Tuesday, October 15, 2024

Cybersecurity: The Dual Challenge

By Nicola Young

Hoteliers face a dual challenge: adopting new technologies that improve guest experiences and operations, while also addressing the cybersecurity and environmental concerns those technologies bring for their guests. According to reports, up to 25% of Americans will no longer do business with a firm that has been hacked, and over two-thirds will no longer trust a corporation that has suffered a data breach. There is no reason to think that visitors from the UK feel any differently.

Hotels gather an enormous quantity of personally identifying data, which makes them an attractive target for hackers, and the cost of a breach goes well beyond any regulatory penalty.

Perhaps one of the best known is the data breach Marriott International experienced in 2022, in which attackers used social engineering to gain access to sensitive data, including guests’ credit card information and internal business documents.

Although the 2022 incident was not Marriott’s biggest breach, it is a useful example of why understanding social engineering matters: it is how the attackers obtained the passwords that gave them access to Marriott’s systems.

Social engineering is now the most common form of attack, favoured because it is easier, faster and cheaper to trick a person than to break into a computer system without human help.

The attacker manipulates the target’s emotions to trick them into giving away sensitive information or otherwise compromising security. Put simply, if someone is trying to obtain sensitive information from you through manipulation or coercion, you are the target of a social engineering attack.

Some of the most common forms of social engineering are outlined below. Notice that they all include some kind of emotional lever, whether fear, curiosity, excitement, anger, sadness or guilt, and often a sense of urgency.

All aim to establish trust with an individual. Baiting and phishing can look very similar, but a baiting attack mainly exploits human curiosity, whereas phishing relies largely on trust and adds fear or a sense of urgency. The familiar messages about a missed delivery are a good illustration: they hook the recipient’s curiosity in the way baiting does, although because they arrive unsolicited with a link to click they are usually classed as phishing (or ‘smishing’ when sent by text message).

Baiting and Phishing

Although baiting is less far-reaching than phishing, and its call to action less urgent, it still tries to get the victim to install or click on something that puts malware (which might be used for pharming or as spyware) onto their system.

Phishing is the most common type of social engineering. It deceives, pressures or manipulates people into sending information or assets, and it is the most popular method of delivering ransomware to organisations.

In a work environment the attacker will often masquerade as a person or organisation the victim trusts: a co-worker, a manager or even the CEO, or a company the victim or the victim’s employer deals with. The message creates a sense of urgency so that the victim acts rashly.

According to IBM, a phishing email typically includes the impersonated sender’s logo and masks the ‘from’ address so that it appears to carry the impersonated sender’s domain name. Some go further and register a lookalike domain, for example ‘rnicrosoft.com’ instead of ‘microsoft.com’ (the letters ‘r’ and ‘n’ together pass for an ‘m’ at a glance), to appear legitimate.

The subject line addresses a topic that the impersonated sender might credibly raise, and appeals to strong emotions (fear, greed, curiosity, a sense of urgency or time pressure) to get the recipient’s attention.

Typical subject lines include ‘Please update your user profile’, ‘Problem with your order’, ‘Your closing documents are ready to sign’ and ‘Your invoice is attached’. The body of the email then instructs the recipient to take a seemingly reasonable action that results in them divulging sensitive information or downloading a file that infects their device or network.

For example, recipients might be directed to ‘click here to update your profile’, but the underlying hyperlink takes them to a fake website that tricks them into entering their actual login credentials.

Alternatively, they may be told to open an attachment that appears legitimate (for example, ‘invoice20.xlsx’) but that delivers malware or malicious code to the recipient’s device or network.

Bulk phishing of this kind relies on mass mailing, in the knowledge that some recipients will fall for the attack.

Spear phishing, on the other hand, targets a specific individual, usually someone with privileged access to sensitive data or network resources, or with special authority. Again according to IBM, social media and networking sites, where people publicly congratulate co-workers, endorse colleagues and vendors, and tend to overshare, are rich sources of information for spear phishing research. With this information the spear phisher can send the target a message containing specific personal or financial details and a credible request.

For example: ‘I know you’re leaving for your holidays tonight, but can you please pay this invoice before close of business today?’ A spear phishing attack aimed at a C-level executive, a wealthy individual or some other high-value target is often called whaling or a whale phishing attack.

In a phishing attack, watch for a sense of urgency (‘Your account will be closed today…’, or a request from a colleague to pay an invoice immediately), and be on the lookout for messages that ask for (or reveal) sensitive or personal information, ask you to update profile or payment details, carry a file attachment the recipient did not request or expect, or contain links shortened with bit.ly or another link-shortening service, which hide the real destination.
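As an added illustration of the warning signs listed above, and of the lookalike-domain and hidden-link tricks described earlier, the following Python script (written for this article, not code from IBM or from the original page) scores a constructed message against those heuristics: a sender domain that folds to a trusted brand, a Reply-To that differs from the sender, urgency phrases, shortened links, link text that shows one host while the href goes to another, and an unexpected spreadsheet attachment. The sample message, the trusted-domain allow-list, the shortener list and the risky extensions are all assumptions made up for the example; a real deployment would take them from the organisation’s own mail gateway.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list of domains staff legitimately receive mail from
# (constructed for this example; a real gateway would hold the real list).
TRUSTED = {"microsoft.com", "grandhotel.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}
RISKY_EXT = (".xlsx", ".xlsm", ".docm", ".zip", ".iso", ".exe", ".js", ".html")
URGENCY = re.compile(
    r"\b(immediately|today|urgent(?:ly)?|within 24 hours|"
    r"account will be (?:closed|suspended)|before close of business)\b", re.I)
# Sufficient for anchors in a simple HTML body; use a real HTML parser in production.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def fold(domain: str) -> str:
    """Collapse the visual substitutions typosquatters use: 'rn' for 'm', '0' for 'o', '1' for 'l'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED or any(domain.endswith("." + t) for t in TRUSTED):
        return None
    for t in TRUSTED:
        # 'rnicrosoft.com' folds to 'microsoft.com'; 'login.microsoft.com.verify-now.example'
        # embeds the brand name but its registrable domain belongs to someone else.
        if fold(domain) == t or fold(domain).endswith("." + t) or t in domain:
            return t
    return None


def analyse(raw: bytes) -> list:
    """Return 'CODE: detail' findings for one raw RFC 5322 message (empty list if clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    brand = lookalike_of(from_dom)
    if brand:
        findings.append(f"LOOKALIKE_SENDER: {from_dom} imitates {brand}")

    reply_dom = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(f"REPLY_TO_MISMATCH: replies go to {reply_dom}, not {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    cues = sorted({m.group(0).lower() for m in URGENCY.finditer(str(msg.get("Subject", "")) + " " + text)})
    if cues:
        findings.append("URGENCY: " + ", ".join(cues))

    for href, shown in ANCHOR.findall(text):
        host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", shown).strip()  # drop tags nested inside the anchor
        if host in SHORTENERS:
            findings.append(f"SHORT_LINK: {href} shown as {shown!r}")
        shown_host = re.match(r"https?://([^/\s]+)", shown)
        if shown_host and shown_host.group(1).lower() != host:
            findings.append(f"LINK_TEXT_MISMATCH: shows {shown_host.group(1)} but goes to {host}")
        brand = lookalike_of(host)
        if brand:
            findings.append(f"LOOKALIKE_LINK: {host} imitates {brand}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXT):
            findings.append(f"UNEXPECTED_ATTACHMENT: {name}")
    return findings


# Constructed sample message reproducing the tricks the article describes.
SAMPLE = b"""\
From: "Microsoft Account Team" <security@rnicrosoft.com>
Reply-To: helpdesk@mail-verify.example
To: reservations@grandhotel.example
Subject: Your account will be closed today
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="https://bit.ly/3xAmpl">click here to update your profile</a>
before close of business today.</p>
<p>Portal: <a href="https://login.microsoft.com.verify-now.example/">https://login.microsoft.com</a></p>
--B1
Content-Type: application/octet-stream; name="invoice20.xlsx"
Content-Disposition: attachment; filename="invoice20.xlsx"
Content-Transfer-Encoding: base64

UEsDBBQ=
--B1--
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

Run as a script it prints one finding per trick in the sample. None of these checks is proof of phishing on its own (a genuine supplier may well send an invoice spreadsheet), which is why the script reports every signal and leaves the decision to a human or a gateway rule, rather than blocking on any one of them.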

Publications such as the Anti-Phishing Working Group’s quarterly Phishing Activity Trends Report can help you keep up to date.

Quid Pro Quo

Like baiting, a quid pro quo attack has the attacker pretend to offer the victim something in exchange for information or a specific action. The benefit usually takes the form of a service, whereas in baiting it is usually a good.

For example, the attacker may pose as tech support and talk the target through entering commands or downloading software that installs malware on their system.

Pretexting

In a pretexting attack the attacker builds a pretext, a fabricated scenario credible enough to leave little room for doubt, so pretexting takes many forms. In every case the attacker impersonates a trusted entity or individual to win the victim’s confidence, typically claiming to need specific details from the user to confirm their identity. The information is then used for identity theft or other malicious activity. An attacker might, for instance, claim to be an external IT services auditor so that the organisation’s physical security team lets them into the building.

There have been several cases of attackers masquerading as HR or finance employees to target C-level executives. Whereas phishing uses fear and urgency to its advantage, pretexting relies on building a false sense of trust with the victim.

The priority should be to have staff training in place that covers every level of the business, and every size of business, big or small. And don’t forget to have a plan for communicating with your customers. The question is not whether there will be a cyberattack, but when.
