Threat Management

The rise of hospitality fraud and how hotels can mitigate it

Keeping hotels secure

Hotels are in a unique category when it comes to fraudulent activity. They are not the typical targets of fraud since there’s generally not much one can do based on an individual reservation. Fraudsters have traditionally focused their efforts on industries such as the public sector, healthcare, or financial services, but now that the pandemic has receded, criminals have shifted their attention toward hotels and their respective rewards programs.

These criminals have historically targeted the airline industry in a similar manner, breaking into the accounts of air travelers and commandeering their miles. Once they have taken over an account, they can keep the points for personal use, sell the points for a profit, or otherwise toy with unsuspecting customer profiles. 

As hotels embark on their digital transformation journeys, and hospitality fraud continues to pose a threat, they should consider layered security as part of the mix. Let’s explore how cybercriminals are zeroing in on the hospitality industry and outline what hotels should do in order to protect themselves and their guests.

Origins of attack

At the onset of the pandemic in 2020, the world of travel took an unprecedented hit. Luckily for the hospitality industry, both business and leisure travel have enjoyed significant rebounds since dealing with record-breaking lows in 2020.

While guests have regained their desire to hit the road and return to the skies over the past two years, cybercriminals have matched their excitement as new windows of opportunity have emerged. As a result, fraudulent attacks have been wreaking havoc on the travel and hospitality sectors, hitting airlines, car rentals, and hotels along the way.

Attackers have made them the target of information and account theft, payment and loyalty fraud, and credential stuffing. In one of the more well-known attacks of 2022, hotel empire Marriott fell victim to a severe data breach. When the dust settled, hackers had compromised more than 20 gigabytes of sensitive customer data, including credit card information.

And the point goes to…

Of the various players in the hospitality industry, hotels have become one of the primary targets amid this surge in fraud. Many of them have felt pressure to innovate and prioritize digital transformation projects as guests expect an increasingly digital experience, headlined by features such as keyless room entry and virtual check-ins.

Among a slew of competing considerations in recent years, security posture has fallen to the backburner for some hotels, leaving them vulnerable by way of a dangerously broad attack surface for cybercriminals — a surface that only grows as travel returns to its previous heights.

So, how are fraudsters able to do it?

If an attacker can take over an account — either through a data breach, account theft, phishing, or other means — any rewards sitting in an individual user’s account are potentially stolen or sold. It’s a reality that’s particularly tough on guests, who have worked for months, or even years, to accumulate loyalty points and status through regular visits. Conversely, customers that are less frequent travelers may not notice the disappearance of points for an extended period of time. Nevertheless, both scenarios present a major headache for the hotel in consideration when those guests attempt to book a room.

Identify yourself

Hotels need to recommit to security basics to combat growing hospitality fraud. Identity verification has become central to a strong security posture. Some hotel chains have even begun to integrate identity verification technology into their mobile apps.

Added security measures such as biometric verification can help protect guests by making sure that registered accounts are only accessed by authorized users. Compared to the likes of passwords, security codes, and two-factor authentication, biometrics are a stronger option. Additionally, biometric verification eliminates the commonly employed tactic of credential stuffing.

Today’s verification tools are even intelligent enough to detect the authenticity of a user request. To give an example, if a malicious actor were to create a second account from a mobile phone that was already registered, they are redirected to additional security checks while a user performing a legitimate sign-on attempt could bypass those extra steps. These technologies let hotels establish security without degrading the overall customer experience.

Plan ahead

It has been three years since the pandemic began and it’s safe to say that travel has made a full return. So long as the travel and hospitality industries continue their recovery efforts, fraudsters will search for ways to get their share. Identity verification can help secure customer accounts, streamline reservation and check-in processes, and ensure that hard-earned rewards are going to their deserving owners. By prioritizing security, especially as hotels undergo their various digital transformation projects, guests can stay protected and feel empowered to book return visits.

Bala Kumar, chief product officer, Jumio

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.