Kaspersky has discovered a new fraudulent scheme targeting hotel owners and staff, with fraudsters attempting to steal credentials or infect computers with malware. The fraudulent emails, posing as correspondence from former or potential guests, exploit the hospitality industry’s emphasis on customer service to ensnare victims.
The deceptive emails mimic legitimate inquiries or complaints from guests, sent to hotel’s public email addresses, or appearing as urgent requests from Booking.com to address unattended user comments. However, the emails are actually from attackers aiming to trick hotel employees into divulging credentials or downloading malware.
Fraudsters craft emails with plausible reasons, making them seem like genuine customer requests or complaints, a routine part of a hotel staff’s duties. Given the high value placed on reputation in the hospitality sector, staff are inclined to promptly respond to these emails. This eagerness increases the likelihood of clicking on malicious links or opening harmful attachments, thereby falling into the trap. Attackers use free email services like Gmail, which are commonly used by guests, to send their fraudulent emails. This makes it challenging for hotel staff to distinguish between legitimate messages and messages containing email threats.
The fraudulent emails generally fall into two categories. The first includes complaints from former guests. These emails describe negative experiences, such as rude staff or unclean rooms, sometimes accompanied with references to photos or videos. The aim is to prompt staff to click on links or open attachments containing malware. The second category includes emails that mimic inquiries from potential guests. These emails ask about amenities, prices, or availability, or seek help with trip planning. The objective of the attack apparently is to collect credentials in order to use them in future attack schemes or to sell them on darknet forums.
“Attackers often exploit the most vulnerable aspects of a business to achieve their goals. In the hospitality industry, they prey on the dedication of hotel service employees who strive to excel at customer service. By mimicking guest inquiries or complaints, they manipulate the staff’s commitment to resolving issues quickly, thereby increasing the likelihood of falling victim to fraudulent schemes. To protect against these attacks, businesses should implement robust email filtering systems, provide regular training for employees on recognising malicious attempts, and establish protocols for verifying the authenticity of urgent requests before responding,” comments Anna Lazaricheva, a spam analyst at Kaspersky.
According to Kaspersky’s annual spam and phishing report, email phishing and malware continues to pose a significant cyber threat. Last year, Kaspersky’s Mail Anti-Virus blocked 135,980,457 malicious email attachments, while Anti-Phishing system prevented 709,590,011 attempts to access phishing links. Phishing and malicious emails frequently impersonate trusted entities and use sophisticated social engineering tactics to trick recipients into disclosing sensitive information or engaging with malicious links.
Read more about this email attack campaign on Kaspersky Daily.
To keep your data protected from phishing attacks and leaks, Kaspersky experts recommend:
- Provide your staff with basic cybersecurity hygiene training. Conduct a simulated phishing attack to ensure that your employees know how to distinguish phishing emails.
- Use protection solutions for mail servers with anti-phishing capabilities, to decrease the chance of infection through a phishing email. Kaspersky Security for Mail Server prevents your employees and business from being defrauded by socially engineered scams.
- Use a protection solution such as Kaspersky Next that provides real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organisations of any size and industry.
- If using Microsoft 365 cloud service, don’t forget to protect it too. Kaspersky Security for Microsoft Office 365 has a dedicated anti-spam and anti-phishing as well as protection for SharePoint, Teams and OneDrive apps for secure business communications.
- Use lightweight and easy-manageable but still effective solutions such as Kaspersky Small Office Security. It helps prevent being locked out of your own computer due to phishing emails or malicious attachments.
