
As the summer travel season heats up, so does cybercrime. With nearly half of Americans planning a leisure trip this summer, and business travel holding steady, hospitality companies face an impending surge in both bookings and fraud. Behind the scenes, cybercriminals are operating within sophisticated, cooperative networks, targeting everything from guest Wi-Fi networks to property management systems.
Recent research shows that these threat actors are no longer just focused on stealing credit card numbers. They’re professionalizing operations, exchanging detailed playbooks, and building underground economies that treat hotel networks, guest data, and loyalty programs as commodities. With travel and tourism contributing trillions to the global economy, the incentives for threat actors, and the consequences for organizations, have never been higher.
A Closer Look at Hospitality’s Fraud Landscape
One of the clearest indicators of how sophisticated cybercrime has become is the rise of fraud-as-a-service ecosystems on the dark web. Trustwave SpiderLabs has observed a surge in organized criminal groups—“dark web travel agents”—offering deep discounts on luxury hotel stays, international flights, and travel perks by exploiting stolen payment data, loyalty program credentials, and administrative system access. Here are a few examples of hospitality fraud:
- Fraud Groups Mimic Legitimate Hospitality Organizations: Fraud groups targeting the hospitality industry increasingly operate like legitimate businesses, complete with customer service chat channels on Telegram, referral bonuses, and limited-time “sales” designed to drive urgency. Their operations are structured and deceptive, making fraudulent transactions appear legitimate to both travelers and properties—at least until chargebacks emerge or loyalty accounts are drained.
- Booking System Exploits and Reservation Resale Schemes: A key focus of these fraud groups is hotel booking systems. Trustwave has observed fraud rings sharing step-by-step guides for bypassing identity verification, injecting stolen card details, and exploiting weaknesses in manual review processes. One common tactic targets “pay at property” models, where fraudsters impersonate hotel staff to confirm bookings and then resell the reservations through third-party sites, often at 50–70% off and complete with legitimate confirmation numbers.
- Cybercriminals Identify Fraud Window, Exploit Booking Timelines: Attackers carefully time bookings to pass payment validation checks, often reserving 3–8 days before check-in to avoid triggering fraud detection or cancellation windows. This strategy is highly effective and difficult to catch without more advanced fraud analytics. As a result, hotels unwittingly host cybercriminals, suffer revenue losses, and end up with skewed internal reporting.
- Phishing Campaigns Target Hospitality Staff: Beyond booking fraud, hospitality staff are increasingly targeted by phishing campaigns disguised as HR communications, IT updates, or QR code-based mobile access links. In one notable case investigated by our team—dubbed “Five Star Hotels”—attackers gained high-level Microsoft 365 access through a phishing campaign that used HR-themed lures and malicious QR codes. Once inside, they bypassed authentication protocols and embedded themselves into email systems, inbox rules, and cloud storage. From there, they didn’t just siphon data—they manipulated refunds, inserted ghost employees into payroll, and even staged fraudulent guest interactions through remote desktop tools like AnyDesk.
Rethinking Hospitality Defenses
Cybercriminals are adapting faster than most hospitality security programs. They’re learning from each other, sharing resources, and operating with a level of scale and agility that mirrors real businesses.
For CISOs, CTOs, and digital leaders in hospitality, this summer marks a critical moment. To protect guest experiences and business operations alike, the industry must shift from reactive responses to proactive defense, embracing threat hunting, scenario planning, and information sharing as standard practice. Here are some examples of how to combat these threats:
- Real-Time Threat Intelligence Sharing Across the Ecosystem: Fraud tactics spread rapidly across sectors and geographies, underscoring the need for real-time intelligence sharing, especially among third-party vendors and hospitality platforms. A siloed approach leaves vulnerabilities open to exploitation.
- Behavioral Analytics and Human-Led Threat Hunting: Advanced behavioral analytics can identify subtle deviations from normal user behavior, enabling earlier fraud detection. However, tools alone are insufficient; success also depends on leveraging skilled human threat hunters capable of interpreting anomalies and acting before damage escalates.
- Layered Verification to Minimize Guest Disruption: Secondary verification techniques such as geolocation checks and confirmation prompts help deter fraud while maintaining a smooth guest experience. These methods are particularly effective in identifying suspicious booking activity without adding friction for legitimate users.
- Mobile-Specific Fraud Awareness and Controls: Security strategies must address phishing and fraud attempts delivered through mobile channels, including QR codes. Employee training should reflect these tactics, preparing staff to recognize and respond to mobile-first threats.
- Foundational Security Practices, Not Optional Add-ons: Robust security requires integrating identity management, endpoint monitoring, and regular audits of privileged accounts into daily operations. These defenses must be standard practice, not reactive measures, to effectively protect the expanding digital footprint of hospitality brands.
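As an added illustration (not code from the article or from Trustwave), the sketch below combines the 3–8 day booking window and the “pay at property” pattern described earlier with the geolocation check suggested above, and routes a booking to secondary verification only when several signals coincide. The field names, the sample bookings, and the two-signal threshold are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date

# Lead-time window the article associates with fraudulent bookings (3-8 days).
FRAUD_WINDOW_DAYS = range(3, 9)

@dataclass
class Booking:
    ref: str
    booked_on: date
    check_in: date
    pay_at_property: bool
    ip_country: str    # assumed field: country geolocated from the booking session
    card_country: str  # assumed field: issuing country of the card on file

def review_signals(b: Booking) -> list[str]:
    """Return the risk signals present on a single booking."""
    signals = []
    if (b.check_in - b.booked_on).days in FRAUD_WINDOW_DAYS:
        signals.append("lead_time_3_8_days")
    if b.pay_at_property:
        signals.append("pay_at_property")
    if b.ip_country != b.card_country:
        signals.append("geo_mismatch")
    return signals

def triage(bookings: list[Booking], threshold: int = 2) -> list[str]:
    """References of bookings that should get a confirmation prompt.

    A single signal is common among legitimate guests, so only bookings with
    at least `threshold` signals (assumed value) are sent for extra checks.
    """
    return [b.ref for b in bookings if len(review_signals(b)) >= threshold]

# Constructed sample data, not real reservations.
SAMPLE = [
    Booking("B-1001", date(2025, 6, 1), date(2025, 7, 15), False, "US", "US"),
    Booking("B-1002", date(2025, 7, 1), date(2025, 7, 6), False, "US", "US"),
    Booking("B-1003", date(2025, 7, 1), date(2025, 7, 5), True, "CA", "US"),
    Booking("B-1004", date(2025, 7, 1), date(2025, 7, 2), True, "US", "US"),
    Booking("B-1005", date(2025, 7, 1), date(2025, 7, 9), True, "US", "US"),
]

if __name__ == "__main__":
    for ref in triage(SAMPLE):
        print(ref, "-> secondary verification")
```

Bookings B-1002 and B-1004 each carry one signal and pass without friction, which is the trade-off the layered approach is meant to preserve.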
Securing the Future of Bookings
Only by weaving together intelligence, automation, human expertise, and mobile-first protections can the industry outpace evolving threats and safeguard both revenue and reputation.
Above all, cybersecurity must be a shared priority, from IT teams to front desk managers and third-party vendors. The hospitality industry has a chance to lead with smart, cooperative security practices, and to close the door on fraud before it makes another booking.
ABOUT THE AUTHOR
Kory Daniels is the Chief Information Security Officer for Trustwave. Kory is an innovator and leader in cyber threat detection program transformation. Over the last 15 years, Kory has overseen and supported organizations, from fast-growing midmarket firms to F500 global enterprises, as their requirements evolved, helping them define, measure, and accelerate the achievement of their security maturity targets.