
Are you being served? 4 ways the hospitality sector can defend against rising phishing attacks

As hackers increasingly target hospitality providers such as clubs and hotels, entities in the sector need to step up and protect their business and customers.

Mon, 16 Mar 2026

In February 2026, the Kairos ransomware group listed the Australian Seagrass Boutique Hospitality Group as a victim on its darknet leak site.

The hackers stole 50 gigabytes of data, which has now been published online. Other threat actors can access that information, raising the possibility of further cyber incidents targeting the business or its employees.

The incident, sadly, is part of a growing trend of hackers targeting the hospitality sector, where just one phishing attack can compromise credentials and lead to further incidents that can expose customer data and business processes of dozens of hotels, restaurants, and bars.

 
 

For instance, Seagrass Boutique Hospitality Group manages 13 Meat & Wine Co locations in Australia alone, two restaurants under the 6HEAD brand, and Hunter & Barrel restaurants in Australia and the United Arab Emirates.

“Cyber criminals are actively targeting hotel property management systems (PMS), email systems, and booking channels. They are sending emails that appear to be from legitimate sources, including OTA platforms or internal systems, designed to trick staff into entering login information or downloading malware,” Nicola Longfield, general manager for accommodation at hotel software firm Access Hospitality, said.

“They start by tricking employees who manage hotel reservations into logging in to a fake system. They do this by creating nearly identical copies of system login pages and even buying similar domain names to lure unsuspecting users. Threat actors are using Google ads to get their sites to the top of the page.

“Once they gain access via stolen credentials, attackers can send fake reservation confirmations or phishing emails to your guests, damaging trust and exposing sensitive guest information.”

But there are ways to prepare for the worst. Here are four vital steps hospitality businesses can take to keep their data, clients, and employees safe from cyber criminals.

1. Upgrade to phishing-resistant multifactor authentication (MFA)

Diego Baldini, CISO of The Access Group, said that passkey-based MFA is “the current gold standard of security protection”.

“Unlike traditional one-time password codes, passkeys provide phishing-resistant authentication that makes it very difficult for attackers to compromise your accounts, even with sophisticated phishing attempts,” Baldini said.

“Even if you already have standard MFA, you are still vulnerable and need phishing-resistant passkey-based MFA.”

Passkeys offer some unique advantages. For one thing, they don’t require employees to use passwords or one-time codes, which can be harvested via phishing attacks. They’re also fast to use and are based on unique cryptographic links between staff accounts and official sign-in applications.

2. Provide staff training and encourage bookmarks over search engines

Staff often rely on search engines to find official login pages, which leaves them open to phishing sites that look like the real thing. Opening login pages from bookmarks rather than search results is far more secure.
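The bookmark advice can also be enforced in tooling. The sketch below is an added example, not code from Access Hospitality or this publication: it compares a login URL against an allowlist of bookmarked hosts and flags near-identical domain names of the kind described above. The hostnames, the function names and the distance threshold of 2 are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: login hosts staff have bookmarked (reserved .example names).
OFFICIAL_HOSTS = {"login.pms.example", "extranet.ota.example"}

def edit_distance(a, b):
    """Levenshtein distance between two strings, using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_login_url(url, official=OFFICIAL_HOSTS, max_distance=2):
    """Return 'official', 'insecure', 'lookalike' or 'unknown' for a login URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if host in official:
        return "official" if parts.scheme == "https" else "insecure"
    # Punycode labels can render as characters that imitate ASCII letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    for good in official:
        # The official name used as a prefix of someone else's domain.
        if host.startswith(good + "."):
            return "lookalike"
        # A few characters swapped, dropped or added (assumed threshold).
        if edit_distance(host, good) <= max_distance:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample URLs, as they might appear in an email or a search ad.
    for url in ["https://login.pms.example/signin",
                "https://login.prns.example/signin",
                "https://login.pms.example.account-verify.test/",
                "https://www.weather.example/"]:
        print(f"{classify_login_url(url):10} {url}")
```

A verdict of "unknown" is not a pass: anything that is not an exact allowlist match should send the user back to the bookmark.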

Also, train staff to identify suspicious emails.

“Encourage employees to watch out for unusual sender addresses, urgent language, unexpected attachments, or requests to share credentials,” Baldini said.

“Lastly, encourage an immediate reporting culture so that even uncertain suspicions are escalated and analysed without delay.”

3. Avoid reusing passwords, and ensure staff use strong, unique passwords or passphrases

“We recommend using long, unique passwords and avoiding reusing them across multiple accounts or systems,” Baldini said.

“Also, disable shared logins (like [email protected]) for critical services. Instead, assign individual accounts for staff with role-based access rights.”

4. Keep software and systems up to date

Lastly, make sure all software is kept up to date to apply the latest security patches. According to Baldini, using outdated software can significantly increase vulnerability to cyber attacks.

“Also, deploy reputable antivirus, malware protection, and firewalls to detect and block malicious activity and finally, back up critical data regularly and test recovery procedures,” Baldini said.

“Backups let you recover quickly if systems are compromised.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
