The average cost of a data breach in hospitality is $3.4 million*. And given that 31% of hospitality organizations reported a data incident in 2023*, that’s a huge amount of financial and reputational damage across our industry. 

Phishing attacks are becoming increasingly sophisticated, but so is the technology to prevent them. However, as long as there are human users, there is inherent risk. Ultimately, there is only so much a technology partner can do to prevent phishing attempts, and there is a shared responsibility with all users to ensure that best practices are followed. 

And the more proactive you are, the more secure you’ll be. There are several straightforward measures that hoteliers can take to protect themselves, their businesses and their guests – let’s explore them. 

* 2023 Hospitality Sector Threat Landscape by Trustwave 


What are phishing attacks? 

Phishing is a type of cybercrime that involves tricking people into giving away sensitive data or installing malware. Attackers use fraudulent emails, messages, phone calls or webpages to trick victims into clicking on malicious links. The links can lead to websites that steal personal information, download malware, or corrupt a system.  

It's a form of social engineering where attackers impersonate a trusted entity (such as a hotel, a technology partner, or a CEO) to gain the victim's trust. Email is the most common channel for phishing in hospitality, but we also increasingly see search engines being used to advertise fraudulent websites. 

Why the hospitality industry is a target 

First of all, let’s clarify why hackers want to gain access to your system. The answer is a simple one: data. And, ultimately, financial gain. 

Hotels (and hostels, aparthotels and the rest) hold or process a huge amount of personal and financial data, including information like names, addresses and credit card details. This data has real-world value and is often sold on to other criminal groups who then exploit the data and use it for other malicious intent. 

One common approach is to send emails to future guests that pretend to be from the hotel, requesting payment for the stay. The unaware guest makes the payment, and the money goes straight to the scammers. It’s a double blow of a financial loss for the customer (and likely the hotel) and a reputational loss which means they’re unlikely to return to the property. 

10 ways to protect your property from phishing attacks 

The good news is, there are simple, concrete steps that hospitality staff can take to defend themselves against bad actors.  

1. Never use search engines to access your login pages 

Fraudulently duplicating login pages is one of the most common approaches for a phishing attack, and using search engines as a shortcut to access your software leaves you vulnerable. 

Let’s say you use hotelpms.com to log in to your property management system. Cybercriminals can easily create duplicate login pages that look identical but are hosted on their own URL. They’ll choose a URL that looks like the one you normally use – something like hotellpms.com or hotel-pms.com – and pay for their webpage to rank at the top of the search results. 

When you log in through their fake portal, they capture your real login details so they can access your data. 

2. Bookmark your key login pages 

It’s good practice to save all your login URLs to your bookmarks bar. This way you’ll always go direct to the legitimate software login page. It’s also much faster than searching for the right link in a search engine. 

Make sure you have an up-to-date list of all your hotel software and the correct URLs for their login pages. Store this information on an internal team workspace platform so that any of your team can easily access it should they need it. 
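The bookmark list from section 2 can double as an allowlist for catching the lookalike domains described in section 1. The following is an added example, not Mews code: it compares a URL a staff member is about to use against the bookmarked login hosts and flags near-misses such as an extra letter, an inserted hyphen or a truncated top-level domain. The host names, the similarity threshold and the noise-stripping rule are assumptions chosen for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allowlist: the legitimate login hosts the property has bookmarked.
BOOKMARKED_LOGIN_HOSTS = ("hotelpms.com", "rms.example-hotel.test")


def normalise_host(url: str) -> str:
    """Return the lower-cased hostname of a URL or bare host, without a trailing dot."""
    if "://" not in url:
        url = "https://" + url
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def strip_noise(host: str) -> str:
    """Drop hyphens and collapse doubled letters, so hotel-pms.com and hotellpms.com
    both reduce to hotelpms.com. This is deliberately aggressive: it is a review
    trigger, not proof of fraud (assumed rule, not a standard)."""
    out = []
    for ch in host:
        if ch == "-" or (out and out[-1] == ch):
            continue
        out.append(ch)
    return "".join(out)


def classify_login_url(url: str, allowlist=BOOKMARKED_LOGIN_HOSTS, threshold=0.85):
    """Classify a URL as 'bookmarked', 'lookalike' (with the host it resembles)
    or 'unknown'. Anything other than 'bookmarked' should go to the reporting
    process rather than be used for login."""
    host = normalise_host(url)
    if host in allowlist:
        return ("bookmarked", host)
    cleaned = strip_noise(host)
    for good in allowlist:
        if cleaned == strip_noise(good):
            return ("lookalike", good)
        # Catch small edits such as a dropped character (hotelpms.co vs hotelpms.com).
        if SequenceMatcher(None, host, good).ratio() >= threshold:
            return ("lookalike", good)
    return ("unknown", "")
```

A browser extension or a team reminder is not needed to use this: running it over the login links in a shared workspace document is enough to catch a stray lookalike before anyone clicks it.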

3. Use strong, unique passwords 

We’ve all heard stories about people using ‘1234’ as passwords, or other guessable options like pets’ names or kids’ birthdays. The reality is that the simpler your password, the easier it is for hackers to guess and acquire it.  

Using a unique password is equally important. If you use the same password for multiple logins, it means that one security lapse can affect multiple accounts and software. For instance, if someone gains access to your personal email address, they’ll find it easy to log in to your PMS, your RMS, your CRM... 

You no doubt already know how to create a secure password, but as a reminder: 

  • Make it unique to prevent password contamination. 
  • Never share passwords, even within your team and especially never via email. 
  • Use a mix of characters, combining upper- and lower-case letters, numbers and symbols. 
  • Don’t reuse passwords across multiple applications. 

4. Use a password manager 

If your team has to remember lots of logins and passwords, password managers like 1Password or LastPass can help generate and securely store complex, unique passwords for every site your staff will access. 

It means you only need to remember one master password, which is not only more secure but will save time by reducing the number of forgotten password resets. Password managers can also generate complex passwords for you that are much more difficult to guess. 

5. Enable Two-Factor Authentication (2FA)  

Two-Factor Authentication (2FA) adds an extra layer of security to your account beyond your password, requiring a unique code sent to your phone or other device via apps like Microsoft Authenticator or Authy. You can also receive a login link via email (sometimes called a ‘magic link’) rather than a code. Magic links and 2FA are vital to protect your login details.  

The big benefit of 2FA is that even if someone has your password, they can’t log in to your account without the code. This means that even if you accidentally give away your password, hackers still can’t access any sensitive information. 

This approach is now standard across many industries, and it’s something we use at Mews to keep our own systems more secure. Many people already have 2FA set up for personal use with their email or social media accounts, so verification will feel like second nature and a normal part of the login process. 

Read more about why 2FA is a must-have for every hospitality business. 

6. Set up new login alerts 

Depending on the size of your organization, it may or may not be possible to manually track suspicious log-ins. However, like most things in the world of security, it’s better to automate it. 

Set up suspicious log-in alerts for all your key software. You’ll get notified when someone logs in from a new device, which is often a giveaway for a cyberattack. It’s already happened to most of us. Ever received an email saying: ‘Someone tried to log in to your email account from [strange location]. Was this you?’ 

More advanced technologies will also give you the ability to easily control access, empowering you to approve or deny suspicious logins. So if your hotel is in Amsterdam and someone is trying to log into your PMS from India, it will raise a red flag that you can handle immediately. 
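The new-device and new-location alerting described above, as an added example that is not part of the original article or of any Mews product: it learns which devices and countries each user normally logs in from, flags logins that deviate, and records a device or country as known only once a human has approved the alert. The audit-log fields, user names and countries are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample audit log (not real data): past successful PMS logins used as the baseline.
HISTORY = [
    {"user": "frontdesk@example-hotel.test", "device": "dev-a1", "country": "NL", "ts": "2024-03-01T08:02Z"},
    {"user": "frontdesk@example-hotel.test", "device": "dev-a1", "country": "NL", "ts": "2024-03-02T08:05Z"},
    {"user": "manager@example-hotel.test",   "device": "dev-b2", "country": "NL", "ts": "2024-03-02T09:00Z"},
]

# Constructed new logins to review against that baseline.
NEW_LOGINS = [
    {"user": "manager@example-hotel.test",   "device": "dev-b2", "country": "NL", "ts": "2024-03-03T08:58Z"},
    {"user": "frontdesk@example-hotel.test", "device": "dev-z9", "country": "IN", "ts": "2024-03-03T23:40Z"},
    {"user": "newhire@example-hotel.test",   "device": "dev-c3", "country": "NL", "ts": "2024-03-04T07:30Z"},
]


@dataclass
class Profile:
    devices: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)


def learn_profiles(history: List[dict]) -> Dict[str, Profile]:
    """Build, per user, the set of devices and countries seen in past logins."""
    profiles: Dict[str, Profile] = {}
    for ev in history:
        p = profiles.setdefault(ev["user"], Profile())
        p.devices.add(ev["device"])
        p.countries.add(ev["country"])
    return profiles


def review_logins(events: List[dict], profiles: Dict[str, Profile]) -> List[dict]:
    """Return one alert per login that deviates from the user's profile. Profiles are
    not updated here: a flagged login becomes 'known' only after someone approves it."""
    alerts = []
    for ev in events:
        p = profiles.get(ev["user"])
        reasons = []
        if p is None:
            reasons.append("unknown user")
        else:
            if ev["device"] not in p.devices:
                reasons.append("new device")
            if ev["country"] not in p.countries:
                reasons.append("new country")
        if reasons:
            alerts.append({**ev, "reasons": reasons})
    return alerts


def approve_login(profiles: Dict[str, Profile], alert: dict) -> None:
    """After a human confirms 'yes, that was me', remember the device and country."""
    p = profiles.setdefault(alert["user"], Profile())
    p.devices.add(alert["device"])
    p.countries.add(alert["country"])
```

The alert for the front desk account logging in from a new device in a new country is exactly the Amsterdam-versus-India case above; the unknown user is flagged because a freshly created account with no history deserves a look as well.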

7. Check email addresses carefully 

Some phishing emails are very easy to spot. Others are much harder and mask the sender email address with a familiar name such as a software provider or someone from your business. Always be sure to double check the actual sender address – your email provider will often filter out the most obvious attempts, but some will still get through. 

And by the way, this also includes the log-in alerts we just mentioned. These kinds of emails can also be phishing attempts. 

Things to look out for: 

  • Poor spelling and grammar 
  • Attachments and links 
  • Requests for personal or business information 
  • Language that asks you to act urgently 

8. Create a clear plan for reporting suspicious activity 

If one of your front desk workers suspected a phishing attack, what would they do? Make sure you come up with a clear plan and document it somewhere easily accessible so that all staff know what to do if they need to report suspicious activity. 

Speed is of the essence when it comes to protecting yourself against cyberattacks. The faster you can act, the better you’ll minimize any potential harm.  

9. Use Single Sign-On (SSO) 

Single Sign-On (SSO) is a really powerful cybersecurity tool. It means your staff log in just once and can then access everything they need without remembering multiple passwords. 

It’s simple, secure and will ultimately save you time. It’s also easier for IT teams to manage access and enforce security policies, giving your business better control. 

10. Train your team 

You’re already educating yourself by reading this article, but you need your entire team to be vigilant and make smart choices. This is particularly important in hospitality, where staff turnover is so frequent. 

Host regular best practice training sessions so that your team can recognize threats, from phishing emails to suspicious log-in activity. Cyber attackers continually evolve their methods, so it’s important to stay on top of phishing trends and new approaches. 

If it does happen that one of your team falls for a phishing attack, they need to feel comfortable reporting it quickly. It’s not shameful to be a victim, especially as hackers can be incredibly cunning. If your staff feel too embarrassed to report it, the problem will worsen fast. 

Create an environment of empathy where people feel accountable for their actions and confident enough to come forward without being made to feel bad. Fraudsters target people because they’re easier to manipulate than technology – ensuring your entire team is aware of the risks is one of the most important things you can do. 

Stay vigilant to stay secure 

Phishing and cyberattacks are an unfortunate reality of the twenty-first century and our connected lifestyle – and that includes hospitality. You can’t stop the attempts, but you can stop them from being successful. 

Being proactive and vigilant is the all-important first step in your line of defense. Then, follow these eleven tips and you’ll go a long way to protecting your property and your guests from any future cyberattacks.  

Want to see why Mews is best-in-class when it comes to PMS security? Here's how we keep your guest and property data secure, from personal information to payment details.