A new report by Wired states that customer data from “more than 350 hotels around the world may have been accessed as part of realistic reservation-hijacking scams.” According to the report, travelers’ information and booking data may have been stolen from the hotels and are being used by threat actors to launch socially engineered phishing schemes.
These scams are effective because they exploit trusted brands and impersonate legitimate guest relations professionals. Victims are contacted about travel they have booked—or plan to book—through messages that appear to come from a hotel, reservation platform or guest services team. These messages often include accurate booking details to build credibility and redirect the victim to a fake guest portal or payment verification page. The victim is told there is an issue with payment and that the booking will be cancelled in the next 24-48 hours if it is not resolved. Once redirected to the fake guest portal or payment verification page, the victim is prompted to enter their credit card information, which is transmitted directly to the threat actor. In many cases, victims do not realize they have been targeted until weeks or months later.
Here is a great summary of how the scam works if you want more information.
Tips to prevent becoming a victim include:
- Do not respond directly to unsolicited emails, phone calls, texts, or instant messages. If you’ve received a request for additional payment or payment information, reach out to the company you booked through directly via information on their website or in your booking confirmation.
- Watch out for pressure tactics. Legitimate businesses do not call or send text messages pressuring you to act immediately. They also will not demand payment with a different payment method from the one you used to book your reservation.
- Secure your accounts after a breach. If you receive a notice that you were impacted by a data breach, take the time to change your passwords and check for suspicious activity, like unauthorized payments or logins. Setting up two-factor authentication can also help to better protect your accounts.