Week 9: Hotels and guests targeted by cybercriminals

Languages

Service navigation

Search

Navigation

Week 9: Hotels and guests targeted by cybercriminals

04.03.2025 - In several of our weekly reviews we have reported on cyberattacks on hotels and their guests. In the last few days we have received a number of fraud reports from hotel guests. In most cases, the cyberattackers had gained access to a hotel's reservation information.

The cases reported to us of hotel guests receiving targeted phishing emails can only lead to one conclusion: hotels have been the victims of cyberattacks and scammers have gained access to sensitive reservation data. This poses a serious threat to hotels and their guests. Most of the fraudulent emails and text messages sent to hotel guests claim that something has gone wrong with their booking and that they need to log in again and re-enter their credit card details. A similar scam asks guests to pay more than CHF 2,000 to a foreign bank account and to send a receipt to prove that the payment was made. In this weekly review, we will use recent examples to show how these types of scams target both hotels and their guests.

Cyberattacks on hotels

The attackers pose as guests and use a variety of stories to trick hotel staff into installing malware. In one case, the supposed guest claims to have experienced problems during their stay that have not yet been resolved. They tell the hotel that they can read more about the complaint on booking.com and provide a link. In another case, the attackers claim that they have paid for their room but that their payment has somehow been deleted. They need the hotel staff to help resolve the incident immediately. Again, the attackers provide a link to booking.com. However, clicking on the link does not take the hotel staff to the real booking.com site, but to a completely different site created by the scammers.

Scam email from a fake guest.
Scam email from a fake guest.

When you click on the link, the page does not open immediately. Instead, a CAPTCHA appears. CAPTCHAs are a protective feature used by many websites to confirm that visitors are real people and not robots. They usually involve solving a simple maths problem or matching objects. In the scams reported to us, however, victims are instead asked to press the Windows key and the R key, then press the Ctrl and V keys together and confirm with the Enter key.

Fake CAPTCHA designed to install malware on your computer.
Fake CAPTCHA designed to install malware on your computer.

If you follow the fake CAPTCHA instructions, your computer will most likely be infected with malware. The Lumma Stealer malware used the same trick; we described the process in Weekly Review 45 last year. As the page loads, malicious code is automatically copied to your computer’s clipboard. When you press the key combination described above, your computer executes this malicious code. It is now infected with malware. If your computer has access to the hotel booking system, the attacker now has all the information they need to attack your guests.

Cyberattacks on hotel guests

Over the past few weeks we have seen several types of phishing attacks targeting hotel guests. In one type of scam, the attackers send a short text message with the victim's real name, a link and a message asking them to read important information from the hotel. The link leads to a fraudulent hotel booking page where the victim is asked to enter their credit card details.

Scam text message that uses the target’s real name and contains a link.
Scam text message that uses the target’s real name and contains a link.

In another type of scam, the victim receives an email from the hotel with a link to a fraudulent booking portal that has been made to look like the official booking.com website. On the fake website, the victim is asked to confirm their booking by transferring CHF 2,000 to bank account , and then upload the payment receipt to the website. In addition to the unusual payment method, the fact that the bank account is foreign is also suspicious. The cybercriminals also put the victim under pressure by giving them only 48 hours to transfer the money or their reservation will be cancelled. This is a typical trick used by cybercriminals: putting victims under time pressure gives them less time to question what is happening.

A fraudulent booking website that looks like booking.com.
A fraudulent booking website that looks like booking.com.

How hotels can protect themselves

  • Hotels, in particular, receive many documents from their guests. Make sure you never open executable files under any circumstances.
  • Be careful when installing programs. Only download programs from secure and trusted sources.
  • Be suspicious of unusual CAPTCHAs.
  • If you suspect that you have been infected with malware, disconnect the computer from your network immediately. Change your passwords for all online logins from other, uninfected computers. Contact a computer expert.
  • Regular backups will make it easier to restore your data.
  • Keep your systems up to date.
  • Consider using separate computers for guest communications that are not connected to your network.

How guests can protect themselves

  • As a general rule, do not enter passwords or credit card details on websites that you visit via a link in an email or text message.
  • No bank, credit card company or hotel will ever ask you to change your password or verify your credit card details by email.
  • If you receive a phishing email, notify the hotel and booking platform immediately.
  • Be suspicious of emails that ask you to click on a link or open an attachment.
  • Remember that email and text message senders are easily spoofed.
  • Where possible, set up two-factor authentication. This adds an extra layer of protection to prevent your account from being hacked.

Last modification 04.03.2025

Top of page

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2025/wochenrueckblick_9.html