Home > News & Insights > Cyber-attacks: How can you keep your hotel and your customers safe?

Cyber-attacks: How can you keep your hotel and your customers safe?

Last updated: 2 days ago | 15 min read time

Agoda treats the security of partner and customer data with the utmost seriousness. We value the trust and loyalty of our hotel partners and customers and are committed to safeguarding their data and privacy. As such, Agoda leverages industry-leading technology to monitor, detect, and block potentially suspicious activity.

We have observed the use of targeted phishing emails and malware attacks against some of our hotel partners. While the security breach was not on Agoda’s platform and our backend systems and infrastructure have not been compromised, some of our hotel partners have been affected. As cyber-attacks are increasingly sophisticated, following some simple best practices can help to reduce the risk of falling victim to online frauds and scams that target hospitality platforms.

In the following article, you will learn how you can protect your hotel and your customers from cyber-attacks by ‘threat actors’ (those who exploit vulnerabilities in computer systems via phishing, ransomware, or malware attacks).

What is one of the current scams impacting the travel industry and beyond?
How are threat actors conducting the cyber-attack?
How can you protect your hotel and your customers’ information?
How should you respond if you are impacted by this scam/cyber-theft?
What if I notice that my VCC/UPC Card has been used?
FAQs
Contact us

Read this article on other languages:

What is the current scam impacting the travel industry and beyond?

The latest cyber-attack compromises a hotel’s IT infrastructure by installing spyware. The threat actors then steal the hotel’s credentials to access other platforms and masquerade as the hotel to defraud their customers by sending phishing links to extort money.

How are threat actors conducting the cyber-attack?

A hotel receives a fake booking from the threat actor (via a trusted partner or as a direct booking).
Using this fake booking as a cover, the threat actors contact the hotel, sending a message containing a malicious link.
If the hotel clicks on this link, malware is then automatically downloaded onto the hotel’s IT system. This malware is a spy software that records and steals the hotel’s credentials, including the credentials to access Agoda’s (or any other third party’s) messaging platform and YCS system.
Using the stolen credentials, the threat actors access the third party’s (for example Agoda’s) messaging platform and, acting as the hotel, reach out to customers who have booked with that hotel.
The threat actors use the third party’s messaging platform to send a message to the customers with bookings, asking them to click on a malicious link and to provide their payment information, often threatening to cancel the booking if they do not make the payment using the malicious link.
When the customers click on the malicious link, they land on a fake website imitating Agoda’s or a third party’s website.
If the customers provide their payment information through these malicious links, the threat actors then have access to this information and use it to carry out fraudulent transactions, deceiving the customers.
Please note that as a hotelier, you are unlikely to be aware that this is happening. As these transactions are not conducted on Agoda’s platform, we do not have visibility either. We are only aware that this has occurred when a customer reaches out to our customer support team.

How can you protect your hotel and your customers’ information?

Be vigilant and educate your team members about this scam/cyber-threat to help protect your business.
Deploy and run the latest anti-virus scanning software on your IT systems.
Enable YCS multi-factor authentication (MFA) on your phone instead of your computer. If the threat actors control your computer, they will also be able to retrieve the OTP (confirmation password) sent to your email inbox. However, if the OTP is sent to your phone, the threat actors will not be able to access the OTP, further blocking them from accessing the YCS platform.
If you receive a message or email that seems suspicious, do not click on any links or download any attachments. Some of the recent themed topics of phishing messages include:
- Customers complaining about allergies in the hotels
- Customers threatening a lawsuit because of alleged discrimination
- Customers claiming discrimination against wheelchair users
- Customers seeking help to find the actual location of the hotel, claiming to need assistance because they are old. While these could be also message topics from legitimate customers, the major difference is that after explaining their case, the “guest” will ask the hotel to download and open a .zip or .rar file from a common cloud provider like Google Drive, Mega Dot NZ, Dropbox, etc.
If you suspect your hotel has received fraudulent messages, please contact your Agoda account manager directly.

How should you respond if you are impacted by this scam/cyber-theft?

We strongly urge you to take all relevant measures to protect your Agoda account information. However, if your account is compromised, we recommend you to:

Notify Agoda via your Agoda account manager
Reset both your email password and Agoda account password
Avoid using the same password for multiple accounts
Perform a virus/malware scan on your systems
Ensure that phishing and/or spam messages are not being sent from your accounts

If we have detected abnormal patterns in your login attempts and/or usage of our messaging platform, as a precautionary measure we will reset your password and temporarily disable your access to YCS platform. We will restore your access upon receiving your confirmation.

What If I notice that my VCC/UPC Card has been used?

As detailed in the section “How are threat actors conducting the cyber-attack?”, once the threat actors manage to access the hotel’s YCS account, they might use the VCC/UPC Cards from these accounts to make payments to fraudulent merchants.
Consequently, when the hotel attempts to charge the VCC/UPC Card, the transaction will be unsuccessful due to a lack of funds.
If you notice that your VCC/UPC Card has been used, please follow the steps listed in the section “How should you respond if you are impacted by this scam/cyber-theft?” and contact your account manager.

FAQs

1. Should you notify your customers if your hotel’s account has been compromised?

Yes, you should notify your customers.

In line with relevant data privacy laws, and per your contractual obligations with Agoda (refer to the latest Data Protection Addendum), the responsibility to manage PII (Personal Identifiable Information) incidents (to the extent that the security incident arises from, or is related to you, or your software or business partners, subcontractors, or agents’ processing of PII, and/or use of or access to Agoda’s systems in breach of the Agoda’s terms and conditions,) lies with you.

As such, we rely on you to fulfill your obligations as an independent data controller in this case with respect to applicable privacy laws.

2. Why is the chargeback process taking so long? Can Agoda expedite the process?

When Agoda discovers unauthorized charges to our partner’s UPC, Agoda will try to initiate a chargeback to reverse the transactions under the UPC. Agoda is required to follow the process and timeline defined under Mastercard’s rules in respect of every chargeback filed – we have no control over the timing. After a chargeback is filed, the merchants (who are the cyber-attackers in this case) may dispute the chargeback and provide their own supporting documents, which adds further complexity and possible delays to the process. If Agoda wins the chargeback at the first stage, the chargeback process concludes within 45 days. If Agoda loses the chargeback at the first stage, then depending on the evidence filed by the merchants, Agoda may decide to file a pre-arbitration with Mastercard – this takes us to the second stage of the chargeback process which will take up to 120 days before we know the chargeback outcome. Therefore, while we are trying our very best to help our partners recover the charges made under their UPC, the chargeback process is complex and largely outside Agoda’s control.

3. Can Agoda provide more details on the chargeback process?

See answer for question 2.

4. What happens if Agoda doesn’t win the chargeback? Am I going to lose my money?

While we are trying our very best to help our partners recover the charges under their UPC, the chargeback outcome is not guaranteed because the merchants (who are the cyber-attackers in this case) may dispute the chargeback, which adds complexity and possible delay to the chargeback process and impacts the chargeback outcome. As our partners are responsible for all use of their UPC, including unauthorized charges, our partners will unfortunately have to bear the loss in connection with the unauthorized charges under their UPC.

5. Why can’t Agoda file a chargeback for the transaction made under my UPC?

Under the Mastercard rules, Agoda is prevented from successfully filing a chargeback for our partners whose UPC was charged by merchants who have enabled 3D Secure authentication, which is the case here.

6. Is it possible that my UPC has been charged by my hotel staff?

There is always a possibility of internal hotel employee fraud. When Agoda detects suspicious transactions made under our partner’s UPC, Agoda will investigate the transaction data and look for likely indicators of fraud. If Agoda finds any indicators of fraud by hotel employees or external actors alike, Agoda will inform the partners. We can confirm that the recent cases detected by Agoda and hotels were all related to external actors and not internal hotel fraud. As such, we ask that you remain vigilant and only give access to UPC details to a limited pool of employees to minimize the risk of internal fraud. Please refer to this article for more information on how to keep your YCS and UPC safe.

7. Are the cyber-attackers targeting properties on Agoda’s platform? How did the cyber-attackers obtain properties’ contact information?

We are observing an increasing use of targeted phishing emails and malware attacks against our industry. We believe that some of our partners are being targeted and through our continuous security monitoring system we have learned that some of our partners were sent phishing emails by the cyber-attackers with the criminal intent of taking over local computer systems with malware. In some cases, this has allowed these ‘bad actors’ to fraudulently impersonate our partners and communicate with their guests via email or other communications channels. Through these cyber-attacks, the attackers also gained access to our partners’ YCS and charged their UPC.

8. How does Agoda know that attackers gained access to my YCS and UPC through malware and phishing attacks?

See answer for question 7.

9. What can Agoda do to prevent malware and phishing attacks?

Unfortunately, Agoda can’t stop the malware and phishing attacks that happen on the partner side. However, Agoda is exploring ways to enhance the security of UPC and YCS – more details will be announced soon. In the meantime, we recommend increasing your online security awareness and taking the steps highlighted in this article to protect your and your customers’ information.

10. How can I be sure that this wasn’t Agoda’s internal fraud or that the malware and phishing attacks were not orchestrated by Agoda?

Agoda treats the security of our partner and customer data with the utmost seriousness. Above all, integrity is key to how we conduct our business. Agoda will not do anything that compromises our relationship with partners and customers.

11. I ran a malware and virus scan on my computer system and didn’t find any malware. Why did Agoda say that the root causes were malware and phishing attacks? How does Agoda explain this?

We recommend running an up-to-date malware and virus scan on all computers that are being used to log into your YCS account. Where there is more than one YCS user, it is possible that one of the users may have clicked on a malicious link which led to partner’s YCS credentials being stolen.