
The grand scheme of things
Read Time: 6 mins
Written By:
Felicia Riney, D.B.A.
But Palermo’s schemes didn’t stop there. After leaving the Hilton in 2016, he set up a collision and auto repair business and devised a scheme to obtain about $5 million in Small Business Administration (SBA) loans from a commercial lender by making false statements and omissions in loan applications, according to the U.S. Department of Justice. On April 3, 2020, Palermo was also involved in making false statements in his company’s application for a Paycheck Protection Program loan.
This year, a judge sentenced Palermo to 65 months in prison after he’d pleaded guilty to several counts of wire fraud and tax evasion. (See “Former Hospitality Executive Sentenced To More Than Five Years In Prison For Multiple Fraud Schemes,” U.S. Attorney’s Office, Northern District of California, July 12, 2024 and “Fraudster conned SF Hilton in kickback scheme, gets 5 years in prison,” by Tomoki Chien, The San Francisco Standard, July 12, 2024.)
The hospitality industry is founded on trust — the expectation that hotels, restaurants and other venues will deliver guests a safe, enjoyable and authentic experience. Regrettably, this trust is frequently betrayed, sometimes by career fraudsters who opportunistically pick the industries that best suit their needs, as illustrated in the case above.
After a dramatic drop in occupancy rates following the outbreak of the COVID-19 pandemic, the hospitality sector has once again become a prime target for these criminals as the worst of the health crisis recedes into the past and travel rebounds. (See “The rise of hospitality fraud and how hotels can mitigate it,” by Bala Kumar, SC Media, April 11, 2023.)
And fraudsters are growing increasingly sophisticated as they look beyond the basic schemes carried out by Palermo and use technology to exploit vulnerabilities in the sector. Last year, MGM Resorts and Caesars Entertainment suffered cyberattacks that cost them millions of dollars in lost revenues, and in Caesars’ case, a $15 million payout for a ransom. Scattered Spider, a group of hackers in their teens and early 20s associated with a Russia-based operation called BlackCat, reportedly carried out the attacks by gathering profiles of casino employees and using social engineering to convince the help desk that they were an employee who’d lost their password. Once given access through temporary passwords, the cyberfraudsters were free to cause all kinds of damage. MGM staff had to quickly attend to customers as everything from slot machines to room keys failed to work. Hackers, meanwhile, stole Social Security numbers and driver’s license details of Caesars’ loyalty members. (See “Caesars and MGM grapple with hacks as cybersecurity in Vegas is under scrutiny,” by Sean Lyngaas, CNN, Sept. 14, 2023; “5 Lessons From the MGM and Caesars Casinos Cyberattacks,” by John Funk, Builtin, Oct. 17, 2023; and “What Everyone Got Wrong About the MGM Hack,” by Rachel Sudbeck, Kolide.)
There’s now a thriving underground economy focused on exploiting vulnerabilities in the hospitality and travel industries involving dark web forums and marketplaces, social media platforms, and specialized shops to advertise fraud-enabling services. On these illicit online marketplaces, cyber criminals offer a variety of tools and assets to facilitate fraud schemes against airlines, hotels and other hospitality providers. (See “The Business of Fraud: Travel, Hospitality, and Loyalty Fraud,” by Insikt Group, Recorded Future, May 5, 2022.)
This article will delve into the various types of frauds plaguing the hospitality industry, explore how and why these crimes are committed, and most importantly, uncover proven strategies to counter these malicious schemes effectively. By illuminating this critical issue, we aim to arm hospitality professionals with the knowledge and tools to protect their businesses and maintain the integrity that guests expect.
Hospitality businesses face an array of fraud threats targeting their customers and guests. These malicious schemes can take many insidious forms, including fraudulent reviews, credit card fraud, overcharging customers (i.e., adding products or services they never bought or inflating the prices of items they bought), demanding bribes from customers in exchange for better services, theft of customers’ money and selling free goods to customers. All these frauds cause significant harm to tourists and the industry’s reputation. (See “Spotlight on fraud risk in hospitality a systematic literature review,” by Rasha Kassem, International Journal of Hospitality Management, Science Direct, January 2024.)
Unsurprisingly, hospitality fraud is often carried out by insiders, including employees and managers. This insider fraud involves asset theft and abuse, manipulating accounting records and bonuses, tax fraud, and bribery. Employees may steal from guests as they clean the rooms. Stolen items could be jewelry, clothing, electronics or cash. Cash skimming, a type of asset theft, is one of the most common types of fraud in the hospitality industry. It’s also one of the most straightforward. For example, a customer pays for a drink with cash, and the bartender pockets the money instead of ringing it up. Insiders can steal possessions belonging to customers or the hotel from public areas, such as the lobby, restaurants, bars and breakfast rooms. Stolen goods can include bags, briefcases, laptops, pens, toilet paper, towels, cleaning products, or alcohol and cash. [See “The Most Common Types of Fraud in the Hotel Industry & How To Prevent Them,” by Stephen Alemar, Canary Technologies, updated Feb. 13, 2024 and “Employee Theft and the Coastal South Carolina Hospitality Industry: Incidence, Detection, and Response (Survey Results 2000, 2005),” by Gregory L. Krippel, Linda R. Henderson and Kelly Converse, Sage Journals, July 1, 2008.]
Managers have even greater leeway in their ability to commit fraud. They can manipulate the bonuses they earn for meeting key performance indicators. They often do this by inflating efficiency figures, such as those at the point of customer food orders. (In the restaurant business, the efficiency figure measures how well a food establishment is delivering on its services. Metrics include order fulfilment times, labor productivity and cost management.) They can steal wages using various means, including coercion through under-measurement of hours, nonpayment of holiday entitlements, theft of annual leave pay, charging hidden fees for training, and theft of tips and service charges. (See “The failure of ‘control’ in the hospitality industry,” by Martin Peacock and Martin Kübler, The International Journal of Hospitality Management, Science Direct, December 2001 and “Wage Theft and the Struggle over the Working Day in Hospitality Work: A Typology of Unpaid Labour Time,” by Matthew Cole, Mark Stuart and David Spencer, British Sociological Association, Sage Journals, Oct. 4, 2022.)
Cases of asset abuse include workers taking advantage of all-inclusive customer services or kitchen managers inviting friends or relatives into the hotels free of charge. Other insider fraud methods include hotels intentionally and fraudulently underreporting income from accommodation services to evade taxes and cases of bribes paid to inspectors to manipulate quality inspection scores. (See “The internal control system in the prevention of mistakes and fraud. An application in hospitality management,” by Mehmet Erkan, Ercüment Okutmuş and Ayse Ergül, Sustainability and Management, 2016 and “Logics behind evading overnight taxes: a configurational analysis,” by Pietro Beritelli, Stephan Reinhold and Christian Laesser, International Journal of Contemporary Hospitality Management, Jan. 31, 2020.)
External fraud, however, takes the form of asset theft by customers, chargeback fraud, credit card fraud, fraudulent reviews by disgruntled customers or other hospitality businesses, and cyberfraud. A study discovered that the number of cyberfraud cases, particularly those in which external hackers steal business and customer data, is higher in the hospitality industry than in other sectors. High-profile data breaches have affected renowned hotel chains, leading to the theft of customer information. In a prominent 2022 incident, Marriott suffered a severe data breach when hackers allegedly stole 20 gigabytes of customers’ personally identifiable information and payment data from a BWI Airport Marriott employee in Baltimore, Maryland. (See “Spotlight on fraud risk in hospitality a systematic literature review,” by Rasha Kassem, International Journal of Hospitality Management, January 2024; “Data breaches in hospitality: is the industry different?” by Kholekile Gwebu and Clayton W. Barrows, Journal of Hospitality and Tourism Technology, Aug. 20, 2020; and “Marriott confirms another data breach after hotel got hacked,” by Sergiu Gatlan, Bleeping Computer, July 6, 2022.)
Fraudulent guest bookings with incomplete or misspelled data and front desk lapses in recording guest information enable chargeback or friendly fraud, which involves a customer intentionally disputing a charge for a service or a product they’ve enjoyed in full.
The hospitality industry also suffers disproportionately from credit card fraud. Criminals leverage sophisticated tactics to infiltrate payment systems and steal customer data, resulting in crippling chargebacks, reputational damage and eroded customer trust. According to the American Hotel & Lodging Association, more than half of all credit card fraud incidents occur in the hotel industry. Risk management firm Capcon reports that payment card fraud incidents rose significantly in the hospitality sector in 2023, with criminals using stolen or counterfeit cards for unauthorized transactions at hotels, restaurants and bars. (See “Navigating the Surge: The Rise of Chargebacks and Fraud in the Hotel Industry,” Guest Ban; “The hospitality industry faces significant risks from card fraudsters…but there’s hope,” by Laura Miller, Today’s Hotelier; “Fraud in the UK Hospitality Industry in 2023: Impact and the Role of a Cashless Society,” Capcon; and “How To Protect The Hospitality Industry From The Growing Fraud Threat,” by Charles Aunger, Forbes, May 10, 2023.)
As in any fraud case, key fraud enablers include motives, opportunities, rationalization and integrity issues. Here is some of the reasoning behind each of those categories that is particular to the hospitality industry.
Motives. The motives for committing fraud in hospitality vary by type of fraud and type of perpetrator (i.e., individual versus organization). Interestingly, a 2016 study found that an adrenaline rush was a key motivator for hotel employees to commit asset misappropriation. Another 2021 academic paper argued that poor working conditions motivated cruise ship employees to act deceptively and manipulate tourists for their financial gain. Revenge and supporting the business of a friend or family member have also galvanized people to post fake reviews online, a trend that’s catching the attention of government regulators. And a study of corruption in the Kenyan hospitality industry showed that people paid bribes to save time, reduce costs, avoid emotional stress and for financial benefits. (See “Theft in the hotel workplace: Exploring frontline employees’ perceptions towards hotel employee theft,” by Edmund Goh and Sandra Kong, Tourism and Hospitality Research, Sage Journals, Dec. 12, 2016; “Dirty work or working dirty? Deceiving cruise tourists,” by Lloyd C. Harris and Andrew Pressey, Annals of Tourism Research, ScienceDirect, May 2021; “Gaming the system: Fake online reviews v. consumer law,” by Kate Mathews Hunt, Computer Law & Security Review, February 2015; and “A Users’ Perspective on Corruption: SMEs in the Hospitality Sector in Kenya,” by Paul van den Berg and Niels Noorderhaven, African Studies, Taylor & Francis, March 11, 2016.)
At an organizational level, competitive pressures also push owners and managers to commit fraud. For example, they may underreport the number of nights a customer stays at a hotel to avoid overnight taxes and lower the cost of the room to gain a competitive edge. Or competition in the restaurant industry could motivate owners and managers to solicit positive fake reviews to improve their online image. (See “Logics behind evading overnight taxes: a configurational analysis,” by Pietro Beritelli, Stephan Reinhold and Christian Laesser, International Journal of Contemporary Hospitality Management, Emerald Insight, Jan. 31, 2020 and “Restaurants’ motivations to solicit fake reviews: A competition perspective,” by Ziqiong Zhang, Yuanshuo Li, Hengyun Li and Zili Zhang, International Journal of Hospitality Management, Science Direct, October 2022.)
A recent class-action lawsuit against major hotel chains, including Choice Hotels, Hilton, Hyatt, InterContinental, Marriott and Wyndham, illustrates the intersection of fraud and competitive practices within the hospitality industry. According to the lawsuit, hotels violated U.S. antitrust laws by sharing sensitive pricing information through CoStar’s Smith Travel Research (STR) platform. The suit alleges that this collaboration allowed the hotels to “fix, raise, stabilize, or maintain” room rates, manipulating the market to their advantage. (See “CoStar, luxury hotels hit with US consumer price-fixing lawsuit,” by Mike Scarcella, Reuters, Feb. 21, 2024.) This case is a window into the financial motivations that can drive unethical behavior in the hospitality industry.
[See “Is data sharing price-fixing?” at the end of this article.]
Opportunity. Weak controls provide opportunities for fraud to thrive. A 2020 study discovered that the increased fraud risk in the hospitality industry, particularly restaurants, pertains to the lack of anti-fraud controls such as contingency plans, fraud monitoring programs and an understanding of industry guidelines. Understaffing and inadequate training provide a lucrative opportunity for insiders to steal assets. Supervisors’ lack of employee monitoring and tacit tolerance of unethical behavior enable employees to manipulate customers. (See “Feeding fiction: Fraud vulnerability in the food service industry,” by Saskia M. van Ruth, Joris van der Veeken, Pieter Dekker, Pieternel A. Luning and Wim Huisman, Food Research International, Science Direct, July 2020; “Rationales for Employee Theft in Hospitality: Excuses, Excuses,” by Jill Poulston, Journal of Hospitality and Tourism Management, Science Direct, 2008; and “Dirty work or working dirty? Deceiving cruise tourists,” by Lloyd C. Harris and Andrew Pressey, Annals of Tourism Research, ScienceDirect, May 2021.)
Integrity and rationalization. Integrity refers to moral values such as honesty, fairness and trustworthiness. Hospitality ethics transcends legal requirements, cultivating a culture of trust, respect and transparency. It provides a moral compass for those in the hospitality industry, guiding them to uphold the highest standards of integrity and deliver a positive, ethical guest experience. The fraud schemes discussed in this article highlight several ethical issues that the hospitality industry must address. Lack of personal integrity often leads employees to justify fraudulent behavior through various rationalizations. (See “Ethics in Hospitality: Building Trust and Success Through Integrity,” Holistique Training, updated Aug. 16, 2024.)
A 2008 study found that hotels exhibited persistent tolerance of asset theft. Employees frequently justify their misappropriation of hotel assets through flawed reasoning, such as “I didn’t take much,” “They were going to throw it out,” “I used it here, so it’s not theft,” “These don’t cost much,” and “Everyone else is doing it.” This indicates a fundamental misunderstanding of what constitutes theft. Moreover, the author concluded that employee theft is more likely to be overlooked when management is viewed as a supportive resource rather than an adversary. (See “Rationales for Employee Theft in Hospitality: Excuses, Excuses,” by Jill Poulston, Journal of Hospitality and Tourism Management, Science Direct, 2008.)
Without a strong ethical foundation and clear standards of conduct, an “anything goes” mentality can take root, making employees more inclined to engage in fraudulent or unethical behaviors.
Fighting fraud committed by hospitality customers and businesses requires a multi-pronged approach involving education, technology (including cybersecurity), industry collaboration and stronger controls.
Educating customers and staff. Hospitality businesses are responsible for educating their customers and staff about the pervasive risks of fraud. By launching proactive awareness campaigns, these organizations can empower their stakeholders to recognize and report unethical conduct. For customers, the educational initiatives should focus on informing them about the typical fraud schemes prevalent in the hospitality industry. Crucially, the campaigns should also guide customers on how they can protect themselves against these threats. Equally important is training the hospitality workforce, particularly those in frontline roles, to identify and report instances of insider fraud. Employees should receive comprehensive instruction on recognizing the warning signs of embezzlement, theft of assets and other forms of fraudulent behavior by their colleagues. Clear protocols for escalating suspicions and whistleblowing must be communicated and reinforced.
Technology. Online review platforms have a critical responsibility to monitor and address fraudulent reviews proactively. These sites must take swift, decisive action to identify and remove fake or malicious reviews.
To enhance integrity, platforms should implement features that remind users of their ethical obligations when submitting reviews. This could include pop-up reminders about guidelines and consequences for providing false information. Advanced detection algorithms and specialized data analysis teams can be crucial in identifying suspicious review patterns and user profiles. Review sites can more effectively weed out fraudulent content by leveraging these technological capabilities. Some platforms may also consider adding features like a “fraudulent review filter” that displays potentially compromised reviews at the bottom of a business’s page. This provides transparency while deprioritizing untrustworthy information.
Parallel to these measures, job-listing websites must also enhance their monitoring and vetting procedures. Increasing efforts to prevent fraudulent postings and swiftly addressing any that slip through is essential to maintaining trust in the hiring process.
Safeguarding against external fraud risks, such as data breaches and payment card fraud, is paramount for hospitality businesses. Investing in comprehensive cybersecurity measures is a critical component of this defensive strategy. Hospitality organizations must regularly conduct thorough risk assessments to identify vulnerabilities and evaluate their cyber readiness. This holistic evaluation of risks, threats and existing capabilities allows them to develop targeted, proactive security measures.
Alongside these assessments, providing comprehensive cybersecurity training for all staff is essential. Employees, especially those in customer-facing roles, must have the knowledge and skills to recognize and respond to emerging digital threats. Ensuring that all systems and software are continuously updated and secured against the latest threats is also vital to the cybersecurity framework. Hospitality businesses must remain vigilant and agile in adapting their defenses to keep pace with the ever-evolving landscape of cyberattacks.
Hotel operators have a heightened responsibility to safeguard the sensitive data collected from their guests. In the unfortunate event of a data breach, hoteliers must prioritize proactive notification of affected guests. Transparency and timely communication are crucial to mitigating the potentially devastating impact on brand reputation and consumer trust.
To further strengthen their cybersecurity posture, hospitality businesses should develop comprehensive action plans for cyber-crisis management. These plans should include regular information security assessments, system reliability audits and in-depth vulnerability analyses.
Collaboration. A collaborative, sector-wide approach is essential to effectively address the pervasive challenge of fraud within the hospitality industry. Increased information sharing and joint initiatives among hospitality organizations can significantly strengthen the collective defense against unethical conduct.
Establishing shared databases containing records of previous instances of employee theft, fraud and other unethical behavior can play a crucial role in preventing the spread of criminal activity. By pooling this critical intelligence, hospitality businesses can more readily identify and mitigate the risks posed by individuals with a history of misconduct. Industry associations should take the lead in driving these collaborative anti-fraud efforts. These organizations can play a pivotal role in raising awareness, setting ethical codes of conduct and coordinating comprehensive initiatives to combat fraud across the sector. Furthermore, industry-wide collaboration on shared review verification portals can enhance the credibility and trustworthiness of the hospitality ecosystem. By pooling resources and data, these review platforms can significantly bolster their ability to detect and prevent coordinated fraud schemes, such as manipulating online ratings and testimonials.
Anti-fraud controls. To effectively address the threat of insider fraud, hospitality organizations must establish robust internal controls.
A key component is the implementation of a clear separation of critical functions, such as purchasing, payments and accounting. This segregation of duties helps establish checks and balances, making it more difficult for any single employee to perpetrate and conceal fraudulent activities. Regular financial audits, both internal and external, play a crucial role in uncovering potential instances of employee theft or misuse of company resources. Additionally, establishing anonymous whistleblower hotlines empowers staff to report suspicious behavior without fear of retaliation. Alongside these control measures, hospitality organizations should provide comprehensive ethics training for all employees. This education should focus on the significant impact that theft and fraud can have on the business and the severe consequences for those who engage in such unethical conduct.
Organizations should consider offering employees free or subsidized meals and supplies to discourage insider fraud. This strategy can help reduce the temptation to misappropriate company assets by addressing potential financial motivations. Regular, open communication between managers and employees about ethical behavior is also essential. This ongoing dialogue reinforces the organization’s commitment to integrity and creates an environment where employees feel empowered to uphold the highest standards. Finally, developing and strictly enforcing a clear code of ethics and investing in a secure, anonymous whistleblower hotline demonstrate the hospitality organization’s unwavering dedication to combating fraud from within.
Rasha Kassem, Ph.D., CFE, is an associate professor at Aston University in the U.K. Contact her at r.kassem@aston.ac.uk.
Is data sharing price-fixing?
In February, residents from across the U.S. filed a lawsuit alleging that some of the world’s largest hotel chains shared competitively sensitive information through a system set up by commercial real estate data provider CoStar. The class-action complaint names Choice Hotels, Hilton, Hyatt, InterContinental, Marriott and Wyndham as participants in the alleged scheme. It claims these hospitality industry titans “fixed, raised, stabilized, or maintained” room rates through the exchange of information on CoStar’s system called Smith Travel Research (STR) and hence violated federal antitrust laws. (See “Jeanette Portillo et al v. CoStar Group et al, U.S. District Court for the Western District of Washington, No. 2:24-cv-00229,” Feb. 20, 2024 and “CoStar, luxury hotels hit with US consumer price-fixing lawsuit,” by Mike Scarcella, Reuters, Feb. 21, 2024.)
In May, those hotels denied any wrongdoing and called the claims fanciful. In a court filing, they said that no improper exchange of information took place and that no court has ever taken issue with the benchmarking reports released by STR. (See “Jeanette Portillo et al v. CoStar Group et al, U.S. District Court for the Western District of Washington, No. 2:24-cv-00229,” May 17, 2024 and “CoStar, hotels slam consumers’ ‘fanciful’ room pricing lawsuit,” by Mike Scarcella, Reuters, May 20, 2024.)
Even so, this isn’t the first time that hotels have faced these kinds of lawsuits, and they have become commonplace, especially as technology improves the collection of data that can be shared among a group of competitors. These developments highlight the necessity for transparency and ethical standards in the hospitality sector to protect both consumers and fair market practices.
Caesars Entertainment and other companies involved in the hospitality industry were recently accused of violating antitrust laws by using Rainmaker, a platform that uses pricing algorithms. In May, a U.S. judge dismissed one such case, noting that the lawsuit failed to show that hotels had agreed to conspire on pricing. But the Federal Trade Commission (FTC) and the Justice Department’s Antitrust Division said in a recent statement that the increasing use of algorithms can lead to a form of collusion. (See “FTC and DOJ File Statement of Interest in Hotel Room Algorithmic Price-Fixing Case,” FTC, March 28, 2024; “Price-fixing lawsuit against Strip hotels tossed out,” by McKenna Ross, Las Vegas Review-Journal, May 13, 2024; and “Karen Cornish-Adebiyi vs. Caesars Entertainment,” U.S. District Court of New Jersey, March 28, 2024.)
“When a small group of algorithm providers can influence a major segment of a market, competitors are better able to use the algorithm provider to facilitate collusion,” the two agencies said in March.
“This risk is even greater as markets have become more concentrated across a wide range of industries. Algorithms that recommend prices to numerous competing hotels make it harder for travelers to comparison-shop for the best rate.”