amount of customer data, yet they often don’t have the strongest or latest security measures in place.”
What’s more, staff turnover is high, workers are often transient, and employees are expected to hit the ground running. “It’s a prescription for disaster,” he said.
Indeed, IBM’s 2023 Cost of a Data Breach Report reveals that the average cost of a data breach in the hospitality industry increased substantially over the past year, from $2.94 million in 2022 to $3.36 million in 2023. Across all industries, phishing was the initial attack vector in more than 15 percent of breaches, making it the single most common entry point for a successful breach.
“Email has morphed into a huge target, and the threat landscape has evolved in the last year,” Arabian said. “The protocols we had for security going into 2022 included strong passwords and multi-factor authentication, but phishing emails have gotten much more sophisticated.”
Durko agrees. “When Microsoft enforced multifactor authentication, many people thought it was the end-all and be-all, but bad actors can easily get around that.”
Fortunately, the industry can take a number of steps to prevent phishing attacks, beginning with staff training. “The number one way to protect against phishing is to strengthen your human firewall,” said Josh Bergen, chief executive officer at CyberTek, a managed security service provider to the hospitality industry. “It takes education, practice simulations, and tracking and rewarding good behavior. Cybersecurity isn’t just an IT problem. It requires vigilance on the part of every employee.”
Arabian advises hotels to provide monthly courses as well as a mandatory cybersecurity training course as a part of onboarding. “The weakest link in every network is the end user, which makes training the most important piece of the security puzzle,” he said.
Consistency and frequency are key. “Education is critical, but we don’t do it frequently enough,” Durko said. “Often, as soon as associates complete training, they forget half of it. Plus, turnover is high in hospitality, making regular sessions all the more important.”
Users also need to understand the threats, Landoll advises. “Show them what’s wrong in the email.” Clues include a sense of urgency and poor spelling, although attackers now routinely use generative AI tools to produce clean copy, so spelling alone is no longer a reliable tell. Another common giveaway is a signature that is out of the ordinary; for example, ‘James’ instead of ‘Jim.’
As for the avenues of education, there’s everything from interactive videos to classroom sessions. Some large companies develop their own training programs. Regardless of the approach, there are costs. But the bigger expense comes from not providing adequate training, Arabian said. “You either pay up front in a way that protects your business and your brand, or you’ll pay on the back end for forensic audits, lost funds, higher insurance premiums and damage to your reputation.”
Another critical step in the fight against phishing is leveraging security technology. Modern firewalls and DNS filters check every domain a user connects to and can block or warn on newly registered ones, a common sign of a fresh phishing campaign. There are also endpoint security packages that protect staff who work away from the corporate network.
Additionally, hotels should consider impersonation protection, which scans inbound email in real time for irregularities, from a sender domain that closely resembles a trusted one to suspicious content in the message body, and blocks or quarantines messages that are deemed suspicious.
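The domain check that impersonation protection performs, and the lookalike pattern from the Hospitality Upgrade incident above, can be illustrated with a small scanner. The code below is an added example written for this article; it is not Hospitality Upgrade’s tooling or any vendor’s product. It assumes a configured list of trusted domains, uses a naive second-level-label split rather than the Public Suffix List, and runs over constructed From: header values modelled on the incident (the lookalike domain with an extra ‘s’, a digit-for-letter substitution, a trusted name embedded as a subdomain, and a display name that quotes the trusted address while the real sender is elsewhere).

```python
"""Lookalike-domain and display-name checks for inbound mail (added example)."""
import unicodedata
from email.utils import parseaddr

# Domains this organisation treats as its own or as known partners. Constructed
# for the example; a real deployment would load these from configuration.
TRUSTED_DOMAINS = {"hospitalityupgrade.com"}

# Characters attackers substitute because they look alike in common fonts.
# Multi-character entries are listed first so they are folded before singles.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}
# Edits allowed before a name is called a lookalike. Tuned for brand names of
# ten or more characters; very short names need a tighter threshold.
EDIT_THRESHOLD = 2


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(text: str) -> str:
    """Lower-case, strip accents and fold confusable characters."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        text = text.replace(src, dst)
    return text


def sender_domain(address: str) -> str:
    """Domain part of an address (empty if none), with punycode labels decoded."""
    _, at, domain = address.rpartition("@")
    if not at:
        return ""
    domain = domain.lower().rstrip(".")
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already a Unicode domain, or not valid punycode


def second_level(domain: str) -> str:
    """Naive registrable label: 'hospitalityupgrades.com' -> 'hospitalityupgrades'.
    Does not consult the Public Suffix List, so 'example.co.uk' yields 'co'."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return a verdict and reason for one From: header value."""
    display, address = parseaddr(from_header)
    domain = sender_domain(address)
    if not domain:
        return {"address": address, "verdict": "malformed", "reason": "no domain in From address"}
    if domain in trusted:
        return {"address": address, "verdict": "trusted", "reason": "domain is on the trusted list"}
    norm_domain = normalize(domain)
    norm_sld = normalize(second_level(domain))
    for known in trusted:
        known_sld = normalize(second_level(known))
        distance = levenshtein(norm_sld, known_sld)
        if distance <= EDIT_THRESHOLD:
            return {"address": address, "verdict": "lookalike",
                    "reason": f"{domain} is {distance} edit(s) from {known} after confusable folding"}
        if known_sld in norm_domain:
            return {"address": address, "verdict": "lookalike",
                    "reason": f"{domain} embeds the trusted name {known_sld}"}
    # Display-name impersonation: the visible name claims the trusted brand
    # while the address sits on an unrelated domain. Flagged for review, since
    # a genuine partner might also mention the brand in a display name.
    norm_display = normalize(display).replace(" ", "")
    for known in trusted:
        if normalize(second_level(known)) in norm_display:
            return {"address": address, "verdict": "display_name_spoof",
                    "reason": f"display name {display!r} references {known} but address is on {domain}"}
    return {"address": address, "verdict": "external", "reason": "unrelated external domain"}


def scan(headers):
    """Classify a batch of From: header values; returns (header, verdict) pairs."""
    return [(h, classify_sender(h)["verdict"]) for h in headers]


# Constructed sample headers modelled on the incident described in the article.
SAMPLE_FROM_HEADERS = [
    "Accounting <ar@hospitalityupgrade.com>",
    "Hospitality Upgrade Accounting <billing@hospitalityupgrades.com>",
    "Accounting <ar@hospita1ityupgrade.com>",
    "Accounting <ar@hospitalityupgrade.com.invoice-portal.net>",
    '"accounting@hospitalityupgrade.com" <ar@mail-example.net>',
    "Jim Smith <jim@example.org>",
]

if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_FROM_HEADERS):
        print(f"{verdict:<19} {header}")
```

The scanner only looks at the From: header, so it complements rather than replaces sender authentication: a lookalike domain the attacker controls will pass SPF and DKIM for its own name, which is exactly why the string comparison is needed. In production the trusted list would also include key vendors and partners, and the edit threshold would be scaled to the length of each name.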
Similarly, threat reputation services can detect and block potentially harmful activity. These automated interfaces provide client systems with a machine-readable score that describes the perceived trustworthiness of an object based on an identifier or indicator. Vendors conduct frequent threat assessments against websites, files and domain names to categorize how often they have been associated with malicious activity and assign a reputation score. Security devices then use the resulting scores to block or flag traffic. One caveat: a reputation score lags real-world activity, so a domain registered days before a campaign may carry no score at all; pairing reputation checks with domain-age and lookalike detection closes that gap.
Other safeguards include strong passwords and sound reset processes, third-party spam filtering, tagging of external email (a banner or subject prefix on anything that originates outside the organization), digital signing and email encryption. Sender authentication records (SPF, DKIM and DMARC) stop attackers from sending mail that claims to be from the company’s exact domain, but they do not address a lookalike domain such as hospitalityupgrades.com, which the attacker owns and can configure with valid records of its own.
What’s more, the Payment Card Industry Security Standards Council (PCI SSC) has made anti-phishing mechanisms part of PCI DSS v4.0 (requirement 5.4.1, mechanisms to detect and protect personnel against phishing attacks). The requirement is a best practice until March 31, 2025, after which it becomes mandatory in a PCI DSS assessment. “The data shows this practice helps reduce the access of bad actors and attackers,” Bergen said.
Yet, even with strong protections in place, someone must oversee all the activity. “The typical managed service provider isn’t set up to be a 24/7 watchdog,” Arabian said. “You need a well-trained security operations center in the mix to parse the information and act accordingly, whether that’s to shut things down or contact the hotel and provide recommendations.”
At the end of the day, there’s no single solution. “It’s layered practices, policies and services,” he said. Security is also evolving, which means the protections that work today may not work tomorrow.
To get a handle on the hotel’s potential exposures, Landoll suggests hiring a security expert to perform a risk audit, which will determine security weaknesses and their impact on the organization. “Companies are sometimes aware of certain risks but they don’t fully understand how much harm they can cause,” he said. “A risk assessment can point out the vulnerabilities and make suggestions for improvement.”
Finally, and most importantly, make security a priority. “Hotels that want to move into the future without incident must build a culture around security and allocate the money necessary to maintain it,” Durko concluded. “Budgets may be tight, but it’s shortsighted to do anything less.”