CINCINNATI - The phone rings in your hotel room late in the evening. It's the front desk calling.
The hotel computers are down and the clerk needs your credit card information again. No need to come down to the front desk, they can take your number over the phone.
But it's not the hotel clerk. It's a scam artist.
"They're calling up and asking for random room numbers," said Steve Carlson, manager of a hotel in Florence, Ky.
Carlson's hotel has received about a dozen such late night calls. The calls come after 10 p.m. when most guests are in for the night. The thief chooses the late hour hoping the night manager will patch him through without asking for the guest's name.
"No matter the time of day or night, if someone calls you saying they're from the front desk, and want your information, hang up and either call the front desk or walk up to the front desk," Carlson suggested.
The scammers are probably not local. The I-Team found several cases scattered across the country in places like Dallas, Anchorage, Jacksonville and Cincinnati. It could be a sophisticated ring of scam artists who call a hotel in one state before moving on to another hotel in a different state.
Local police departments would not see a trend of such thefts if the scammers are indeed spreading their targets among hundreds of hotels across the nation.
Or they might be in the next room.
Most hotels require outside callers to provide both the room number and guest's name before connecting them to the room. But a thief who rents a room inside the hotel can bypass that security feature by directly dialing room to room and pretending to be calling from the front desk.
That's Carlson's biggest fear as a hotel manager, and he admitted there's nothing he could do to stop it.
As part of our investigation, the I-Team rented a room at the Marriott River Center Hotel in Covington, Ky., which appears to have a new method to stop such scammers. We were not able to dial room to room. In order to reach another guest, we had to call the front desk and provide the room number and guest name, just as outside callers would be required to do.
Even more devious than the front desk scam is the hotel Wi-Fi scam.
The thief sets up his own Internet hotspot on a laptop inside a hotel room, the lobby, or even outside on the street. Computers allow you to give your hotspot any SSID label you want, and thieves either mimic the hotel's own name or use a generic label like "Hotel Wi-Fi."
Apolonio Garcia, a security expert with Health Guard IT Security , set up a demonstration for us inside a Tri-State hotel room.
"If you're in an airport, you can make it an airport hotspot," Garcia said. "If you're in a coffee shop, you can make it the name of the coffee shop. In this case we're in a hotel, so we made it 'Hotel Wi-Fi.'"
Garcia bought a high gain Wi-Fi USB device for $40 and downloaded a free program from the Internet designed for capturing usernames and passwords.
"As soon as someone accesses that, and starts using the Internet, we're able to see and capture everything they're doing," Garcia said.
We're not giving the bad guys ideas. They're already doing this. There are even "how to" videos posted online.
Within minutes, Garcia's fake hotspot was up and running in Room 515. His high-gain antenna provided the strongest Wi-Fi signal to lure more potential victims.
In this case, he denied access to all users but the I-Team. We agreed to be the target, connecting into "Hotel Wi-Fi" and visiting an online shopping web page.
Garcia had his laptop connected to the Internet through his smartphone, so we were shown the real login page for the shopping site. An unsuspecting victim would have no idea that they were connected through the thief's laptop.
As soon as I typed my username and password into the shopping page, it showed up immediately on Garcia's laptop.
Thanks to the illicit program, the laptop was "looking for usernames and passwords, for log-ins, and when it sees them it actually logs them for us to use later," Garcia said.
Credit card numbers could be captured the same way, or the login credentials could be used to order products delivered to any location the thief designates.
Garcia moved his laptop to the lobby bar. While everyone assumed he was a business man working on his laptop, Garcia was running the closest and most powerful hotspot in the middle of the hotel.
A thief could even duplicate the hotel's real login page by simply copying the HTML code the web browser uses to display the page, then making a few minor changes to redirect the victim's credentials to the thief's computer. The hotel guest would have a seamless web experience with the theft occurring invisibly in the background.
The Marriott River Center follows one of John Matarese's safety tips: The hotel places a high-profile card in the room indicating the name of its legitimate Wi-Fi network, called ibahn. While there's no guarantee a