Highlights

*Due to staffing shortages, holidays are prime targets.

*Top holiday threats for hospitality: social engineering, ransomware, bots, and fraud.

*Training, adequate staffing, and advanced tech mitigate risks.

Overview

As hospitality gears up for the holiday rush, cybercriminals are doing the same.

Studies show that 86% of successful ransomware attacks occur during weekends or holidays. Why? These are the times when security staffing is nearly cut in half.

In this week’s feature of the VENZA Echo, we’re exploring the top cyber threats targeting hospitality during the 2024 holiday season, providing actionable strategies to ensure a secure and worry-free festive period.

Top Threats

In its annual Holiday Season Cyber Threat Trends report, the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) highlights four key cyber threats that hoteliers should anticipate this Christmas season:

1. Social Engineering
Heading into the holidays, social engineering remains a top concern for hoteliers. This year has seen a rise in both the prevalence and sophistication of these manipulative tactics that hackers are increasingly leveraging against staff for theft.

Phishing email scams are—as always—a prominent threat, driven by a rise in look-alike websites, executive impersonation, and targeted efforts to harvest credentials and bypass Multifactor Authentication (MFA). Vishing phone scams, already a major concern for hospitality, have surged in sophistication and frequency.

Another looming threat vector for hoteliers: seasonal job scams, which increased by 545% last holiday season. Scammers are exploiting seasonal job seekers by posting fake listings and stealing their personal information once they’re “hired,”
Rounding out the threat landscape is a surge in denial of service (DoS) attacks, showcasing the diverse and evolving risks expected this holiday season.

2. Ransomware
A review of cyber trends from the 2023 season shows ransomware incidents more than doubled, accounting for 26% of all reported cases. For the first time, the now frequently used data extortion method overtook traditional threats like credential harvesting and phishing, establishing itself as the primary cyber risk to businesses.

This increase in ransomware activity mirrors global trends, with attacks nearly doubling in the latter half of 2023.

3. Bots
Over the past two years, cybercriminals have increasingly relied on bots—automated software programs—to carry out malicious schemes.
This holiday season, bots are expected to scrape pricing information and employ tactics like credential stuffing to rapidly guess passwords and gain unauthorized access to systems.

Beyond these direct attacks, bots can also strain systems to the point of causing DDoS-like disruptions, impacting online booking platform performance.

Automated threats are particularly insidious during the holiday rush, as they can blend seamlessly into increased traffic, making it difficult to distinguish between legitimate and malicious behavior.

4. Fraud
Gift cards remain a favorite tool for fraudsters, but tighter controls have made their methods more complex.

Hoteliers should stay vigilant against scam merchants—fraudsters creating fake websites or spoofing well-known brands to lure holiday shoppers with heavily discounted luxury items or reservations.

In the past four months, fake and spoofed merchant websites surged by 284%, with scammers using these sites to steal payment data and personal information. This trend is expected to escalate during the holiday season as online shopping increases, with fraudsters using search engine optimization (SEO) tactics to rank higher than legitimate sites.

Defense

To counter the holiday season’s heightened risks, hoteliers can take proactive steps to fortify their defenses.

*Training: In addition to educating staff on the array of threats facing them, employees must be trained in how to respond effectively to security incidents. This includes prompt reporting to designated or ‘on call’ contacts and following established protocols to quickly contain breaches.

*Staffing: As staffing plays a critical role in the frequency of successful attacks during the holidays, coverage is essential. Ensure trained personnel are available to manage incidents effectively, supported by backup contacts and communication protocols.
Additionally, with security teams, corporate offices, and stakeholders potentially out of office during the holidays, establish contingency plans to coordinate incident response throughout the season.

*Technology: Automated security solutions can enhance coverage while staff is reduced. Implement advanced Endpoint Detection and Response tools for real-time threat detection and containment. Enhance transaction monitoring with analytics to detect unusual patterns and strengthen identity verification (like MFA) to prevent account takeovers. Deploy bot management solutions to counter credential stuffing and scraping while ensuring clear differentiation between legitimate and automated traffic.

Conclusion

By remaining vigilant and prioritizing robust cybersecurity measures, hoteliers can safeguard their operations and guests, ensuring the holiday season remains a time of celebration, not compromise.

Feeling overwhelmed? Don’t worry. As the leading experts in hospitality data protection, VENZA offers tailored training and simulated social engineering attacks to assess and strengthen your defenses, providing 360-degree protection for your hotel.

***

Take VENZA’s free Phishing Test to assess gaps in your human firewall today!

Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.

***

Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.