Email has been around for over 20 years and is one of the most popular tools used in communicating between people and businesses. Because it’s popular, people often forget about the risk of exposing their personal data and information to hackers and scammers.
Typically, an email scam will involve the impersonation of someone you know or a business you are familiar with.
Email scams have two main goals.
Trick you into providing your personal information. For example, a hacker might send an email pretending to be from a shopping site like “Amazon” informing you that someone else has been using your account. The email can include a link to verify your account details, and when you do, the hacker will get your login information and password.
Get you to download malware onto your device. Malware is a malicious program that installs itself on your device and executes program files that allow scammers to get unauthorized access to your computer or software applications. Malware can monitor keystrokes or the websites you visit to uncover sensitive information like your personal credentials and banking information.
Opening an email from a scammer will not expose you or your sensitive information to compromise. But you will still be giving away some potentially useful details that scammers can use to build a profile of you for targeted attacks in the future. This information may include your internet IP address, operating system, and location.
The threat level of opening an email from an unidentified source is minimal, but interacting with its content can be more dangerous. Accidentally clicking a link or downloading an attachment means you stand a very good chance of unleashing malware (more on that below) which can be used for nefarious purposes. Once it is on your device, your data integrity will be compromised unless you have a robust antimalware sentinel doing its job in the background.
The hotel industry is particularly vulnerable because of the priority hoteliers put on “call to action” and service excellence. The use of individualized tactics to compromise hotel accounts, in addition to playing off reputable websites (for example “Booking.com”) to scam guests, is unprecedented and quite ingenious.
What’s typical of the hotel industry is the use of seasonal and part-time workers. Hackers and scammers know many of these employees are less sensitive to email compromise, which adds to the complexity of maintaining a robust cybersecurity profile.
Cybercriminals typically use “phishing” methods to redirect unsuspecting hotel staff to fake websites or extranet login pages to harvest account information. Others can pose as guests asking the hotel to confirm reservation details using a fake OTA mirror website or fake agent names.
The hospitality industry provides a treasure trove of valuable information for hackers, including:
Valuable Data: Hotels and travel agencies handle a wealth of personal and financial information, including legal names, email addresses, credit card details, and often sensitive travel plans. This data is highly valuable for cybercriminals.
Email and Online Booking Systems: The widespread use of email for communication and online platforms for bookings creates numerous ways to plan an attack. Cybercriminals exploit these systems to launch phishing campaigns.
Interconnectedness: The connected nature of various platforms in the hospitality sector amplifies the risk, as breaching one account can expose a wide range of customer data.
Targeting Vulnerabilities: Smaller hotels or those with less robust cybersecurity measures are particularly vulnerable, making them attractive targets for cybercriminals.
Sophistication of Attacks: The evolution of phishing techniques, including the use of Generative AI to create convincing, personalized messages, has made these attacks more effective and challenging to detect.
The most common forms of email attack include the following:
As mentioned earlier, phishing attacks are when the malicious actor pretends to be someone legitimate to obtain your sensitive information, such as usernames, passwords, and other personal information. In most cases, attackers send out a high volume of fraudulent emails that look legitimate to trick users into clicking a malicious link or downloading a seemingly benign attachment.
These attacks typically contain three elements:
Deception
Urgency
Fake links and attachments
Phishing takes many forms and can be extremely challenging to detect. That’s one of the reasons phishing and other social engineering attacks are some of the most popular infiltration methods hackers use. The different types of phishing attacks include:
Email spoofing is the process of creating emails from a forged email address. It misleads the receiver into believing that the email came from someone on their contact list. It’s a technique used to send malware, to access your online accounts, or to steal money.
How Email Spoofing Works:
A hacker forges fake email headers to initiate an email spoofing attack.
When these bogus emails are received, their headers show a fake sender address. These sender addresses look genuine due to logos or even fonts.
Hackers run the campaign by sending mass emails to the organization.
These emails contain malicious links or ask you to download an application.
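Forged headers often leave inconsistencies that can be checked in the raw message. The following is an added example, not part of the original post: it compares the visible From address with other headers and reads the receiving server's authentication verdict. The sample message, host names and finding labels are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every address uses a reserved example domain.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.hotel.example; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=partner.example.com
From: "Reservations Team" <reservations@partner.example.com>
Reply-To: payments@example.org
To: frontdesk@hotel.example
Subject: Urgent: confirm guest booking

Please confirm the booking details today.
"""

def domain_of(value):
    """Return the lower-cased domain of the address in a header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def spoofing_indicators(raw_message):
    """List header inconsistencies that commonly accompany a forged sender."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    findings = []
    # Bounce address on another domain: a weak signal on its own, since
    # legitimate bulk-mail services also cause it.
    rp = domain_of(msg.get("Return-Path"))
    if rp and rp != from_dom:
        findings.append("return-path-mismatch")
    # Replies would go to a different domain than the one shown as sender.
    reply = domain_of(msg.get("Reply-To"))
    if reply and reply != from_dom:
        findings.append("reply-to-mismatch")
    # Verdicts stamped by the receiving server (RFC 8601). Only trust this
    # header when it was added by your own mail server.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech}-fail")
    # Display name that shows an address on a different domain.
    if domain_of(display) not in ("", from_dom):
        findings.append("display-name-address-mismatch")
    return findings
```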
A BEC attack occurs when malicious actors impersonate colleagues, C-suite executives, or high-ranking officials to target victims and trick them into transferring funds into the hacker’s bank account. Sometimes the hackers also hijack the senior official’s email account to run the attack. Most of the time, the email appears to be from a colleague, senior official within the organization, or business partner.
How BEC Works:
The attackers impersonate someone from the organization or a business partner, or hack their email accounts.
They run the campaign by sending out mass emails.
They trick the victim into trusting them and make them transfer money, or worse, it will lead to a data breach.
The three types of attacks mentioned above make up the bulk of case statistics. Although there are other use case scenarios similar to the ones mentioned above, for the sake of keeping this blog simple, we won’t discuss them here.
Not all security breaches will result in the same kind of data compromise and some will be more consequential than others. Either way, one of the following will likely be the outcome of a successful email attack.
Malware: Malware is basically a blanket term for malicious software that includes viruses, worms, trojans, and other harmful software with malicious intent. It is delivered to the victims in the form of malicious links or attachments. When the victim clicks the links or downloads an attachment, the malware gets into the system of the victim.
Ransomware: Ransomware is a form of malware that locks the victim out of their system and, in exchange, the hackers demand a ransom from the victim. Similar to malware, ransomware is often delivered to the victim via a phishing or spear phishing attack.
Credential theft: This occurs when the hackers obtain the victim’s credentials through a phishing or spear phishing attack. Often, the hackers send out emails that include malicious links. When the victim clicks upon the link, they are redirected to a fraudulent website where they are asked to submit their credentials.
Wire transfer fraud: Wire transfer fraud takes place when the hackers trick the victim into transferring funds into the hacker’s bank account. In most cases, hackers pretend to be someone who is closely associated with the victim within the organization.
Even though email attacks are the most common form of data breach, there is a positive side to the story. The good news is that the attacks are often low-tech and take advantage of employees' ignorance about cybersecurity. As a result, hoteliers can be proactive by training their employees to be aware of the threats and consequences, as well as implementing email security tools and best practice standards as follows.
Educate your Employees: Provide regular workshops and training about data security for new and existing staff, so they are better aware of hotel policy involving the dangers and consequences. Staff should have the knowledge and experience of how to react and not react when they encounter a security breach or cyber-attack.
Audit Your Existing Security Infrastructure: Your organization or hotel needs a clear operating procedure or guideline about data security and how to tackle existing and emerging threats, whether by email or malware. Doing a safety audit and review of the security measures in place can reveal where you need to take remedial action or establish a more robust framework for better front line protection.
Enforce a Strong Password Policy: When it comes to defending against email or cyber-attack, maintaining a strong password policy acts as the first line of defense. Hoteliers should enforce a strong password policy and also make sure that employees comply with hotel policy. Use different passwords for different accounts and choose passwords that are a combination of uppercase and lowercase letters, along with numbers and symbols, for better all-round protection.
Password cycling: Require employees to use strong passwords, and mandate frequent password changes. This helps to make sure that, even if a password is compromised, the security breach will be limited to one account.
Spam filtering: Implement scanners and other tools to scan messages and block emails containing malware or other malicious files before they reach end users. Benign spam mail, like marketing offers, can burden employee productivity if they have to manually remove it from their inboxes regularly.
Employee on-line Best Practices: Through awareness training, make sure hotel staff do not use the hotel’s office equipment to visit websites that seem innocuous but have nefarious intent. Often hotel staff unknowingly visit websites that pose as shopping, travel, or social media sites, either to obtain resourceful information or for personal use. These sites can and do use cookies, which reside in your computer’s internet browser, and because office equipment can and does change hands over time, cookies will continue to provide valuable data to their originators without your knowledge.