Hackers exploit booking data in phishing scam

Inbound tour operators are being targeted with fake booking emails containing genuine reservation data to steal passwords and, ultimately, their money.

The emails impersonate hotels and lodges where operators have bookings, urging them to confirm a booking through a link that harvests passwords or plants malware.

Tourism Update has seen examples of the emails. Unlike typical phishing attempts, they include accurate guest names, travel dates and accommodation details.

Real booking data raises concerns

Cape Town tour operator Claire Oertle from All About Africa was one of the recipients of these emails. She said she started receiving them on July 6, sometimes more than a dozen a day.

“The booking details were disturbingly accurate. Guest names, travel dates and lodge names matched real reservations I was holding with the supplier. These were not generic phishing attempts; they referenced actual travellers.”

Oertle said the level of detail suggests the attackers obtain genuine reservation data. “Phishing emails don’t normally contain real guest information pulled straight from legitimate bookings. These did, which means someone had access to reservation information.”

The messages could be the start of something worse, she warned. “The risk is that this could escalate into payment diversion attempts if the attackers continue to refine their approach.” 

Oertle was not a victim but only because she knew what to look for. “I was not caught as I don’t ever receive confirmation from my suppliers in such a way and I immediately noticed the ‘from’ email address was fishy.” 

In the cases she saw, the affected bookings had been processed through platforms linked to Semper, a South African provider of property management and reservation software. Semper did not respond to Tourism Update’s request for comment.

SATSA has also warned members about the phishing emails.

Broader cyber threat

While it is not known whether the phishing campaign is linked to a specific data breach, it comes against the backdrop of a broader Cybernews investigation into cyberattacks targeting the global accommodation industry.

Cybernews has uncovered evidence that a threat actor used AI tools to automate attacks against accommodation businesses, gaining access to guest reservation data from multiple companies worldwide. It puts the number of people exposed across several companies worldwide at more than two million.

The investigation has identified NebulaPMS, a property management system developed by South African company Hospitality Technology International (HTI), among the affected platforms.

Cybernews warns that stolen booking data is especially dangerous because it makes scams so hard to spot. “Phishing is especially effective when attackers know the victims’ exact names, travel dates and reservation numbers. Users are likely to comply with requests that appear to come from a hotel to avoid losing their booking, which makes data from accommodation companies a gold mine for hackers.”

HTI not linked to current campaign

HTI Managing Director Rory Montgomery told Tourism Update the company has suffered a breach but little data was taken and there is no evidence linking that incident to the phishing emails currently targeting inbound tour operators.

“Some guest data from NebulaPMS only, none of our other products, may have been accessed. Thankfully, this was limited to stay details, first name, last name and some email addresses,” he said.

The breach took place in February at around the same time that Booking.com and another of HTI’s technology partners reported their own breaches, Montgomery pointed out.

“There are strong indicators that our industry is constantly under attack,” he said.

According to Montgomery, the company acted as soon as it learned of the incident. “Earlier this year, we notified all clients as well as the Information Regulator of the incident and we have subsequently assessed all possible vulnerabilities within NebulaPMS as part of our ongoing security scans and penetration testing.” 

Montgomery rejected any suggestion that the emails now hitting operators come from the NebulaPMS breach. “We did not see any phone numbers in the breach, and these took place mainly via WhatsApp, so these could have come from any other source.” 

HTI has since launched a new product, NebulaONE, which combines booking and property management functions to reduce the risk of data being intercepted.

“Security and data integrity is of utmost importance these days and it has certainly become one of the major pillars of focus and investment within our business,” Montgomery said.

Industry urges vigilance

FEDHASA National Chairperson Brett Tungay said the organisation is aware of reports of sophisticated phishing attempts targeting tourism businesses although it cannot comment on the source of any specific incident.

“Cybercrime remains an increasing risk for the hospitality industry, particularly where criminals use legitimate booking information to make fraudulent communications appear authentic,” he said.

Tungay is urging businesses to verify requests involving payments, booking amendments or sensitive guest information through trusted communication channels before taking action.

He is also encouraging operators to implement multi-factor authentication where possible, keep reservation systems up to date and regularly train staff to recognise phishing attempts.

© Now Media. This content is protected by copyright and may not be adapted or republished. If you would like to discuss cooperation opportunities, please contact: editor@tourismupdate.com.