5 Ways Cybercriminals are Attacking Hotels

  |   fraud, Hospitality, pci compliance, security, Sertifi

Before jumping into our tips on how to avoid breaches at your hotel, we wanted to first touch on a growing trend – phishing scams related to the COVID-19 crisis. In the weeks since the virus became a worldwide pandemic, we’ve seen a sharp rise in the number of scammers attempting to capitalize on the uncertainty we’re all facing.  


According to a report by email-security firm GreatHorn, Coronavirus-related email threats increased by more than 50% between February and March. Overall, there were 15 times as many phishing attacks during the first two weeks of March than the entire month of January, making up more than 1.5% of all emails 


Criminals will never miss an opportunity to exploit public fears and use them to their advantage, and this is no exception. 


To help combat this, we’ve compiled some tips and best practices when dealing with potential phishing attacks. Here are some simple things to look out for: 


  • Emails from the CDC 
  • Emails giving health advice 
  • Emails offering you financial relief 
  • Emails informing you of new workplace policies 


Photo by: Courtesy Graphic

As with all phishing scamscriminals will use the email to try to get you to click a dangerous link or give them your personal information which can then be used to commit fraud or identity theft. 


Typically, these types of emails will have commonalities you can use to determine their legitimacy, and there are things you can do on your end to protect yourself: 


1. Never give out your Social Security number or other personal data to anyone claiming to be a government agency. Legitimate government emails won’t ask for that information. 

2. Avoid “urgent” emails telling you to act now. Delete the message. 

3. Watch out for spelling and grammatical errors, generic greetings and sketchy email addresses or website URLs. 


As always, be alert for those looking to take advantage of you, and especially now, those who would look to profit from this crisis. 




Where are Hotels Vulnerable to Breaches?


Hotels are more vulnerable to security breaches than many other industriesAccording to a report by Trustwave10% of data breaches occurred in the hospitality industry, making them the third largest share of all incidents. Hackers looking for potential weaknesses to exploit are finding hotels to be riddled with them. 


Many factors go into this including the multiple points of entry at hotelsunsecured WiFi networks creating an easy target for cybercriminals, and widespread access to payment information for millions of guests. 


It’s important to know where your hotel is vulnerable to attack and keep a watchful eye out for criminals trying to take advantage othese entry points.  






Five areas hotels are prone to attack: 


1. PointofSale 


Pointof-sale (POS) attacks have historically been the number one cause for concern among hoteliers and pose an enormous threat to the hospitality industry. These kinds of attacks use malware to target third party vendors by exploiting weaknesses in the hotel’s system. When cybercriminals discover this error, they can steal credit card data from millions of guests.  


POS malware usually targets systems that handle credit card data, and by using techniques such as memory scraping/dumping and keystroke-logging functionality, they can capture large quantities of card data. 


Web applications and mobile applications used in POS transactions are easily accessed by hackers, making them a huge target. Breaches are especially prevalent in hotels who don’t have security plans and best practices firmly establishedIt’s also important to hire employees with a strong technical background to keep you apprised of security and technology trends.  


Some quick stats: 


  • POS systems comprised 28% of breaches. 
  • 60% of these were phishing scams. 
  • 43% targeted card track data. 


2. Corporate/Internal Networks 


Another common method cybercriminals use to gain access to guests’ information is the hotel’s WiFi network. Hotel guests are particularly vulnerable to hackers when they utilize the hotel’s WiFi. Logging on to an open network immediately puts them at risk for getting hacked, and once a device is breached, hackers can install spyware to view all their activity. This includes any financial information they may have on their device. This data can then be used as part of a phishing campaign against the individual.  


In addition to an open WiFi network, hackers can also create their own WIFI networks in order to trick guestsA traveler can easily fall victim to this scam and login to a false network without ever realizing it 


Cybercriminals can also upload malicious malware to a hotel’s server enabling them to target specific guests and trick them into downloading infected software. In recent years, these types of attacks have become more advanced and usually target those in a position of authority, taking over their email and sending fake emails to colleagues. These attacks generally seek a financial gain.


As a precaution, you should implement separate WiFi networks for social and professional use. 


Some quick stats: 


  • Corporate and internal networks made up 29% of attacks. 
  • 45% of all inbound emails contained spam. 


3. eCommerce 


eCommerce is a huge target for cybercriminals due to the large volume of credit card data and personal information being entered, and stored, on hotels websites. Any web server that’s used for processing payment information or personally identifiable information (PII) is at risk for attack.


Criminals have certain tools and techniques at their disposal to infiltrate sites that deal with eCommerce transactions. Using malicious scripts, they’re able to skim and capture payment information from unaware guests 


Web applications serve as a powerful tool to connect consumers with services, allowing for more transactions to be completed online than in-person. In turn, this makes them a target for attackers who are looking for a way to steal credit card information. Once card data has been stolen, it’s highly likely that it will be sold on a dark web marketplace and used by criminals on other eCommerce sites. 


It’s important to pay attention to where your specific vulnerabilities are and how you can work to mitigate the threat. 


 Some quick stats: 


  • eCommerce made up 29% of attacks. 
  • 25% of incidents targeted card-not-present (CNP) data.  
  • 32% of targeted financial information or user credentials. 


4. Physical Attacks 


Keep in mind that not all security threats are cyber related. You should never underestimate what a criminal can do in person if you let your guard down. 


Physical security breaches can be the most simple and straightforward method of attack, but often overlooked. Just by being in the vicinity of a hotel, criminals can easily access a hotel’s servers, computers, and terminals.  


One of the easiest things you can do is train your employees on what to look out for in terms of suspicious behavior. Engaging guests during check-in also goes a long way in not only creating a welcoming atmosphere, but also in determining who might be a potential threat. If you notice someone exhibiting behaviors that are different than your typical guest, you may want to pay more attention to their actions 


You can also install video surveillance systems to keep an eye on the things that your employees can’t.  


Some quick stats: 


  • 25% of hospitality companies don’t provide any security training. 
  • 18of hospitality companies only train their employees once during their employment. 
  • 31% of hotels don’t have a policy in place for storing and disposing confidential information. 


5. Data Sharing Between Interconnected Systems 


The world is getting smaller thanks to the ability to share information instantaneously, and your guests expect hotels to have accessible WiFi networks, mobile apps, and other hi-tech systems during their stay.  


Hotels are also feeling the pressure to share their data between organizations such as travel management companies in order to make processes easier. 


While this makes doing business exceptionally more efficient, it also makes hotels even more vulnerable to breaches. Each piece of technology a hotel uses increases their risk of a breach


Even tools designed to protect you can be turned into a weapon. Hackers can target a wide variety of common devices and everyday systemsThings as simple as security cameras are vulnerable to attack. If these are breached, it can cause a chain reaction and bring down entire computer systems.  


Having a firewall in place is critical in keeping your systems protected from attack.  


Some quick stats: 


  • 67% of hotels’ websites leaked booking codes to third-party partners. 
  • 29% of sites senemails containing unencrypted confirmation links, meaning hackers could intercept the data. 


*Smart Hotels: A New Trend  


Everything is digital now, and some “smart hotels have started integrating advanced features to enhance the guest experienceIn many cases, guests never even have to interact with an individual during the whole checkin process. They’ll simply receive text when their room is ready and can even unlock the door with their mobile phone. 


But be aware, smart phone key cards present a real risk for guests. According to Reader’s Digest, smart keys can be intercepted from up to 15 feet away. This technology has yet to be perfected and is being exploited more and more frequently. You can be hacked anywhere at any time, so you must remain alert 


This kind of breach is also worrisome because it enables a criminal to gain direct access to a victim’s hotel room. It becomes just as much a physical safety concern as a cyber safety concern. 


Additionally, many hotels are now starting to implement voice-controlled systems into their hotel rooms. Guests can utilize a voice-controlled assistant that does everything from ordering room service to turning on the TV. While many things about this are great, it comes with downsides as well.  


By nature, interconnected devices are generally more vulnerable to security breaches on a larger scale. And with a voice-controlled system, you run the risk of people listening in, something Amazon recently admitted to with its employees, and all-around easier access to personal information. 


Unfortunately, with every advance in technology comes a new way for criminals to infiltrate your security systems. The hotels who are embracing new and innovative technology are also the ones who are at higher risk. And yet, guests demand this kind of tech savvy experience during their visit.  


Each aspect of your business needs to be carefully monitored and you need to have a technology team to keep you apprised of security trends and help you stay ahead of the criminals. Remember, don’t implement technology for the sake of technology without being aware of the potential risks associated with it.  


At the end of the day, the most important thing is to be aware of your surroundings, monitor what points of entry criminals can access within your hotel, and devise security plans for how to prevent attacks, as well as for what to do in case of a breach. 



Up Next: Read PCI Compliance and the Guest Experience

About the Author 

As the Content Marketing Specialist at Sertifi, Kelli loves writing and the power of words to tell stories. She assists the team with content creation and occasionally dabbles in design. Outside the office, you can find her reading, traveling (mostly to Michigan), and buying too much stuff on Amazon.