Skip to main content

How to handle a reported security breach

How to respond when a guest reports a suspicious message sent in your hotel's name: secure your account, report it to Bookboost, and communicate with affected guests.

When a guest tells you they have received a suspicious message that looks like it came from your hotel, such as an unexpected payment request, a phishing link, or a fraudulent email, the priority is to contain it quickly and stop guests acting on it. Fast action protects both your guests and your hotel's reputation. This article covers the three things to do, in order: secure your Bookboost account, report the incident to Bookboost, and communicate clearly with affected guests.

What may have happened

Fraudulent messages sent in a hotel's name usually come from one of three causes: compromised operator credentials, email spoofing, or an external party impersonating your property. It is an unwelcome situation, but it can be contained and addressed with the right steps.

Typical situations where this guide applies:

  • A guest contacts you about an email requesting payment that appears to come from your hotel.

  • Several guests report the same suspicious link or message around their check-in period.

  • A guest has already clicked a link or provided payment details and is worried.

Secure your Bookboost account first

Before anything else, lock down access. Work through these steps as soon as you suspect a breach:

  1. Change the password on every operator account, starting with admin accounts.

  2. Enable Two-Factor Authentication (2FA) on every operator account.

  3. Log out active sessions from any device you do not recognise.

  4. Review who has access under Settings, in the Operators area, and remove any operator that is no longer active or that you do not recognise.

  5. Do not share new credentials by email or any other insecure channel.

Report it to Bookboost, and what to have ready

Contact Bookboost support as soon as you suspect a breach, through the 'Talk to Us' option in the platform or at support@bookboost.io. We will check that everything within your Bookboost account is secure and help you investigate.

To help us move quickly, have the following ready when you get in touch:

  • How many guests were affected.

  • Whether it is limited to one property or multiple.

  • What the affected bookings have in common, for example the booking channel or the dates booked. The more they have in common, the easier it is to find the source.

  • Whether the affected guests were checked in or booked around the same period.

  • Which channel the fraudulent messages were sent through: email, SMS, or WhatsApp.

  • What the message contained: a payment request, a link, or a request for personal data.

  • Examples of the messages guests received. Please share as many as you can.

  • Any recent password or credential changes on your Bookboost account.

  • Which other systems are connected to Bookboost, for example your PMS, channel manager, or booking engine, so they can be reviewed too.

What Bookboost does when you report a breach

When you report a suspected breach, our support team will:

  • Verify the identity of the person reporting before sharing any account information or making any changes, to make sure we are speaking with an authorised admin.

  • Investigate whether any of the messages passed through Bookboost and which guest data, if any, may have been exposed.

  • Help secure the account, including resetting compromised operator credentials, and provide any new password directly and only to the verified admin contact.

  • Keep all communication with you through the verified admin email address.

  • Confirm to you once the account has been secured.

If the evidence suggests the message content could only have come from data held in Bookboost, we escalate to our engineering team for a deeper technical investigation and keep you updated throughout.

Communicate with affected guests

Once the account is secure, use a Bookboost broadcast to tell affected guests what happened. You can filter by check-in date range or booking source to reach the right guests without over-communicating.

Key principles:

  • Be transparent but measured. Do not cause unnecessary alarm.

  • Avoid technical jargon or detail that could confuse guests.

  • Reassure guests that their data within your system is safe.

  • Give clear, actionable next steps.

  • Send only from a verified, official email address.

What to include:

  • A brief, honest note that guests may have received a suspicious email.

  • Confirmation that the email did not come from your hotel.

  • A clear instruction: do not click links, do not provide card details, and do not reply to the suspicious email.

  • Reassurance that you take data security seriously and the issue has been contained.

  • A direct contact for guests who have questions or who have already responded.

Here is an example message you can adapt:


Subject: Important security notice, please read

Dear [Guest Name],

We want to make you aware that some of our guests have recently received fraudulent emails, not sent by us, asking them to confirm their booking and provide payment details. These emails are not from [Hotel Name].

Please do not click any links or provide any card or personal information in response to these emails.

Your reservation is confirmed and your data is safe with us. If you have already responded to one of these emails, we strongly recommend contacting your bank immediately.

If you have any questions or concerns, please reach out to us directly at [hotel contact email or phone number].

We apologise for any concern this may have caused and are taking all necessary steps to ensure it does not happen again.

Warm regards,
[Hotel Name] Team


Configuration and Setup

To reduce the risk of this happening again, make the following standard practice:

  1. Require Two-Factor Authentication (2FA) for every operator account, for all staff.

  2. Review operator access under Settings, in the Operators area, on a regular basis and remove anyone who no longer needs it.

  3. Brief your team on how to spot phishing and spoofed emails.

  4. Make it a rule that your hotel never asks guests for payment details by email, and tell guests the same, so a fraudulent request is easier to recognise.

Known limitations

  • If the breach originated outside Bookboost, for example from a spoofed email address, the fraudulent messages may not be traceable through the platform.

  • Broadcast filtering is based on check-in date range or booking source. If the affected guests span a wide range of dates or channels, you may need to send several targeted broadcasts or use a broader filter.

Support

Please contact us through the 'Talk to Us' option on the left menu in the platform, or through the Bookboost Support email at support@bookboost.io if you have questions or need additional support.

Did this answer your question?