With the widespread digitalisation of hospitality comes a host of cybersecurity risks. Businesses in the sector face many potential threats, but one stands out as the most significant for hotels: phishing.

This is according to Adam Blake, CEO at ThreatSpike Labs, who highlighted the dangers at the International Hotels Technology Forum (IHTF) on Tuesday (18 April).

Speaking to industry professionals, he said: “The number of phishing attacks hotels are facing is unbelievable. Some of the hotel groups that we provide email protection for are quarantining 35% of their emails every day. This is a lot if you think that a single phishing email can cause a mailbox breach, malware, or even ransomware. This is a huge threat.”

The reason for the attacks is usually financial – an attacker could make tens of thousands of dollars from a single attack. In his talk, Blake offered the example of Booking.com, which fell prey to an attack last year through emails containing links to a fake website that were sent to reception staff. By clicking the link, staff would unknowingly download Vidar Infostealer – malware used by scammers who went on to target customers.

AI: a tool that favours the malicious

The problem is already bad, but it is set to get worse. Hotel Management Network spoke to Blake to find out how artificial intelligence (AI) will shape the changing face of digital security, and whether it will be a help or a hindrance to those looking to protect themselves against bad actors.

“In the past, phishing was a manual thing,” he explained. “If somebody was coming to phish you, they would have to write an email and they would have to either engage with you and take some time – which slows down what they can do and how many people they can target – or they’d have to make one really amazing phishing email which will get you first time and then send it out to 1,000 people.

“With AI, they can make really amazing phishing emails and send it out to thousands of people. Everybody will start to get really convincing phishing emails which are customised to them, and, based on the way that they respond, they’ll get different responses.”

However, there is the potential for AI to be used for good too. Running a hotel’s emails through AI can spot likely phishing attacks and prevent staff from receiving them, but it’s not cheap.

“The cost of using AI is extravagant,” said Blake. “If you imagine that they are going to create an email, it’s going to cost them let’s say, 4 cents or something. But imagine you have to run every single email through AI – that’s going to cost you more like $4m. Unfortunately, it’s still in the favour of the attacker.”

Big companies and small independents at risk

Cybersecurity is not cheap, and small brands and independent hoteliers can find that full protection is out of budget. They might cut corners and rely on hotel staff to spot phishing attacks, as Blake explained: “The independents have to do everything themselves. They are completely on the hook for every single bit of their security.”

It often results in haphazard protection – an ill-fitting jigsaw of cybersecurity with gaps through which attackers can slip.

“Usually, buying security is like buying parts for a car,” said Blake. “Imagine you buy a car, but you buy it in parts. You get to customize it as much as you want, but you pick really nice tires, a really nice engine and then you run out of money. That’s kind of like security. Companies basically buy as much as they can afford and then they have massive gaps because they haven’t been able to cover everything.”

The attack on MGM Resorts by ransomware group ALPHV/BlackCat in September 2023 was a reminder that no company is safe, and even the largest hoteliers are at risk. In fact, although larger brands have the budget to invest in the best cybersecurity systems, they are also the most attractive targets to bad actors. There are more points of access to attack, and there is more money to be made.

Of these challenges, Blake commented: “The bigger you are, the more stuff you’ve got; the more systems you have, the slower it is to migrate to new tech. You’re also at higher risk of causing big outages if you get it wrong, so you tend to find that, when it comes to the biggest risks, it’s a combination – it’s with the independents and the really big groups who struggle to embrace anything new.”

Cybersecurity advice to hoteliers

Blake described cybersecurity as “getting a bit bumpier and scarier for hospitality,” adding: “Last year was just one attack, after another attack, after another attack in different ways. [Cybercriminals] are methodically working their way through different approaches to try and get maximum profit out of it.”

Considering the best course of action for hoteliers, he noted that a larger attack surface equates to higher vulnerability. “The less surface area you have, the fewer places that you can possibly be attacked,” he advised. “It makes sense. Always keep things simple, basically.”

He suggests using cloud-based services rather than VPNs and recommends stripping links and attachments from emails before staff even receive them.
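As an illustration of that last recommendation, the following added example (not from ThreatSpike or from the talk) shows a mail-gateway style filter in Python that drops every attachment and replaces links with a placeholder before delivery. The function names, addresses and sample message are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")

def strip_links_and_attachments(raw):
    """Return (clean_message, removed_urls, removed_attachment_names)."""
    original = message_from_string(raw, policy=policy.default)

    # Take the plain-text body if present, otherwise the HTML body.
    body = original.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = URL_RE.findall(text)  # also catches href targets in HTML
    if body is not None and body.get_content_subtype() == "html":
        text = TAG_RE.sub(" ", text)  # drop markup, and with it every href
    text = URL_RE.sub("[link removed]", text)

    # Record what is dropped so it can be logged or reviewed later.
    names = [p.get_filename() or p.get_content_type()
             for p in original.iter_attachments()]
    if names:
        text += "\n[attachments removed: " + ", ".join(names) + "]\n"

    # Rebuild as single-part text/plain so no MIME part can carry a payload.
    clean = EmailMessage()
    for header in ("From", "To", "Subject"):
        if original[header] is not None:
            clean[header] = str(original[header])
    clean.set_content(text)
    return clean, urls, names

def build_sample():
    """Constructed sample: one link in the body, one double-extension file."""
    m = EmailMessage()
    m["From"] = "guest@example.com"
    m["To"] = "reception@hotel.example"
    m["Subject"] = "Problem with my reservation"
    m.set_content("Please confirm at https://reservations.example.net/login?id=42 today.")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    return m.as_string()

if __name__ == "__main__":
    clean, urls, names = strip_links_and_attachments(build_sample())
    print(clean.as_string())
    print("removed links:", urls, "removed attachments:", names)
```

Rebuilding the message as plain text, rather than editing parts in place, means nothing from the original MIME structure reaches the mailbox unless the filter copied it deliberately.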

Of hospitality’s approach to cybersecurity, he concluded: “If they weren’t taking it seriously before, it needs to be top of the concern list now.”