Highlights

*Phishing and vishing attacks are top social engineering threat vectors for hospitality.

*Phishing scams mimicking Booking.com continue to evolve.

*Vishing attacks represent nearly 40% of reported incidents to VENZA experts. 

Introduction

As cybersecurity infrastructures strengthen, cybercriminals are turning to social engineering tactics to exploit human vulnerabilities. Instead of traditional hacking, this approach manipulates employees into giving up access to sensitive data and systems.

As highlighted in last week’s feature of the VENZA Echo, hospitality is particularly vulnerable against this threat. High turnover, 24/7 operations, and a “guest service” mindset make staff susceptible to the psychological manipulation tactics used by criminals.

This week’s feature of the VENZA Echo continues our three-part series providing a deep dive into phishing and vishing—the top two social engineering threats facing hoteliers today.

Stay tuned for next week’s final installment, where we’ll discuss protection, taking a hard look at the challenges hoteliers face when mounting a multi-pronged defense.

Phishing

Threat landscape

Despite being one of the oldest forms of cybercrime, phishing emails are one of the most common and costly threats to hoteliers and businesses worldwide. In the last year, 71% of organisations experienced at least one phishing attack, and those that fell victim saw a 144% spike in associated financial costs.

These email scams frequently impersonate trusted companies or individuals, tricking victims into transferring money or downloading malware. However, their primary goal is often to steal credentials, such as usernames and passwords, to gain access to critical systems or applications.

Emerging Risks

As global security measures and employee training improve, hackers have evolved and created more sophisticated and convincing scams. Out of 24 million phishing reports made between 2023 and 2024,  nearly 2 million unique phishing threats were identified.

Emerging scams now exploit multiple communication channels, such as Telephone-Oriented Attack Delivery (TOAD), or leverage phishing-as-a-service kits to bypass multi-factor authentication (MFA). However, the most widespread and rapidly growing threat is Business Email Compromise (BEC), responsible for nearly a quarter of financially motivated attacks over the last two years.

Using research from social media, attackers impersonate trusted vendors or authority figures, often spoofing executive emails to trick employees. Scammers also pose as legitimate vendors, sending convincing fake invoices to steal payments or data. Hackers have seen significant financial success with this tactic, as the U.S. Federal Bureau of Investigations reports over $55 billion has been stolen through Business Email Compromise (BEC) attacks globally.

A rising trend that adds an additional level of complexity is the use of artificial intelligence (AI). This technology is rapidly increasing the scale and sophistication of phishing emails. Large language models are driving automated scam email creation, reducing costs and effort by up to 95%. This is evident in the 4,000% surge in advanced phishing attacks seen since ChatGPT’s launch in November 2022.

Phishing Threats in Hospitality

Phishing attacks in hospitality are increasingly role specific. While corporate and upper management staff may encounter scam emails common to typical business environments, hotel operation employees, especially those in guest services, are being targeted for their credentials to critical booking and reservation platforms.

Chief among these threats are the prolific attacks leveraged against Booking.com’s hotel partners recently. These attacks trick employees into surrendering credentials for the administrative partner portal. Once inside, attackers freely send messages to guests guised as the hotel, often requesting credit card verification which they in turn steal.

The first ‘prototypes’ of this attack appeared in 2023, with hackers booking hotel rooms and responding to confirmation emails with suspicious attachments. By August and September, the attacks surged, accounting for nearly 60% of reported phishing in hospitality. Employees were targeted by emails that contained malicious links and attachments designed to install malware and keyloggers, ultimately stealing their credentials for Booking.com’s partner portal.

As more preventive measures like multi-factor authentication (MFA) were introduced to Booking.com’s partner portal, attackers’ tactics evolved. By June 2024, they shifted from using malware to deploying a sophisticated phishing kit that mimicked official Booking.com communications. Hotel staff were tricked into clicking a link to review a guest complaint, leading to a nearly identical Booking.com site that requested an MFA token. Once access was gained, the attackers continued to target hotel guests for credit card details.

While the second wave of this phishing campaign was well-documented, the threat has gone largely undetected because of its use of redirects and legitimate website proxies which filter out unwanted traffic. These techniques, combined with subtle changes to the copy in the phishing emails, allow the campaign to bypass spam filters and detection systems, making the true scale of this threat challenging to determine.

Vishing & Pretexting

Threat landscape

Vishing, or phone-based phishing, is rapidly growing as a major risk for individuals and companies alike. In 2023, the U.S. Federal Trade Commission reported that phone calls became the second most common method of fraud(just behind emails), causing over $1.2 billion in annual losses.

Vishing is especially dangerous when combined with a social engineering tactic called “pretexting,” where attackers fabricate a believable story to gain the target’s trust. This strategy enhances the scam’s credibility as the attacker uses the phone conversation to reinforce their false narrative. This is evidenced by the exponential increase in hybrid vishing attacks, which surged by 554% in 2023.

Emerging Risks

Like phishing, AI is rapidly propelling the vishing threat, with attackers now capable of mimicking the voice of loved ones or trusted individuals using widely available voice cloning or “deep fake” technologies.

A recent McAfee study found that 1 in 10 individuals had already been targeted by this threat, with 77% of victims losing money as a direct result. This threat affects not only individuals but also businesses, as over half of companies in the U.S. and UK reported being targeted by financial scams using these deepfake technologies.

Vishing & Pretexting Threats in Hospitality

In the last year, hoteliers have seen a rise in cyberattacks using vishing and pretexting tactics.

As highlighted in our first installment in the series, both MGM Resorts International and Caesars Entertainment were hit by multimillion-dollar cyber-attacks in late 2023 . These attacks used vishing and pretexting to manipulate employees and gain access to the national hotel giants’ systems, resulting in significant financial and operational disruptions.

Since 2022, VENZA has observed a sharp increase in vishing attacks, which now make up nearly 40% of reported incidents—the majority of which occurred in 2024 alone.

These scams primarily target the night shift with attackers posing as IT support or Property Management System (PMS) representatives who ask employees to download malicious files or grant remote access for fake system updates.

Conclusion

As cyber defenses become more robust, social engineering tactics like phishing and vishing are rapidly evolving to successfully exploit human vulnerabilities. To stay ahead, hoteliers must establish a comprehensive, multi-layered defense.

Join us next week for the last feature in this VENZA Echo series, where we’ll focus on these defensive strategies, highlighting the key challenges hoteliers must overcome to effectively protect against social engineering attacks.

Feeling overwhelmed? Don’t worry. As the leading experts in hospitality data protection, VENZA offers tailored training and simulated social engineering attacks to assess and strengthen your defenses, providing 360-degree protection for your hotel.

Ready to get started? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.

***

Take VENZA’s free Phishing Test to assess gaps in your human firewall today!

Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.

***

Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.