Lockdown Hotel Bookings at Risk Due to DMARC Fail

Some of the UK’s biggest hotel brands may be exposing themselves and their customers to the risk of phishing attacks due to a lack of adequate messaging security, according to Proofpoint.

The security vendor took a look at the primary corporate domains associated with the 60 most popular listed hospitality companies in the country, as ranked by YouGov.

It found that half (50%) have no published DMARC (Domain-based Message Authentication, Reporting & Conformance) record. The protocol is important in the fight against scam emails as it is meant to ensure that only authorized senders can send messages from registered domains.

Only 12% of those hotel brands assessed by Proofpoint implemented the strictest level of the protocol (p=reject), which ensures spoofed messages never reach their intended destination.

The other levels are p=none, which means mail is treated the same as non-DMARC validated messages, and p=quarantine, where emails are delivered but into the users’ spam folder.

This means 88% of big-brand hotels in the UK could be exposing their customers to potential email fraud, Proofpoint claimed.

The news comes as cyber-criminals look to capitalize on the huge demand in “staycation” bookings, as the UK comes out of lockdown but foreign travel remains restricted.

Proofpoint cybersecurity strategist, international, Adenike Cosgrove, urged consumers to be vigilant when checking their emails.

“Organizations in all sectors should deploy authentication protocols, such as DMARC, to shore up their email fraud defences,” she added. “Cyber-criminals are paying attention to the increased demand to book last minute travel and will drive targeted attacks using social engineering techniques such as impersonation, and hotel brands are no exception to this.”

Proofpoint recommended consumers  avoid using unprotected Wi-Fi, use strong passwords and do not click on links in unsolicited emails.