Recently, hotels have been increasingly bombarded by phishing: malicious messages, usually e-mails, that literally fish for sensitive information about the company and its customers. The best way to defend against this is a culture of prevention. All staff who come into contact with communication tools should learn how to recognise and report such messages.
Phishing is a phenomenon that can cause great damage not only to hotels, but also to their customers. Email phishing has been around for almost 30 years, but the explosive growth we are currently experiencing is mainly due to the emergence of artificial intelligence (AI), which now allows fake messages to be sent quickly and in an automated manner, usually with a fairly credible structure and presentation.
Digital scammers have discovered that the hospitable nature of the hotel industry is a rather vulnerable element that they can cleverly exploit. On the one hand, smaller hotels are particularly targeted. They are often relatively unprotected because they less often have expensive security systems for their computers. Moreover, they have a rather limited and often changing workforce that is not so familiar with phishing. On the other hand, large hotel groups are also attractive prey because their bulky and complex structures make them less able to react quickly to changes. But big or small: no one is safe from phishing.
In the past, forged messages could be recognised relatively quickly by their poor spelling and structure, or by suspicious mail addresses. But with today's AI, these e-mails look increasingly credible and realistic. Moreover, scammers are also getting more creative, including by applying 'social engineering', in which trust is established in several steps. Attempts to steal information are then more likely to happen in the second or third message. Or the e-mails are preceded by a phone call.
A fine example of this is a message following a room booking, in which a fake customer tells a hotel staff member that he wants a surprise for his wife. In the second message, he then refers to an attachment containing detailed instructions on how to create a special atmosphere in the room. Once the staff member opens that attachment, the scammer gains opportunities to steal sensitive information from the hotel.
A notable feature of phishing emails is their urgent nature: they usually request additional information urgently or demand payment very quickly. This alone should automatically make the recipients of such messages hit the brakes.
Often, information such as passwords is requested through a link in the e-mail that leads to a forged website. Another means is an attachment in the mail, say a file that, when opened, installs a malicious programme on the hotel's computer network. In this way, all kinds of sensitive information about both the company and its customers can be stolen via malware, spyware and the like. A link in the mail can also deliver an information-stealing programme, or infostealer.
Once digital scammers have looted enough information, they contact hotel customers and try to extort information or money by posing as the real hotel. Phishing is thus increasingly targeting hotel staff, who mainly aim to help their customers as quickly as possible by answering their queries almost instantaneously.
Just about all specialists agree that the best way for a hotel to guard against phishing is a genuine culture of prevention. Under the motto 'education is the key', staff should be trained on an ongoing basis to recognise phishing. They then learn not only that they should never respond directly to urgent requests for sensitive information, but also that clicking on links or attachments in e-mails is and remains out of the question. Moreover, during these training sessions, the latest phishing trends can be demonstrated, for instance through simulations.
In any case, it is hugely important that hotel staff learn to recognise suspicious messages. It is equally crucial that they are made actively aware that suspected fraud attempts should be reported to (nearby) colleagues and hotel management as soon as possible. In addition to creating a prevention culture, it is therefore about establishing a warning culture. Companies offer training programmes to support hotels in this.