Spencer Mott, ex. Group CSO of Booking Holdings and Booking.com discusses the impact of Account Takeover Fraud (ATO) on the Travel and Hospitality Sector.
I’ve been working with criminals for over forty years—always on the right side of the law—first as a Detective at Scotland Yard and then for some of the world’s largest corporations. Times have changed; fraud and theft online now offer far greater rewards for criminals than physical crimes. Technology itself facilitates many crimes, from encrypted communications and bitcoin money laundering to ransomware attacks. Today’s detectives must be tech-savvy and able to leverage a global network of investigators.
One key lesson is that hackers and fraudsters primarily seek financial gain and choose the path of least resistance. Throughout my career, I have observed their shifting focus from financial services to healthcare and now to travel and hospitality. As one industry strengthens its cyber defenses, criminals often pivot to softer targets. Currently, the travel and hospitality sector is highly vulnerable, and it’s easy to understand why.
For the past five years, I served as the Global CSO at Booking Holdings and Booking.com, overseeing cybersecurity, fraud prevention, and customer safety. With a diverse portfolio of travel and hospitality brands, including Agoda and Priceline, we were attractive targets for potential attacks.
Travel companies store sensitive data, including travellers’ personal information, payment card details, and customer preferences. Upon joining the company in 2019, I was astonished by the sheer volume of threats facing our industry. I once again found myself pursuing organized crime groups and hackers while combating severe crimes like human trafficking and drug-running. It was a profound, albeit exhilarating, awakening.
One prominent area of cybercrime that surged in the last two years is Account Takeover (ATO) fraud. Attackers steal hotel credentials using phishing emails, scams, or fake reservations. With these stolen credentials, they gain access to valuable data to commit fraud by targeting hotel reservation systems and third-party online travel agencies (OTAs). The attacker impersonates both the hotel and the traveller, playing them off against each other to extract money through advance payments or credit card fraud.
Online fraud affects an estimated 22% of customers and businesses globally. Although the industry has seen record revenues post-COVID, the rise in cyber incidents has caused significant disruptions, leading to blocked inventory and financial losses for hotels. Alarmingly, ATO fraud is growing faster than legitimate online transactions, and fraudsters are selling kits on the dark web, causing these crimes to increase exponentially. This trend must be reversed.
The travel and hospitality industry is particularly vulnerable to ATO fraud for several reasons.
Many hotels have underinvested in IT and rely on outdated systems often accessed by employees using shared accounts, which may not have robust security measures in place. Additionally, the sector’s reliance on seasonal workers, who may be less vigilant and more susceptible to phishing attacks, further exacerbates these vulnerabilities. In smaller establishments, these risks are even more pronounced, with ATO attacks being 70% more successful.
What can be done? During my time at Booking.com, I recognised that we needed to better protect our hotel partners and traveling customers from online scams. The issue generated negative press highlighting how fraud ruined holidays and caused financial losses for hotels.
To develop a comprehensive solution that addresses the entire value chain—not just the needs of OTAs—I identified three critical steps: step back from my role at Booking, find an innovative technology partner, and collaborate with a service-oriented company to create an effective solution for the hotel sector.
In March 2024, I left to fully commit to this task, aiming to shift the advantage from attackers back to the industry. In 2013, while working in biotechnology, I co-invented an “isolated web browser solution” to address a similar issue. While the concept may sound technical, it is straightforward: instead of using commercial browsers (like Chrome or Firefox), utilise a dedicated enterprise-grade browser for sensitive transactions. A browser should protect the gateway between the vulnerable end-user device (laptop, desktop, tablet, or smartphone) and the risky Internet, embedding essential security features, including robust identity credentials.
Since 2013, browser technology has advanced, providing enhanced capabilities. For example, the enterprise browser can alert users to seemingly legitimate but fraudulent websites and assess user devices to ensure they meet necessary cybersecurity standards. This functionality is crucial in the hospitality industry, where many employees use unmanaged devices. The browser also thoroughly scans web content for malware, protecting against external threats like keystroke loggers.
Integrating these security controls into a single application offers substantial benefits for data protection, access control, and productivity while delivering an excellent user experience. All web interactions are rigorously protected through a combination of file reputation checks, threat intelligence, categorisation, and static code analysis.
However, having a technology solution is just part of the equation. The fast-paced hotel sector requires partners that make technology easy to deploy and manage, ensuring solutions are neither oversold nor underutilized. This led me to connect with a renowned UK-based security company experienced in providing cybersecurity and risk services to major players in travel and hospitality.
In summary, coupling advanced technology with specialised services and implementing a straightforward approach to a complex problem will help address the challenges posed by ATO attacks and other cyber threats. This allows hotel owners to focus on their guests, reducing concerns about losses and the impact of fraud and cybercrime.
Resolving ATO fraud will provide the foundation needed to prepare for the next wave of technologies that criminals will likely exploit, including Generative AI and Quantum Computing.
About the author
Spencer Mott has served as a front line CISO for some of the world’s largest corporations for the last 20 years. He recently retired as Group Chief Security Officer (CSO) at Booking Holdings and Booking.com. Prior to Booking, he worked internationally and held the top positions in security and technology at Electronic Arts, Amgen, Mckesson. Earlier in his career, he served in the Metropolitan Police in London as a detective in the serious and organized crime group and Flying Squad.
Since March 2024, Spencer has undertaken consulting assignments specialising in a broad range of cybersecurity services including coaching, building high performing teams and capabilities, technology, innovation, organisational transformation and strategy. More recently he has been working with GSA Global heading up the ATO Fraud division and he currently lives in Sweden with his family.