
Bad actors: How to protect your hotel against cyber threats

Hospitality leaders know the industry thrives on delivering seamless experiences and building guest loyalty. Unfortunately, the very systems that create positive guest experiences have also become prime targets for sophisticated cybercriminals.

Recent threats, such as the Scattered Spider attacks, have exposed vulnerabilities that can disrupt entire hospitality operations. As the sector becomes more digitally connected, protecting these systems is no longer just an IT mandate: It is a business continuity imperative. In today’s competitive environment, a single breach can cause more than financial losses; it can damage guest trust, strain partnerships and force costly operational shutdowns during peak travel seasons.

In this article, we will examine how loyalty reward programs, guest services call centers and remote access to property systems by external vendors can be easily exploited by cybercriminals and how to tackle these threats.

Loyalty programs: The new banks

Loyalty reward programs have evolved into valuable currencies, redeemable for rooms, flights and retail perks. That value makes them a magnet for fraud, from account takeovers to synthetic account creation. Weak verification processes at sign-up or redemption allow attackers to slip through undetected, creating losses that spread across brands and partner networks.

Some travel and hospitality companies describe it as “death by a thousand paper cuts,” as small fraud amounts quickly add up to millions each year. Left unchecked, these schemes can persist for months, giving threat actors time to test and refine their tactics while targeting multiple properties across a chain.

MFA isn’t the cure-all

Multi-factor authentication (MFA) has become a standard security control, but in hospitality it can create a false sense of protection. Attackers often bypass MFA through SIM-swapping or by compromising devices.

Guest services call centers are especially vulnerable, since service teams naturally prioritize speed and customer satisfaction over strict verification. In this setting, social engineering can be highly effective, particularly when agents are under pressure to resolve requests quickly. Groups like Scattered Spider exploit this weakness by using native English speakers to blend in with legitimate users and by applying insider-level knowledge of workflows to gain access. Too often, these intrusions happen silently, without triggering alerts, which allows fraud to escalate before leaders realize systems have been compromised.

The hidden attack vector

Property management systems and other operational platforms are only as secure as their least-protected user. Hotels often grant access to outside vendors—housekeeping, IT contractors and marketing partners—without continuously verifying their credentials. Attackers exploit remote access channels or outdated account controls to gain undetected entry.

Continuous, risk-based verification for both employees and third parties is essential to reduce these risks. This practice is especially important for resorts and multi-property operators, where dozens of vendors and contractors may access sensitive systems every day.

Hospitality can take valuable cues from aviation and financial services. Airlines that saw loyalty account fraud surge have adopted phishing-resistant MFA and identity checks at redemption to protect against fraudulent bookings and transfers. Financial institutions, long accustomed to regulatory oversight and constant threats, routinely validate device health and user risk profiles before granting access. This approach can be adapted to hotel systems without compromising the guest experience.

What’s next?

  • The “Zero Trust” model is coming. It depends on continuously validating users and devices, not just at account creation or guest login.
  • Call center reform is needed. Hospitality call centers must move beyond knowledge-based verification, such as date of birth, and adopt adaptive identity verification. This should be layered into agent workflows as part of the organization’s best practices.
  • Vendor governance must mature. Routine re-verification of third-party credentials and tighter integration of access policies across organizations should be standard practice and deployed alongside other operational workflows.

As loyalty becomes a global currency, hotels must coordinate identity assurance with their partners, similar to how banks share fraud intelligence today. The benefits of identity-related threat detection and risk mitigation include secure digital access, improved customer experience, stronger, longer-term trust and protection of brand and revenue. For decision-makers, adopting these measures as part of augmented workflows also positions their brand as a leader in guest safety and operational resilience—key differentiators in an increasingly security-conscious market.

The time to mature is now. Hospitality now stands where finance was two decades ago: valuable, interconnected and vulnerable. The three examples we have reviewed, along with many others not covered here, show that these risks are real. Guest trust, brand reputation and partner relationships all depend on securing identity and access. By adapting proven models from other industries and investing in continuous identity verification, hotels can strengthen their resilience without sacrificing the service excellence that defines them. Acting now allows hotel executives to align digital innovation with strong security, ensuring technology enhances rather than undermines the guest experience.


Story contributed by David Coxe, CEO & co-founder, ID Dataweb, which offers practical identity threat detection and risk mitigation solutions based on the National Strategy for Trusted Identities in Cyberspace (NSTIC).
