Christmas Phishing: Massive Attacks on Hotels and Travelers

What happened?

According to a TechRadar report cited by TheVortiq, cybercriminals have intensified their phishing campaigns during the holiday season, especially targeting the hotel and travel sector. Hospitality companies now receive over 2,000 phishing attacks each week, while consumers are tricked with fake accommodation websites that mimic legitimate platforms. This phenomenon is not new, but the current scale is unprecedented: during the COVID-19 pandemic, phishing attacks increased by 600% according to WHO data, but the 2023-2024 Christmas campaigns already exceed those levels in the tourism sector. Attackers use more sophisticated social engineering techniques, such as emails that simulate being from Booking.com or Airbnb, with identical logos and designs, and links that redirect to fraudulent pages that steal credit card data.

Why is it important?

Christmas phishing is not new, but the current scale is unprecedented. Attackers take advantage of the increase in bookings and online shopping to send fraudulent emails and messages that appear urgent or irresistible. Consequences include identity theft, financial losses, and reputational damage to the impersonated brands. For hotel companies, each successful attack can lead to guest data breaches and fraudulent charges. A 2023 IBM Security study revealed that the average cost of a data breach in the hotel sector is $3.9 million, 12% higher than the global average. Additionally, 60% of small businesses that suffer a cyberattack close within six months, according to the European Union Agency for Cybersecurity (ENISA). The urgency is even greater because phishing attacks during the holidays often go unnoticed until it's too late.

Consequences for the sector

• Loss of consumer trust in online booking platforms: a 2023 PwC survey indicates that 87% of consumers would stop using a platform if it suffered a data breach.
• Additional cybersecurity costs for businesses: according to Gartner, global spending on IT security will reach $215 billion in 2024, 14% more than the previous year, and the hotel sector is one of the biggest investors.
• Possible fines for non-compliance with data protection regulations (GDPR, etc.): under GDPR, fines can reach 4% of global annual revenue. For example, in 2022, hotel chain Marriott was fined £18.4 million for a breach affecting 339 million guests.
• Long-term reputational damage: once a brand is impersonated, consumers may distrust even its legitimate communications, affecting future sales.

What readers should know

Users should always verify the URL of booking sites, be wary of offers that are too good to be true, and avoid clicking on links in unsolicited emails. Businesses, on the other hand, should implement multi-factor authentication and ongoing employee training. Prevention is key: 90% of cyberattacks begin with a phishing email, according to the 2023 Verizon Data Breach Investigations report. Additionally, generative AI tools are being used both by attackers (to create more convincing emails) and defenders (to detect anomalies in real time). For example, Google launched its Gemini model in November 2023 to help identify fraudulent emails. Hotels should also consider implementing DMARC (Domain-based Message Authentication, Reporting and Conformance) to prevent their domains from being spoofed. Finally, consumers can use virtual credit cards or services like PayPal to add an extra layer of protection to their bookings.

"The holiday season is a fertile ground for phishing, with millions of rushed transactions. Awareness and technology are our best defenses." — TheVortiq