A phishing email is a deceptive message sent by someone posing as a legitimate sender in order to trick the recipient into sharing sensitive information, clicking a malicious link, or opening a harmful attachment. According to a study conducted in hotel businesses in Turkey in 2024, 74% of cybersecurity breaches started with an employee clicking on a phishing email. This rate places the hospitality sector among the most critical targets of phishing attacks.
The reasons attackers favor hotel personnel are clear: employees receive hundreds of reservation and customer emails a day, an urgent request is routine rather than suspicious, and they have access to critical systems (PMS, payment terminals, guest database). The combination of these three factors makes hotel personnel an ideal target for phishing.
What is a Phishing Email?
Phishing is a social engineering attack delivered by email, in which the attacker poses as a legitimate organization or person to deceive the victim. The most common phishing types in the hospitality sector are: fake notifications mimicking reservation platforms (Booking.com, Expedia), fake invoice and payment requests, OTA (Online Travel Agency) contract renewal notifications, and fake messages with "guest complaint" content.
According to APWG's 2024 Phishing Activity Trends Report, more than 1 million phishing sites were detected globally in a single quarter, the highest figure ever recorded for a three-month period.
Most Common Phishing Scenarios in the Hotel Sector
Scenario 1: Fake Booking.com Reservation Notification
An email titled "New booking confirmation" or "booking cancellation" perfectly copies the real Booking interface. However, the links lead to a fake login page that steals the employee's OTA credentials.
Scenario 2: Fake Invoice and IBAN Fraud
An email with the content "Payment overdue" or "update bank details" comes from a sender address that looks like a real supplier. The attachment contains a fake invoice with an altered IBAN number.
Scenario 3: HR and Employee Data Hunting
Messages targeting human resources employees collect usernames and passwords under the pretext of a "salary update" or "payroll system login."
Scenario 4: Malicious Attachment Disguised as a Guest Complaint
An email with the content "I want to share my negative experiences regarding my stay last week" carries a PDF or Word file that runs ransomware when opened.

10 Ways to Recognize a Fake Email
1. Check the domain, not the sender name. An email that appears as "Booking.com Customer Service" may actually come from an unrelated domain like [email protected]. Check the domain name to the right of the @ sign, not the display name.
2. Hover over URLs without clicking. When you hover the mouse over the link, the real URL appears in the lower-left corner of the browser. If this URL does not match the official address of the brand, do not click.
3. Notice language containing urgency and threats. Phrases like "Your account will be deleted in 24 hours," "Act now" are used to create pressure. Legitimate companies rarely use this language.
4. Be suspicious if the greeting is general. Emails addressed to your name instead of "Dear Member" or "Dear Customer" are more reliable; however, in spear-phishing attacks, attackers may also use your name knowing it.
5. Question attachments before opening them. Unexpected attachments—especially files with .exe, .js, .docm, .xlsm extensions—carry great risk. PDF and Word files can also contain macros.
6. Notice spelling and grammar mistakes. A common mistake in Turkish: missing Turkish characters (s instead of ş, g instead of ğ). Legitimate emails from professional institutions usually do not contain these errors.
7. Check the same content directly from the platform. If you received a Booking notification, instead of clicking the link in the email, log in by typing booking.com into your browser and check the notifications panel there.
8. Query the sender domain with WHOIS. Look up a suspicious domain name with a tool like whois.domaintools.com. A domain registered less than a week ago is a strong phishing indicator.
9. Test for the presence of two-factor authentication. Legitimate platforms ask for a 2FA code when logging in. Fake login pages may skip this step or simulate it.
10. Verify with the sender by phone when in doubt. If you received an email requesting a large payment or account change, verify by calling a number you already know instead of replying to the same email.

Real Case Analyses
Case A — A 5-Star Hotel in Istanbul: An email with the content "supplier bank information updated" arrived at the accounting department. The sender name was identical to the real supplier's, but the domain name differed by a single letter (e.g., examplelcleaning.com instead of examplecleaning.com). The employee transferred 28,000 TL to the wrong IBAN. The error was noticed in a phone call with the supplier after the transfer; however, the money could not be recovered.
Case B — A Holiday Village in Antalya: A front office employee received an email titled "guest complaint." There was a Word file named "complaint_20240315.docm" in the attachment. When the file was opened, ransomware ran and 3 months of reservation data in the PMS system was encrypted. The 12-hour system outage and data recovery cost the business approximately 85,000 TL.
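The checks from the list above (sender domain vs. display name, link text vs. real URL, urgency wording, risky attachment types) and the one-letter lookalike domain from Case A, as a small triage script. This is an added example, not code from the original article; the brand/supplier list, the sample message and the 0.9 similarity threshold are constructed assumptions for illustration.

```python
import re
from difflib import SequenceMatcher
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed lists (assumption): brands/suppliers this hotel deals with, check-5 extensions, check-3 phrases.
KNOWN_DOMAINS = ("booking.com", "expedia.com", "examplecleaning.com")
RISKY_EXT = (".exe", ".js", ".docm", ".xlsm")
URGENCY = ("act now", "within 24 hours", "will be deleted", "payment overdue", "update bank details")

def lookalike_of(domain: str) -> str:
    """Known domain that `domain` closely imitates (e.g. one inserted letter, as in Case A), else ''."""
    for known in KNOWN_DOMAINS:
        if domain != known and SequenceMatcher(None, domain, known).ratio() >= 0.9:
            return known
    return ""

def score_message(msg: EmailMessage) -> list:
    findings = []
    name, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Check 1: display name claims a brand, but the domain right of '@' is not that brand's.
    for known in KNOWN_DOMAINS:
        if known in name.lower() and sender_domain != known:
            findings.append(f"display name claims {known}, real sender domain is {sender_domain}")
    if lookalike_of(sender_domain):
        findings.append(f"sender domain {sender_domain} imitates {lookalike_of(sender_domain)}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Check 2: the visible link text names one host while the href points somewhere else.
    for host, label in re.findall(r'href="https?://([^/"]+)[^"]*"[^>]*>([^<]*)<', text, re.I):
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", label)
        if shown and shown.group(0).lower() != host.lower():
            findings.append(f"link text shows {shown.group(0)} but points to {host}")
    findings += [f"urgency phrase: '{p}'" for p in URGENCY if p in text.lower()]  # check 3
    for part in msg.iter_attachments():  # check 5
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT):
            findings.append(f"risky attachment: {fname}")
    return findings

def build_sample() -> EmailMessage:
    # Constructed message mixing Scenario 1 (fake Booking login link) and Scenario 4 (.docm attachment).
    msg = EmailMessage()
    msg["From"] = '"Booking.com Customer Service" <noreply@bookinq-support.example>'
    msg["Subject"] = "New booking confirmation"
    msg.set_content('<p>Your extranet account will be deleted within 24 hours. Act now: '
                    '<a href="http://verify.bookinq-support.example/login">booking.com/extranet</a></p>', subtype="html")
    msg.add_attachment(b"not a real document", maintype="application", subtype="octet-stream", filename="complaint_20240315.docm")
    return msg
```

Running `score_message(build_sample())` returns six findings, one per trick the sample combines; a mail gateway or help-desk macro can use the same checks to flag messages for the reporting step described later.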
Employee Training Program Recommendations
An effective hotel phishing training program should have 4 components:
1. Basic awareness training (twice a year, 1 hour): Teach which signs point to danger through real case analyses.
2. Simulation tests (every 3 months): Free tools like the Google phishing quiz or corporate platforms like KnowBe4 and Proofpoint can be used. Employees who click should be directed to training immediately, never punished.
3. Creating a reporting culture: Appreciate the employee who reports a suspicious email. The "I'm not sure but I reported it" behavior should be spread.
4. Department-specific scenarios: Training should be provided specifically for invoice fraud for accounting personnel, malicious attachments in the guise of guest complaints for front office employees, and payroll/salary-themed attacks for HR personnel.
Additional measures against this threat can be found in our case analyses of compromised hotel staff accounts and in our hotel website security checklist.
What to Do When Exposed to a Phishing Attack
Immediate steps to follow when an employee realizes they have clicked on a phishing email or shared their information:
- Disconnect the device from the network immediately. Disconnect Wi-Fi and wired network connections.
- Call the IT/informatics manager. Use the phone, not email.
- Change the password of the compromised account, using a different, secure device.
- Reset 2FA codes.
- Inform the manager. Phishing can affect the entire organization.
- Report to BTK and [USOM](https://www.usom.gov.tr) if necessary.
Our comprehensive guide on what a fake hotel site is gives broader background on how these digital attacks are structured.
Frequently Asked Questions
Should I punish employees who fail phishing tests?
No. Fear of punishment keeps employees from reporting a real attack. Direct the employee who clicks to training, and report results by department with individual names anonymized.
Is phishing detection harder on mobile devices?
Yes. On mobile screens the sender address is not fully visible, URL preview on hover does not work, and small differences between letters in a domain go unnoticed. Therefore, corporate email should be opened on desktop devices whenever possible.
How should I report a phishing email?
Use the "Report Phishing" option in Gmail or the "Report as Phishing" option in Outlook. Also submit it through USOM's reporting form and notify your corporate IT department.
Conclusion
Phishing attacks are becoming more advanced every year; however, basic detection methods do not change. Checking the sender domain, examining the URL before clicking on links, and creating the culture of reporting suspicious situations—these three habits form the most effective shield of hotel personnel against phishing attacks. For a comprehensive digital protection, we also recommend reviewing our guide to cybersecurity threats in the hotel sector.