In today's digitalized and hyper-connected business environments, having appropriate security measures in place has become a basic requirement. Yet whether operating a large-scale resort or a small boutique property, the most advanced security technology ultimately means little if employees can unwittingly serve as a backdoor around it.
Less discussed than higher-profile topics such as cybersecurity, but just as vital to protecting businesses and their customers from harm, is social engineering, where attackers leverage psychology to trick staff into revealing sensitive information or performing unauthorized or illegal actions. One demonstration of social engineering's threat to the hospitality industry is an incident in which scammers successfully posed as legitimate hotel employees in order to trick guests into revealing credit card details. To ensure the safety of their business and guests, hoteliers must take the threat posed by social engineering as seriously as any other security risk, and must take steps to immunize their operations against any weakness that lets crafty criminals slip through the cracks.
What is Social Engineering and How to Recognize its Traits?
Simply stated, social engineering is the use of manipulation and/or deception to convince employees to reveal confidential information or perform an action that they wouldn't otherwise take. A tactic as old as the hospitality industry itself, social engineering can be as low-tech as posing as the "spouse" of a checked-in guest in order to be issued a room key. Another would-be attacker may pose as an employee so that an actual member of staff grants them access to restricted areas such as stock rooms or equipment and amenity storage.
Social engineering has not been left behind by advances in technology: it has more recently made the jump into the digital space as a way to increase the odds of success for cyberattacks. One common example is an email fabricated to appear as if it was sent from a legitimate source, such as an employee's boss or a co-worker. Once the email has accomplished its first task of appearing authentic, next comes the 'ask' or 'favor' that is at the core of the attempt. This could be a request to 'verify' information such as system login details or to provide an update on a project the property is working on. Other ploys include an 'urgent' request for money or data to be transferred, along with a list of 'consequences' should the employee fail to act in time. The range of scenarios that hotels and their employees can encounter is as diverse and creative as an attacker's imagination, so staff members shouldn't find comfort in the misconception that social engineering attacks only come in certain shapes and sizes.
Oftentimes, email-based social engineering attempts arrive with a URL or file attachment carrying malicious software, which makes its way onto an organization's computers once an employee has been tricked into opening it. This not only can grant attackers access to sensitive information and systems, but also lets them send further social engineering emails from the compromised account to everyone in the original victim's address book, providing yet more opportunities to outmaneuver a hotel's security measures and cause further damage.
Bringing AI into the Social Engineering Equation
As if hoteliers weren’t already dealing with the fallout of being known as one of the most hacker-targeted industries, advances in artificial intelligence have only added to the capabilities of would-be attackers. While gaining less of the spotlight, the same AI advantages that allow hoteliers to personalize guest experiences and offer faster service are also proving increasingly invaluable to modern social engineering efforts.
Given the right instructions, an AI leveraged for social engineering can instantly personalize emails to make them appear even more legitimate. It can, for example, automatically analyze company or individual social media accounts and integrate the information it finds into a convincing message that appears to come from management or a fellow colleague. This is made only easier by the proliferation of AI-based writing tools whose output can fool even a vigilant employee into believing that a message was written by a human.
With the rise of deepfake technology, AI can now also convincingly replicate a person's voice or physical appearance in order to further erode employee hesitancy and win their trust. This could take the form of a phone call from the employee's 'boss' who has misplaced their system login details and needs the employee to email them over immediately. It could also take the shape of a video meeting where the individual on the other end looks and sounds like a legitimate boss or colleague, but who is making odd requests such as transferring funds or guest information to a newly installed server. These are just some examples of how attackers may exploit new technologies. But whatever shape an attack ultimately takes, they demonstrate that the lines between what is legitimate and what is fraudulent are increasingly blurred and harder to tell apart.
Protecting Your Hotel Business From Social Engineering’s Rising Threat
Although the tools and capabilities of social engineering-based attacks have undoubtedly expanded, many of the same strategies that hoteliers have used to combat more traditional fraud can still prove effective. What business management and their employees need to do is double down and ensure that the appropriate infrastructure and educational resources are in place to stop an attack in its tracks when one inevitably does take place:
- Keeping System Software Up-to-date: Hackers using social engineering ploys or any other type of cyberattack tactic find their job much easier when businesses don’t routinely update their systems and leave discovered vulnerabilities in place. To consistently safeguard themselves against this risk, hoteliers should consider adopting cloud-based solutions that automatically update to protect against newly identified threats and attack strategies.
- Secure All Onsite Devices: No matter how seemingly inconsequential, any and all devices connected to the internet at a hotel should sit behind an effective firewall, run antivirus and anti-spam software where the device supports it, and be kept on a network segment separate from guest data and back-office systems. One casino reportedly found out too late that a single unprotected fish tank sensor served as an ideal entry point into other property systems.
- Secure Email Accounts: With many cyberattacks and social engineering ploys starting out as a seemingly innocent email, ensuring that spam filters are set to high for all employee email accounts is crucial. This will minimize the likelihood of risk-prone messages making it into worker inboxes, yet staff should periodically check spam folders to identify any legitimate emails that were incorrectly flagged.
- Maintain Continuous Training & Education: At the end of the day, and regardless of the number of tools and advanced technologies a hotel adopts, a social engineering attack succeeds the moment an employee is fooled. To strengthen this potential weak link, hoteliers need to remain vigilant with continual training and education for their employee teams. Staff members must be able to recognize the warning signs, such as an email that supposedly comes from the organization or a colleague but uses an unfamiliar email address. When a request comes through as 'urgent,' employees need to be trained to resist the urge to act immediately and instead take the time to verify the facts through a separate, known channel and/or bring the matter to the attention of a superior. Through regularly held meetings and training sessions, employees can know ahead of time how they should respond to a potential threat and can sidestep the second-guessing and panic that only benefit those behind an attack.
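The warning signs above (a familiar colleague's name paired with an unfamiliar address, a domain that merely resembles the hotel's own, and pressure to act now) can be checked mechanically as well as taught. The following Python script is an added example written for this page, not code from the original article or any vendor it mentions; the hotel domain, staff directory, urgency word list and sample messages are all constructed for illustration.

```python
"""Screen an inbound message for the social engineering warning signs staff are
trained to spot. Added example; all names, domains and messages are constructed."""
from email.utils import parseaddr
import unicodedata

# Constructed: the property's legitimate sending domains and a directory mapping
# staff display names to the only mailbox each one legitimately sends from.
TRUSTED_DOMAINS = {"grandhotel.example", "mail.grandhotel.example"}
STAFF_DIRECTORY = {
    "maria lopez": "maria.lopez@grandhotel.example",
    "james chen": "james.chen@grandhotel.example",
}
# Constructed list of pressure words typical of 'act now' requests.
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "within the hour")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the typical typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _fold_domain(domain: str) -> str:
    """Strip non-ASCII characters after NFKD normalisation. A domain built from
    homoglyphs (e.g. a Cyrillic letter in place of a Latin one) collapses to a
    string one or two edits away from the real domain, which the distance check
    then catches."""
    return unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()


def screen_message(from_header: str, subject: str) -> list[str]:
    """Return the warning flags raised by one message (empty list means none)."""
    flags: list[str] = []
    display_name, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rpartition("@")[2]

    # 1. Display name claims to be a known colleague, but the address is not theirs.
    known_mailbox = STAFF_DIRECTORY.get(display_name.strip().lower())
    if known_mailbox and address != known_mailbox:
        flags.append(f"display name '{display_name}' does not match {known_mailbox}")

    # 2. Sender domain is not ours but looks like ours (typo-squat or homoglyph).
    if domain not in TRUSTED_DOMAINS:
        if not domain.isascii():
            flags.append(f"non-ASCII characters in sender domain {domain!r}")
        folded = _fold_domain(domain)
        for trusted in sorted(TRUSTED_DOMAINS):
            if _edit_distance(folded, trusted) <= 2:
                flags.append(f"lookalike domain {domain!r} resembles {trusted!r}")
                break

    # 3. Pressure to act immediately, the lever every 'urgent' request relies on.
    if any(word in subject.lower() for word in URGENCY_WORDS):
        flags.append("urgency language in subject")
    return flags


# Constructed sample headers: one legitimate message and three impersonations.
SAMPLE_MESSAGES = [
    ("Maria Lopez <maria.lopez@grandhotel.example>", "Weekly occupancy report"),
    ("Maria Lopez <mlopez.hotel@webmail.example>", "URGENT: wire transfer needed immediately"),
    ("James Chen <james.chen@grandhote1.example>", "Guest data export"),
    ("James Chen <james.chen@gr\u0430ndhotel.example>", "Server migration"),  # Cyrillic 'а'
]

if __name__ == "__main__":
    for sender, subject in SAMPLE_MESSAGES:
        print(sender, "|", subject)
        for flag in screen_message(sender, subject) or ["(no flags)"]:
            print("   ", flag)
```

The display-name check mirrors exactly what the training bullet tells staff to look for, and the lookalike check catches the cases a human skims past. Run as a gateway rule it complements, rather than replaces, the mail filtering described earlier: a flagged message is a prompt to verify through a known channel, not proof of fraud.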