How to Protect Your Vacation Rental from Phishing Attacks

As the hospitality industry has moved online, it has opened up the possibilities of a new danger for both operators and travelers. Vacation rentals are now more at risk than ever of becoming victims of phishing attacks.

For newbies to the vacation rental industry and veterans alike, it’s important to be aware of these types of cybersecurity risks and know how to protect yourself and your business online.

In this article, we’ll explain what phishing is and the steps you can take to ensure your vacation rental business stays safe.

What is “phishing”?

According to, phishing is a “cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords”.

The first phishing lawsuit was filed back in 2004, and phishing has since grown into the number one fraud tactic, as stated by the RSA Quarterly Fraud Report. At present, 41% of all attacks fall into this category.

There are many different phishing techniques which criminals use to obtain personal data. These include spear phishing (targeted attacks on a specific individual or organization), session hijacking (the phisher exploits the web session to steal information), content injection (the phisher changes part of the content on a reliable, trustworthy webpage), email phishing, vishing and smishing (voice and SMS phishing) and link manipulation.

Why are phishing attacks a risk for the hospitality industry?

InfoSec Institute states that in 2017, every major hotel chain was hit with a cyber attack. In fact, in November 2018, Marriott announced a data breach of approximately 500 million guests. For around 327 million guests, the compromised data in question contains their name, address, phone number, email, passport number, date of birth, gender and travel dates.

Hospitality businesses like vacation rentals, B&Bs and hotels process a lot of sensitive data daily – such as credit card numbers and guests’ personal information. By attacking consumer-oriented businesses like yours, cybercriminals can intercept your inquiries and sometimes even get their hands on your guests’ payments.

The risk is even greater for those listing on OTAs and aggregator sites. A recent study by eNett for Edgar, Dunn & Company found that fraud is currently costing online travel agencies up to $11 billion. All it takes is for one booking site to fall victim to a phishing scam and hundreds of thousands of properties and their reservations could be in danger.

How can vacation rental operators avoid phishing and other cyber fraud?

Unfortunately, even tech-savvy owners and managers can fall for vacation rental scams and phishing emails. That’s why it’s essential that you (and your staff) are aware of how to spot fraudulent emails in order to protect your business and your guests’ data.

1. Verify where the email is coming from

For the most part, phishing emails are designed to look like they are from someone you know or a company you trust. Cyber attackers are professionals, and they can easily make their emails look exactly like a service provider you use. There will, however, be something that gives them away.

Looking closely at the email address of the sender can, therefore, help you deduce if it’s fake or not. Is there a letter missing or a random number added into the email address? Or is it complete nonsense and has nothing to do with the “company” it’s supposed to be from?

Either way, it’s always better to be safe than sorry when dealing with these types of emails that claim to be from reputable companies. If the email seems to come from someone you know, you can always contact them via other means before clicking on anything that appears inside.

2. Never click a link from an unknown sender

Hackers and phishers have one goal: to steal your information. While there are many tactics for doing so, encouraging recipients to click on dangerous links is one of the most common methods.

Because of this, you should always double check before you click on any link from an unknown sender.

Ask yourself: would this person normally send you a gibberish link out of the blue? Do you really have an account with that application or tool? Have you requested a password reset for any accounts recently? As well as this, you can hover your mouse over the link and check the web address. If it looks suspicious, take no further action besides deleting the email.

If you want to check on the status of your account after receiving a questionable email, log in to the company’s website directly, or call their customer service line.
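The checks from steps 1 and 2 can also be automated. The following is an added example, not part of the original article: it compares a sender's real address and a link's real host against a list of domains you trust and flags near misses such as a missing letter or an added digit. The trusted domains and sample messages are constructed placeholders.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: hypothetical domains standing in for the services you really use.
TRUSTED = ("staybooker.example", "payouts.example")

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for a hostname."""
    host = (host or "").lower().rstrip(".")
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return "trusted"
    # Simplification: treat the last two labels as the registered domain.
    base = ".".join(host.split(".")[-2:])
    for good in TRUSTED:
        brand = good.split(".")[0]
        # A missing letter or an added digit is one or two edits away;
        # a trusted name buried inside another domain is caught by the brand check.
        if edit_distance(base, good) <= 2 or brand in host:
            return "lookalike:" + good
    return "unknown"

def check_sender(from_header):
    """Classify the domain of the real address, ignoring the display name."""
    _, address = parseaddr(from_header)
    return classify_host(address.rpartition("@")[2])

def check_link(url):
    """Classify the host a link really points to (what hovering reveals)."""
    return classify_host(urlsplit(url).hostname)

if __name__ == "__main__":
    for sample in ("StayBooker <help@staybooker.example>",   # constructed samples
                   "StayBooker <help@staybookr.example>",
                   "StayBooker <help@staybooker1.example>"):
        print(sample, "->", check_sender(sample))
    print(check_link("https://staybooker.example.login-check.test/reset"))
```

A "lookalike" result means the message should be verified through another channel before anyone clicks; "unknown" only means the domain is not on your list.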

3. Take preventative measures

If you’ve ever spoken to anyone who has fallen victim to a phishing email, they’ll probably tell you they can’t believe how “stupid” they were to have clicked that link or to have entered their details on that website.

But it’s not a question of stupidity – rather of education.

One of the most crucial things you can do as a vacation rental owner is to ensure that anybody who uses your company email address understands the risks involved with phishing, and to train them to recognize the signs of a potential attack. Besides this, teach your staff to be wary of fake login screens (such as a fake “Airbnb login” page) and to be careful about which sites they use and what information they enter into them.

In addition to this, installing anti-virus, anti-spyware and anti-malware tools on your systems can help prevent lapses in cybersecurity. Another key thing to bear in mind is that all your apps should always be up-to-date, especially those which deal with personal guest data.

4. Remember these key things

Phishing attacks are designed to fool. But having your wits about you can keep you from falling for them. Always remember that a legitimate business:

  • Won’t ever ask you to enter personal information on any website that does not require prior login with an existing username and password.
  • Won’t ever pressure you to provide credit card details over the phone.
  • Will be able to answer specific questions about, for example, your account with them. In the case of listing sites and OTAs, they will be able to provide you with information about previous bookings, payouts etc.

As the vacation rental industry becomes more mainstream, phishing attacks will likely begin to rise. You can protect yourself and your business by always being vigilant and not giving any sensitive data away over the internet or phone, training your staff and never clicking on anything that doesn’t seem 100% legit.

Show Comments (3)
  1. Thanks for sharing your real experience with us over the vacation rental apartment. We consider these points while managing our apartment for vacation rental.
