From advanced phishing attacks to deepfakes, ransomware diversification, bogus booking sites, and more, the future cybersecurity landscape is swarming with newer, more dangerous, AI-powered threats—and hotels are a target.
While organizations are fighting back with sophisticated cybersecurity techniques that also harness the power of AI, threats still loom ahead for hoteliers.
In this piece, we deliver an overview of the top cybersecurity threats on the horizon for 2025 and share strategies hotels can use to better protect themselves and their guests.
Hyper-Realistic Social Engineering
Social engineering attacks, where bad actors psychologically manipulate victims, are nothing new. But modern cyberattackers are giving the old trick a new twist with the integration of deepfake technology.
Deepfakes are artificial images, videos, or audio recordings developed by deep learning, a type of machine learning. When used in social engineering attacks, deepfakes allow bad actors to mimic the voices and even faces of real people with hyperrealism. For example, using either real-time or pre-recorded content, cyberattackers can target hotels’ call centers, posing as authority figures and duping employees into providing access to critical systems or revealing personal, financial, or other critical data to be leveraged for initial access.
Because deepfakes are incredibly realistic, most people are unable to quickly identify them as fraud, making them powerful tools that cyberattackers can easily weaponize for nefarious purposes.
More Advanced Phishing Attacks
A specific type of social engineering, phishing attacks target unsuspecting victims via SMS or email, posing as their client, boss, or other trustworthy source in order to extract sensitive data. Today, most people are familiar with phishing attacks and know how to identify them; many inboxes even automatically filter these phony messages to the spam folder. But modern phishing attacks are something different.
Using AI, these new attacks can intelligently mimic the natural writing style and voice of the assumed sender. For example, if hotel staff receive an email instructing them to reset a password or approve a suspicious payment, the message may very well read in their boss’s natural tone, making it difficult to detect foul play.
Sophisticated Booking Fraud Tactics
No matter the means of entry, cyberattackers continue to target hotels. With thousands of guests’ information passing through hotels’ systems every day, hoteliers are a goldmine of sensitive data, including addresses, emails, credit card numbers, and even passports.
While hotel staff are common targets via social engineering and phishing attacks, cyberattackers also favor another point of entry: booking systems. For example, savvy cybercriminals can create convincing fake booking sites where they entice unsuspecting victims to book holiday reservations, handing over their personal and payment information in the process. To attract large numbers of victims, scammers sometimes create fake sales or other promotions to encourage consumers to open their wallets and book now. With AI-powered tools at their disposal, bad actors can create bogus sites to conduct fraud with increasing speed and on a greater scale.
Ransomware Diversification
Ransomware has always been a popular means of attack for bad actors—and for good reason. In the last year, the average ransomware payment hit an all-time high at $2M, an astounding 500% increase from 2023. In the next year, executives can only expect to face more sophisticated—and more efficacious—attacks.
One rising trend is ransomware diversification, where ransomware families (i.e., groups of ransomware variants) split. Each variant can then evolve independently, enabling bad actors to simultaneously deploy multiple, diversified attack methods that can adapt to changing cybersecurity defenses to skirt detection. Because each niche, specialized variant can focus on different targets, bad actors can easily amplify their reach—and success rates.
With this new approach to ransomware, hackers are largely abandoning the file-locking setup. Rather than encrypting victims’ files and promising to unlock them if a ransom is paid, more criminals are skipping a step to steal data directly and threaten to release it to the public if their demands aren’t met. It’s a lose-lose for popular targets like hotels; cyberattackers get what they want faster, and company leaders face enormous pressure to pay.
5G Network Vulnerabilities
In the coming year, we’ll continue to see growth of IoT devices connected to 5G networks. Some experts predict as many as 40B IoT devices. This is good news for hoteliers who can use the tech to create more sophisticated, streamlined, and elegant guest experiences thanks to faster, better connectivity. Think voice-controlled lighting and temperature, automated check-ins, smoother housekeeping processes, etc.
But this IoT explosion is also good news for cyberattackers since engorged 5G networks mean a bigger attack surface and more vulnerabilities to exploit.
Many IoT devices lack encryption, are riddled with firmware vulnerabilities, and rely on weak authentication credentials. Altogether, this creates a landscape of vulnerability, making it easier for bad actors to gain entry to and control of hotels’ 5G networks.
Increasing Supply Chain Attacks
As supply chains become more complex and more digitized, they’re also becoming a more vulnerable (and more profitable) target for cyberattackers.
Specifically, a popular point of entry is through third-party vendors. This has been a rising trend as of late because once bad actors have compromised a supplier’s network, they can use it as a foothold to gain access to hotels, whose wealth of guest personal and payment data makes them a lucrative target for data breaches, ransomware, and all manner of cyber activity.
As mentioned, phishing attacks also have their place on the threat watchlist for cybersecurity attacks in 2025—and that extends to hotels’ supply chains. With deepfakes and other AI-powered tech, bad actors can impersonate suppliers and trick hotel staff into making payments, revealing credentials, etc. As more of the supply chain continues to bear a digital footprint, hackers’ opportunities to infiltrate and attack will only grow.
AI-Powered Cyberattacks
Unsurprisingly, AI is poised to intensify hotels’ already precarious cyber landscape. Even the FBI warned of increasing threats to both businesses and individuals at this year’s RSA Conference.
Beyond more sophisticated phishing attacks, social engineering tactics, ransomware, etc., AI may also enable new, more advanced malware. Specifically, executives should be on the lookout for bad actors who use AI to automate malware creation. In other words, new AI-powered malware will be able to self-correct, adapting and evolving in the middle of attacks to refine its approach and better avoid detection.
Widespread Zero Trust Adoption
With mounting cybersecurity threats on the horizon for 2025, hospitality organizations are under pressure to pivot their cybersecurity defenses—and quickly. In recent years, zero trust security has taken center stage as the security model best positioned to help organizations detect and deflect cybercriminal activity. By 2025, Gartner predicts 60% of organizations will use zero trust solutions.
For hoteliers, this is something to look forward to. A zero trust security architecture greatly strengthens an organization’s cyber defenses by expanding visibility and shrinking the attack surface. Its founding principle is: Never trust; always verify. In other words, a zero trust security protocol trusts no devices or users by default; instead, verification is required for every device or user requesting access to the network. This helps organizations better shield themselves from bad actors and reduce risks of cyber incidents.
As hotels onboard and optimize zero trust security principles, many will also start to add AI and machine learning to the mix. These integrations can enable greater protection by continuously analyzing user behavior, network traffic, and device activity to detect and classify cyber threats in real time. New zero trust and AI solutions can even take action to halt data breaches, begin remediation efforts, and generate post-incident reports.
For hotels that are under increasing threat from scores of different attacks, widespread zero trust security implementation will be a welcome aid to bolster defenses in 2025 and beyond.
The Future of Cybersecurity Must Be a Joint Effort
With fast-moving progress and increasing AI-powered cyberattacks, it can often feel like cybercriminals are always working one step ahead. But there is strength in numbers. Officials from the Treasury Department, the State Department, and the FBI have jointly declared information-sharing as increasingly important as AI enables so-so hackers to level up.
Hotels encountering a rising wave of cybersecurity threats—along with significant repercussions from attacks—benefit greatly from information sharing to strengthen their security measures. This collaboration enables them to more effectively identify vulnerabilities, thwart potential threats, enhance incident response protocols, and boost overall awareness of risks. Such threat intelligence is crucial for the hospitality sector.
By obtaining detailed, actionable insights, hotel security teams can proactively enhance their cybersecurity initiatives and stay ahead of the evolving tactics employed by cybercriminals.
Reprinted from the Hotel Business Review with permission from www.HotelExecutive.com.