Posted on

Five Ways to Avoid Hotel Phishing Scams

Seeing headlines about yet another hotel hacked have become commonplace and statistics are looking grim. A staggering 64% of US citizens have already had to deal with stolen data. Hotel phishing has become way too common.

Hotels are the perfect targets due to the amount of sensitive data they are processing each day and the tech they are using. Lots of high profile breaches that have happened lately signal that many of them do not have the right cybersecurity solutions in place. 

Hotel phishing scams are a common attack, and Verizon’s 2019 data breach report shows that out of all the data breaches detected, 32% involved phishing. 

What’s even more worrisome, 56% of those breaches weren’t discovered for months

Avoiding attempts of such scams is impossible, but lowering the risk of becoming a victim is. Here are five ways to detect and avoid phishing scams.  

#1 Staff Training 

Hotels often skip cybersecurity training because they wish to invest in other areas, yet a single successful phishing scam can lead to a breach that will tank their reputation and customer trust, which results in high fines.

Because emails are the primary trajectory attackers are using for their hotel phishing scams, it’s important that your employees are able to recognise such scam attempts right away. 

A single click is enough to infect the system. The same report from Verizon gives insight that internal actors were responsible for 34% of breaches. Every misclick will result in having your hotel hacked again and again.  

Cybersecurity training for the hotel staff must be a top priority. 

When staff members know how to detect a suspicious email, check the sender and double-check all domain names, the risk of them clicking on it becomes considerably lower. 

#2 Have an External Mail Warning System 

Creating a hotel phishing email is easier than ever, as people are more than willing to share their personal information online.

A well-constructed phishing email can look like a genuine company email from a well-known staff member.

An external email warning system helps identify suspicious emails by displaying a warning when the email originates from an external source. 

This will prompt the staff to double-check the sender and the actual address before opening the mail or clicking the link and report the suspicious email to the IT office. 

#3 Implement a Sandbox

Sandbox in IT is basically a completely isolated environment that fools malicious code into thinking it got access to actual systems. 

Sandboxes are used to test links and attachments and execute them without risking the security of your network. 

If the system detects malicious code or link, it will show a warning and remove the attachment/link so the user and systems stay safe. 

#4 Keep Your Network Secure 

Have antivirus, antispyware, and malware software on your network and all devices, as well as commercial firewalls. 

Keeping your main network inaccessible to outside devices will reduce the vectors of attack.

Have a different network for your guests, and keep all personal IT devices from your staff on a separate network too. 

#5 Stay Informed About Phishing Techniques & Have Procedures In Place

New phishing scams appear all the time, so make sure your IT department follows all new developments closely.  Ask them to regularly send internal newsletters on threats and distribute them to everyone.

Plus, make sure you have strict procedures in place when it comes to payments and authorising new transactions. For example, change of details must be confirmed by a vendor over the phone (rather than email), requests for money are escalated to a higher management level, and links aren’t clicked on unless they are expected.

Hotels Must Be Hypervigilant

The reason why so many hotels fall victim to hotel phishing attacks is the lack of updates to their systems, operations, and standards. 

When coupled with lack of staff training and monitoring solutions, a data breach might already be in progress without them having the slightest clue about it.

Posted on

5 Reasons Hospitality Businesses Get Hacked

hospitality business hacking

The last several years have revealed that hospitality businesses are vulnerable to cyber attacks. Many major hospitality players being victims of cybercrime that was in some cases undetected for years. In a separate post, we have cited six hospitality businesses that faced data breach fines resulting from hospitality business hacking.

Hackers are becoming increasingly innovative in ways they gain access to secure hospitality systems. In contrast, the hospitality sector is lagging behind in security measures. Businesses often don’t treat cybersecurity as a priority but prefer to focus on customer experience only, which can have far-reaching consequences in case of a breach.

The most common factors that contribute to hospitality business hacking and data breaches include the following:  

#1 The Number of People Involved

It is the nature of the hospitality industry that makes hospitality businesses such targets – there are so many customers and staff involved that hackers easily benefit from those numbers.  Sooner or later, somebody will make a mistake and click on a malicious link delivered into their inbox from a spoofed email address, and that one click is often enough to get access to everything.

Once inside, hackers will easily find employee credentials to get access to sensitive information, such as customer names, emails, addresses, current residence, credit card information, loyalty programs and points, and more, and use all that information for monetary gain or to sell it on the dark web.  

Another big issue that contributes to the high vulnerability of the hospitality sector is the current hospitality retention rates. Retention rate in the hospitality industry is quite low in comparison to averages or other industries. In the UK, the annual staff retention level is just over 70%, which is concerning since the average retention is usually around 85%. Not only are staff usually less interested in the long-term protection of the business, but frequent changes of users and passwords often leads to bad practices like sharing or logging in for each other.

#2 Unsecured Networks Result in Hospitality Business Hacking

One of the easiest ways hackers are able to access guest and employee data is through Wi-Fi networks that are poorly secured and unsecured. While it’s hard to make sure a Wi-Fi network is 100% secure against attacks, hospitality businesses can do a lot to minimise the risk.

First of all, a network should never be unsecured. While it might seem like a great perk – use your network easily without having to ask for a passcode – this also means that anyone can access it, hackers included. The passcode should always be complex to avoid hackers simply guessing it. Businesses should avoid setting up “12345” or the business name as the passcode.

In addition to the right encryption settings for all the networks, it’s important to separate them too. Guests should always have a separate network for all their devices. Sharing the same network for business devices and guest devices is a recipe for disaster. Some of your guests may not be as innocent as they appear. They may be accessing your internal systems and data whilst also enjoying your coffee.

#3 Lack of Understanding

Another fault of many businesses in the hospitality industry is their lack of understanding of cybersecurity. Hotels are now interconnected digital systems that compete for customers by introducing new digital experiences. As such complex systems, they have a large number of endpoints – like the above-mentioned Wi-Fi networks, but also HVAC systems, Points of Sale (PoS), electronic door locks, smart devices – through which customer data is accessed and stored.

It’s true that they do adopt new technology and software to streamline their operations. But their outdated security measures don’t cover new security threats. You see, each of the endpoints used can also be an entry point for hackers to steal data. Sometimes, it’s enough to delay updating your PoS system for hackers to get a successful entry.   

Because hospitality businesses deal with such a large amount of sensitive data daily, it’s of utmost importance that they also understand the risks that come with the benefits of new software and tech solutions.

#4 Cybersecurity Isn’t Their Focus

Most hospitality businesses will agree that customer satisfaction and the overall experience with their brand is what matters most. The competition is fierce, and it’s very easy to lose customers. In their battle to retain customers, they will often prioritise to spend their money on user experience. As a result, they streamline all their internal operations towards this goal.

Providing a seamless experience in every single one of their locations require interconnection of all hotels from the same chain. For this reason, they are able to easily share their data on customers between locations. This way, the customer’s preferences when it comes to rooms and suites and other data that help make them feel welcome is accessible at any time, no matter which of their hotels the customer walks into. Such data sharing happens within the hotel chain national network, which all hotels have access to.

This interconnectedness can have far-reaching consequences – just one breach into a single hotel from the whole chain is enough for hackers to quickly gain access to their whole system and steal information from central data points.

#5 Lack of Education Lead to Hospitality Business Hacking

With a lack of understanding of why security systems are crucial for all the digital systems in the hospitality industry, cybersecurity is often put into the back seat. This, in turn, results in a severe lack of education for staff members and partners.

If employees working in hospitality do not know how to spot risks, the chances of hospitality business hacking skyrocket. Not all employees are tech-savvy or IT professionals. Some of them don’t know how to spot a phishing attempt. However, with the right training, you can greatly reduce the chances of being hacked.

The best approach here would be to have cybersecurity staff that will take proactive measures to keep all systems secure. Therefore, it’s not a bad idea to appoint a Chief Information Security Officer (CISO) who would oversee all security-related operations. The CISO ‘s responsibility includes setting up a plan in case a breach happens.

The Right Measures Help Detect a Breach Quickly

The hospitality industry will remain a high-risk target for cyber attacks, and there will always be a risk. However, taking the right countermeasures will minimise hospitality business hacking. This ensures that if a breach does happen, there are rules in place that will help detect it quickly. Consequently, businesses take the right course of action.