Kaspersky warns of new hotel email scams targeting staff with fake guest complaints and inquiries to steal credentials or infect systems.
Kaspersky has discovered a new fraudulent scheme targeting hotel owners and staff. Fraudsters are attempting to steal credentials or infect computers with malware. The fraudulent emails, posing as correspondence from former or potential guests, exploit the hospitality industry’s emphasis on customer service to ensnare victims.
The deceptive emails, sent to the hotel’s public email addresses, mimic legitimate inquiries or complaints from guests, or appear as urgent requests from Booking.com to address unanswered user comments. In reality, the emails come from attackers aiming to trick hotel employees into divulging credentials or downloading malware.
Fraudsters craft emails with plausible pretexts, making them look like genuine customer requests or complaints, which are a routine part of a hotel staff’s duties. Given the high value placed on reputation in the hospitality sector, staff are inclined to respond to these emails promptly. This eagerness increases the likelihood of clicking on malicious links or opening harmful attachments, and thus of falling into the trap. Attackers send the fraudulent emails from free email services such as Gmail, which guests themselves commonly use, so hotel staff cannot easily distinguish legitimate messages from malicious ones by the sender address alone.
Fraudulent emails generally fall into two categories. The first consists of complaints from former guests. These emails describe negative experiences, such as rude staff or unclean rooms, sometimes accompanied by references to photos or videos. The aim is to prompt staff to click on links or open attachments containing malware. The second category consists of emails that mimic inquiries from potential guests. These emails ask about amenities, prices or availability, or seek help with trip planning. The objective of this attack is to collect credentials, either to use them in future attack schemes or to sell them on darknet forums.
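As an added illustration, not part of Kaspersky’s report, the following Python heuristic triages mail arriving at a hotel’s public mailbox using the indicators described above (free webmail sender, complaint or inquiry wording, a link or attachment to act on, and Booking.com branding from a non-Booking.com domain). The webmail domain list, the wording list, the hotel address and the sample messages are constructed assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
LURE = re.compile(r"\b(complaint|rude|unclean|dirty|photos?|videos?|urgent|"
                  r"unanswered|review|availability|prices?|reservation)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)

def triage(msg: EmailMessage) -> list[str]:
    """Return the campaign indicators present in one inbound message."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    reasons = []
    if domain in FREE_MAIL:                       # guests' webmail, as the article notes
        reasons.append("free webmail sender")
    if "booking" in name.lower() and domain != "booking.com" \
            and not domain.endswith(".booking.com"):
        reasons.append("Booking.com branding from a non-booking.com domain")
    if any(p.get_filename() for p in msg.iter_attachments()):
        reasons.append("attachment")
    if LINK.search(body):
        reasons.append("link in body")
    if len({w.lower() for w in LURE.findall(body)}) >= 2:
        reasons.append("guest complaint/inquiry wording")
    return reasons

def needs_verification(msg: EmailMessage) -> bool:
    # Hold for out-of-band verification only when indicators co-occur: a genuine
    # guest writing from Gmail scores one and is not held.
    return len(triage(msg)) >= 2

def sample(sender, subject, body, attachment=None) -> EmailMessage:
    # Build a constructed test message (hypothetical addresses, not real correspondence).
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "info@hotel.example", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m

# Constructed messages: the two lure types from the campaign plus a benign inquiry.
COMPLAINT = sample("guest123@gmail.com", "Complaint about my stay",
                   "Your staff were rude and the room was unclean. Photos attached.",
                   attachment="photos.zip")
FAKE_BOOKING = sample("Booking.com <noreply@mail-booking.example>", "Urgent: unanswered review",
                      "Urgent: a guest review is unanswered. Reply here: http://bkng.example/r")
BENIGN = sample("events@corp.example", "Conference room block",
                "Could you quote prices for 20 rooms in May?")
```

The threshold deliberately lets a single indicator through, because real guests write from free webmail; the point is to route co-occurring indicators to a verification step rather than to block mail.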
“Attackers often exploit the most vulnerable aspects of a business to achieve their goals. In the hospitality industry, they prey on the dedication of hotel service employees who strive to excel at customer service. By mimicking guest inquiries or complaints, they manipulate the staff’s commitment to resolving issues quickly, thereby increasing the likelihood of falling victim to fraudulent schemes. To protect against these attacks, businesses should implement robust email filtering systems, provide regular training for employees on recognizing malicious attempts, and establish protocols for verifying the authenticity of urgent requests before responding,” comments Anna Lazaricheva, a spam analyst at Kaspersky.
According to Kaspersky’s annual spam and phishing report, email phishing and malware continue to pose a significant cyber threat. Last year, Kaspersky’s Mail Anti-Virus blocked 135,980,457 malicious email attachments, while the Anti-Phishing system prevented 709,590,011 attempts to access phishing links. Phishing and malicious emails frequently impersonate trusted entities and use sophisticated social engineering tactics to trick recipients into disclosing sensitive information or engaging with malicious links.
Read more about this email attack campaign on Kaspersky Daily.
To keep your data protected from phishing attacks and leaks, Kaspersky experts recommend:
- Provide your staff with basic cybersecurity hygiene training. Conduct a simulated phishing attack to ensure your employees know how to distinguish phishing emails.
- Use mail server protection solutions with anti-phishing capabilities to decrease the chance of infection through phishing emails. Kaspersky Security for Mail Server prevents your employees and business from being defrauded by socially engineered scams.
- Use a protection solution such as Kaspersky Next that provides real-time protection, threat visibility, investigation, and response capabilities of EDR and XDR for organizations of any size and industry.
- If you use Microsoft 365 cloud service, remember to protect it, too. Kaspersky Security for Microsoft Office 365 has dedicated anti-spam and anti-phishing protection for SharePoint, Teams, and OneDrive apps for secure business communications.
- Use lightweight, easy-to-manage, but still effective solutions such as Kaspersky Small Office Security. It helps prevent being locked out of your computer due to phishing emails or malicious attachments.