The hospitality industry remains a key target for cybercriminals, highlighted by the fact that a staggering 88% of the most popular hotel brands among UK consumers fail to actively block fraudulent emails from reaching customers. Proofpoint offers some top tips for remaining safe online when booking a hotel stay.
Proofpoint, a leading cybersecurity and compliance company, has released research identifying that only 12% of the most popular hotel brands among UK consumers have implemented the recommended and strictest level of DMARC (Domain-based Message Authentication, Reporting & Conformance) protection, which prevents cybercriminals from spoofing their identity and reduces the risk of email fraud. Worryingly, this leaves the UK public open to email fraud from 88% of the most popular hotel brands.
Previous speculation around non-essential international travel potentially resuming, according to travel companies, caused a surge in holiday bookings, both in the UK and abroad. This heightened demand provides a prime opportunity for cybercriminals to capitalise on the potential increase in email communication from hotels to try and trick the general public with phishing emails.
“Our research has shown that the most popular hotel brands used by UK consumers may be exposing their customers to cybercriminals on the hunt for personal and financial data by not implementing simple, yet effective email authentication best practices,” said Adenike Cosgrove, Cybersecurity Strategist, International, Proofpoint. “Email continues to be the vector of choice for cybercriminals and the hospitality industry remains a key target.”
Cybercriminals regularly use the method of domain spoofing to pose as well-known brands by sending an email from a supposedly legitimate sender address. These emails are designed to trick people into clicking on links or sharing personal details which can then be used to steal money or identities.
It can be almost impossible for an ordinary Internet user to identify a fake sender from a real one. By implementing the strictest level of DMARC – ‘Reject’ – organisations can actively block fraudulent emails from reaching their intended targets, protecting their employees, customers and partners from cybercriminals looking to impersonate their brand.
Key findings from the research include:
- Half of the hotel brands analysed have taken initial steps to protect their customers from email fraud, with 50% publishing DMARC record. This means 50% of the most popular hotel brands have no published DMARC record at all, leaving themselves wide open to impersonation attacks.
- Only 12% have implemented the recommended and strictest level of DMARC protection (reject), which actually blocks fraudulent emails from reaching their intended targets, meaning 88% are leaving British consumers open to email fraud.
- Of the 60 hotel brands analysed, 30 had no DMARC record, including a UK resort chain, several luxury and prestigious UK hotels and well-known worldwide hotel groups.
“Organisations in all sectors should deploy authentication protocols, such as DMARC, to shore up their email fraud defences. Cybercriminals are paying attention to the increased demand to book last minute travel and will drive targeted attacks using social engineering techniques such as impersonation, and hotel brands are no exception to this. As the government’s plans on travel solidify, the UK public must be vigilant in checking the validity of all emails, especially as anticipation to book travel abroad is high and criminals will be looking to capitalise on this,” said Cosgrove.
Proofpoint recommends consumers follow the below top tips to remain safe online while booking their next hotel stay:
- Use strong passwords: Do not reuse the same password twice. Consider using a password manager to make your online experience seamless, whilst staying safe. Use Multi-Factor Authentication (MFA) for an added layer of security.
- Avoid unprotected Wi-Fi: Free/open-access Wi-Fi is not secure: cybercriminals can intercept data transferred over unprotected Wi-Fi, including credit card numbers, passwords, account information and more.
- Watch out for ‘lookalike’ sites: Attackers create ‘lookalike’ sites imitating familiar brands. These fraudulent sites may pose as a credible establishment, be infected with malware, or steal money or credentials.
- Dodge potential phishing and smishing attacks: Phishing emails lead to unsafe websites that gather personal data, like credentials and credit card data. Watch out for SMS phishing too — aka ‘smishing’ — or messages through social media.
- Don’t click on links: If receiving a discount rate or other promotion from a hotel over email, go directly to the source of the advertised deal by typing a known website address directly into your browser. For special offer codes, enter them at the checkout to see if they are legitimate.
- Verify before you buy: Fraudulent ads, websites and mobile apps can be difficult to spot. When downloading a new app or visiting an unfamiliar site, take time to read online reviews and any customer complaints.