Why Phishing Attacks Target Hospitality—and What to Do About It
Phishing scams date back almost 30 years, and even longer than that if you count telegraph, postal, and fax impersonation. By now, most internet users know to watch for suspicious messages in their inboxes. Yet phishing remains one of the most consistently successful attack vectors for today's cybercriminals: between 2021 and 2022, researchers saw a 61% increase in the rate of phishing attacks, a sign that attackers still find the tactic lucrative even as digital literacy has improved. What gives?
The truth is that phishing is—and always has been—a numbers game. Phishing emails are sent to so many addresses that even a 1% success rate can result in a staggering number of victims. People make mistakes—human error is called human error for a reason, after all—and all it takes is one tired, distracted, or unobservant employee to put a set of credentials into an attacker’s hands. But while organizations can’t change human nature, they can change the way they go about stopping and mitigating phishing attacks. Hotels, restaurants, and other businesses in the hospitality industry need to reexamine the way they approach phishing if they want to keep their data safe from attackers.
Hospitality Is Particularly Vulnerable to Phishing Attacks
IBM's Cost of a Data Breach Report 2023 puts the average cost of a data breach in the hospitality industry at $3.36 million, up from $2.94 million the year before. That is a notable increase at a time when industries like finance and technology, usually considered prime targets, saw their average breach costs fall, and it suggests attackers increasingly view hospitality organizations as both lucrative and soft targets. The same report found that phishing was the initial attack vector in 16% of all breaches, the single most common entry point. The combination underscores the relative vulnerability of hospitality businesses, which often collect a significant amount of customer data but are not generally known for robust cybersecurity. Attackers see a potential treasure trove of data with little standing in their way.
Research also indicates that roughly 60% of small businesses are forced to close their doors within six months of a breach, an important data point for the hospitality industry, which has a larger share of small and midsize businesses (SMBs) than most. Independent hotels, family-owned restaurants, small venues, and similar businesses make up a significant portion of the sector, leaving it particularly exposed to the potentially devastating financial consequences of a breach. The message is clear: businesses that want to avoid becoming another data point need to understand modern phishing tactics and have the tools and strategies in place to mitigate them.
Preventing and Mitigating Modern Phishing Attacks
Stopping modern phishing tactics starts with effective training. While most individuals today understand the basics of phishing, attackers have evolved their tactics over the years, and as technology like generative AI becomes more common, phishing emails will only become better written and harder to spot. Employees need to know the red flags of a modern phishing attack. Does the email invoke one or more forms of authority, such as corporate executives, regulatory agencies, or law enforcement? Is the sender creating a sense of false urgency? Does the email include any unusual or timebound requests? Any of these can be a sign of attack, and several together are a strong one.
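The red flags above can be turned into a first-pass triage check that a help desk or mail gateway runs on a reported message. The following is an added example, not code from the original article or from Cymulate: it parses a raw message with Python's standard library, scores the cues the text lists (appeal to authority, false urgency, unusual or timebound requests), and adds two header checks that usually accompany them, an outside address claiming an inside title and a Reply-To routed to a different domain. The phrase lists, the defender's domain example-hotel.com, and both sample messages are constructed for illustration.

```python
"""
Red-flag triage for a suspected phishing email (added example; the phrase
lists, INTERNAL_DOMAIN and both messages are illustrative assumptions).
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-hotel.com"  # assumed: the organisation's own mail domain

# Regex fragments, matched case-insensitively on word boundaries.
AUTHORITY = [r"ceo", r"general manager", r"director", r"regulator(y|s)?",
             r"law enforcement", r"police", r"compliance"]
URGENCY = [r"urgent(ly)?", r"immediately", r"asap", r"right away", r"within the hour"]
REQUESTS = [r"gift cards?", r"wire transfer", r"change (the|our) bank",
            r"update (the )?payment", r"verify your password", r"log ?in here"]
DEADLINE = [r"(by|before) \d{1,2}(:\d{2})? ?(am|pm)",
            r"(by|before) (end of (the )?day|eod|today|tonight)"]


def matches(text, patterns):
    """Return the patterns that occur in text as whole words/phrases."""
    return [p for p in patterns if re.search(rf"\b(?:{p})\b", text, re.I)]


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = [msg] if not msg.is_multipart() else [p for p in msg.walk() if not p.is_multipart()]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Score one raw RFC 5322 message; returns a level and the flags that fired."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    flags = {}
    for label, patterns in (("authority", AUTHORITY), ("urgency", URGENCY),
                            ("unusual_request", REQUESTS), ("timebound", DEADLINE)):
        hits = matches(text, patterns)
        if hits:
            flags[label] = hits
    # Header cues: an outside address claiming an inside title, or replies routed elsewhere.
    if domain(from_addr) != INTERNAL_DOMAIN and matches(from_name, AUTHORITY):
        flags["external_sender_claims_authority"] = [from_addr]
    if reply_to and domain(reply_to) != domain(from_addr):
        flags["reply_to_mismatch"] = [reply_to]
    level = "high" if len(flags) >= 3 else "medium" if flags else "low"
    return {"level": level, "flags": flags}


# Constructed sample: a gift-card scam impersonating the general manager.
PHISH = """\
From: "Alex Rivera, General Manager" <alex.rivera@example-hotel-mail.co>
Reply-To: arivera.gm@fast-reply-mail.net
To: frontdesk@example-hotel.com
Subject: Urgent request - need this handled before 3pm
Content-Type: text/plain; charset=utf-8

I am in a meeting with the regulatory auditors and cannot take calls.
Please buy 5 gift cards and send me the codes right away. Keep this quiet.
"""

# Constructed sample: a routine internal message.
BENIGN = """\
From: Housekeeping <housekeeping@example-hotel.com>
To: frontdesk@example-hotel.com
Subject: Updated shift schedule for next week
Content-Type: text/plain; charset=utf-8

The schedule for next week is attached. Swap requests go through the usual form.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw))
```

The gift-card message fires all six flags and scores high; the schedule notice fires none. Keyword lists like these are cheap to evade, so the header checks matter more than the phrase hits: a sender outside your domain using an executive's title, or a Reply-To pointing somewhere else, should escalate a report regardless of wording.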
Employees need to understand the protocols to follow if they receive such an email, and, crucially, businesses should encourage employees to self-report if they believe they have fallen for a scam. The sooner the security team knows about a potential breach, the sooner it can be contained, which means employees should be rewarded for coming forward, not punished for a single mistake. Repeated mistakes, when additional training has been provided after each, can indicate a situation that requires disciplinary action, but punishment for an accidental click should be avoided.
It’s impossible to know how effective a security program is without testing it. That means employees must be regularly tested with simulated phishing exercises that allow the company to safely mimic real-world phishing tactics to determine whether employees continue to fall for them. Additionally, it can help identify any high-risk employees who regularly interact with suspicious emails, singling them out for further training and testing.
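Simulation results are only useful if they are measured consistently across campaigns. The block below is an added example, not code from the original article or from Cymulate: given per-employee outcomes from three constructed quarterly campaigns, it computes click, credential-submission and report rates per campaign, the click-rate trend over time, the repeat clickers who need targeted training, and the employees who have never reported a lure (a gap the page's advice on self-reporting makes just as important). The employee names, dates and outcomes are constructed sample data.

```python
"""
Phishing-simulation analytics (added example; RESULTS is constructed data).
Each row: (campaign, date, employee, clicked, submitted_credentials,
           minutes_to_report or None if the employee never reported it).
"""
from collections import defaultdict
from statistics import median

RESULTS = [
    ("Q1", "2024-01-15", "ana", True,  True,  95),
    ("Q1", "2024-01-15", "ben", True,  True,  None),
    ("Q1", "2024-01-15", "cai", True,  False, None),
    ("Q1", "2024-01-15", "dee", False, False, 12),
    ("Q1", "2024-01-15", "eli", False, False, 40),
    ("Q1", "2024-01-15", "fay", False, False, None),
    ("Q2", "2024-04-15", "ana", True,  True,  None),
    ("Q2", "2024-04-15", "ben", True,  False, None),
    ("Q2", "2024-04-15", "cai", False, False, 8),
    ("Q2", "2024-04-15", "dee", False, False, 5),
    ("Q2", "2024-04-15", "eli", False, False, 30),
    ("Q2", "2024-04-15", "fay", False, False, 20),
    ("Q3", "2024-07-15", "ana", False, False, 4),
    ("Q3", "2024-07-15", "ben", True,  False, None),
    ("Q3", "2024-07-15", "cai", False, False, 6),
    ("Q3", "2024-07-15", "dee", False, False, 3),
    ("Q3", "2024-07-15", "eli", False, False, 15),
    ("Q3", "2024-07-15", "fay", False, False, 9),
]


def campaign_metrics(results):
    """Per-campaign rates. Reporting speed matters as much as the click rate:
    a fast report bounds how long stolen credentials stay useful."""
    by_campaign = defaultdict(list)
    for row in results:
        by_campaign[row[0]].append(row)
    out = {}
    for name, rows in by_campaign.items():
        n = len(rows)
        reports = [r[5] for r in rows if r[5] is not None]
        out[name] = {
            "date": rows[0][1],
            "targets": n,
            "click_rate": sum(r[3] for r in rows) / n,
            "submit_rate": sum(r[4] for r in rows) / n,
            "report_rate": len(reports) / n,
            "median_minutes_to_report": median(reports) if reports else None,
        }
    return out


def click_rate_trend(results):
    """Click rate per campaign in date order, for tracking improvement over time."""
    m = campaign_metrics(results)
    return [(name, round(v["click_rate"], 3))
            for name, v in sorted(m.items(), key=lambda kv: kv[1]["date"])]


def repeat_clickers(results, min_campaigns=2):
    """Employees who clicked in at least min_campaigns distinct campaigns."""
    clicks = defaultdict(set)
    for campaign, _, employee, clicked, _, _ in results:
        if clicked:
            clicks[employee].add(campaign)
    return {e for e, cs in clicks.items() if len(cs) >= min_campaigns}


def never_reported(results):
    """Employees who have not reported a single simulation: a training target too."""
    reporters = {r[2] for r in results if r[5] is not None}
    return {r[2] for r in results} - reporters


if __name__ == "__main__":
    for name, m in sorted(campaign_metrics(RESULTS).items()):
        print(name, m)
    print("trend:", click_rate_trend(RESULTS))
    print("repeat clickers:", sorted(repeat_clickers(RESULTS)))
    print("never reported:", sorted(never_reported(RESULTS)))
```

On the sample data the click rate falls from 50% to 17% across the three campaigns while the report rate rises and the median time to report drops from 40 minutes to 6, which is the shape a working program should show. Two employees clicked in more than one campaign, and one of them has never reported a lure; that combination, not a single click, is what justifies extra training.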
Of course, testing doesn't stop with employees. It is important to run breach and attack simulation (BAS) exercises around simulated phishing campaigns to understand how much damage a successful phish could actually do. Organizations need to know whether their existing security controls can recognize an intruder even when that intruder holds legitimate credentials. A simulated campaign followed through to the next step therefore identifies not just which employees are most vulnerable, but whether additional controls are needed. It is impossible to stop 100% of phishing attacks, so organizations must know whether they can detect and contain an intruder when an employee inevitably clicks a malicious link. Repeating the exercise also provides useful analytics, letting businesses track improvement over time.
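The question "can we see an intruder who holds valid credentials?" has a concrete test: after the simulation captures a password, have the red team sign in with it and check whether anything fires. The block below is an added example, not code from the original article or from Cymulate, of the detection side of that test. It builds a per-user baseline of countries and IP addresses from sign-in events before the campaign, flags later sign-ins that break the baseline (a new country, or an unseen IP without MFA), and correlates each alert with who submitted credentials in the simulation and when. All users, timestamps, addresses and the 72-hour correlation window are constructed assumptions.

```python
"""
Detecting use of phished credentials in sign-in logs (added example;
SIGNINS, SUBMISSIONS and CAMPAIGN_START are constructed data).
"""
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sign-in log. mfa=False stands for a legacy, password-only protocol.
SIGNINS = [
    {"user": "ben", "time": "2024-07-01T08:02:00+00:00", "ip": "203.0.113.10", "country": "US", "mfa": True},
    {"user": "ben", "time": "2024-07-08T08:10:00+00:00", "ip": "203.0.113.10", "country": "US", "mfa": True},
    {"user": "ana", "time": "2024-07-02T09:00:00+00:00", "ip": "198.51.100.5", "country": "US", "mfa": True},
    # after the simulation ran on 2024-07-15
    {"user": "ben", "time": "2024-07-15T09:40:00+00:00", "ip": "192.0.2.77",   "country": "NL", "mfa": False},
    {"user": "ben", "time": "2024-07-15T10:05:00+00:00", "ip": "203.0.113.10", "country": "US", "mfa": True},
    {"user": "ana", "time": "2024-07-16T09:01:00+00:00", "ip": "198.51.100.9", "country": "US", "mfa": True},
    {"user": "ben", "time": "2024-07-20T22:15:00+00:00", "ip": "192.0.2.78",   "country": "NL", "mfa": False},
]

# Who entered credentials on the simulation's landing page, and when.
SUBMISSIONS = {"ben": "2024-07-15T09:12:00+00:00"}
CAMPAIGN_START = "2024-07-15T09:00:00+00:00"


def build_baseline(events, cutoff):
    """Countries and IPs each user signed in from before the campaign started."""
    base = {}
    for e in events:
        if ts(e["time"]) < ts(cutoff):
            b = base.setdefault(e["user"], {"countries": set(), "ips": set()})
            b["countries"].add(e["country"])
            b["ips"].add(e["ip"])
    return base


def suspicious_signins(events, cutoff, submissions, window_hours=72):
    """Post-campaign sign-ins that break the baseline, tagged with whether they
    fall inside window_hours after that user's simulated credential submission."""
    base = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        when = ts(e["time"])
        if when < ts(cutoff):
            continue
        b = base.get(e["user"], {"countries": set(), "ips": set()})
        reasons = []
        if e["country"] not in b["countries"]:
            reasons.append("new country")
        if e["ip"] not in b["ips"] and not e["mfa"]:
            reasons.append("unseen IP without MFA")
        if not reasons:
            continue
        sub = submissions.get(e["user"])
        correlated = sub is not None and timedelta(0) <= when - ts(sub) <= timedelta(hours=window_hours)
        alerts.append({"user": e["user"], "time": e["time"], "reasons": reasons,
                       "correlated_with_simulation": correlated})
    return alerts


def simulation_detected(events, cutoff, submissions):
    """True if at least one alert lines up with a simulated credential submission."""
    return any(a["correlated_with_simulation"]
               for a in suspicious_signins(events, cutoff, submissions))


if __name__ == "__main__":
    for a in suspicious_signins(SIGNINS, CAMPAIGN_START, SUBMISSIONS):
        print(a)
    print("simulation detected:", simulation_detected(SIGNINS, CAMPAIGN_START, SUBMISSIONS))
```

On the sample log the red team's sign-in 28 minutes after ben submitted his password is flagged and correlated; his normal office sign-in and ana's new-IP-with-MFA sign-in are not; and a second foreign password-only sign-in five days later is flagged but not correlated, which is exactly the kind of event a real attacker would produce after the exercise is over. If this check returns no correlated alert, the credentials were used and nobody noticed, and that is the finding a BAS exercise exists to surface.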
Prioritizing Mitigation and Damage Reduction
Phishing schemes will probably never go away. For attackers, they represent the perfect combination of “easy” and “lucrative,” and tools like generative AI will only make them easier to conduct with a higher success rate. But that doesn’t mean businesses should just accept them. With the proper education, training, and testing, organizations can dramatically reduce the effectiveness of phishing attacks while limiting the potential damage even a successful attack can cause. For businesses in the hospitality industry, that can mean the difference between a minor incident and an extinction-level event.
About the Author
Mike DeNapoli is the Director and Cybersecurity Architect at Cymulate. He has spent over two decades working with companies from mom-and-pop shops to Fortune 100 organizations, advising on issues from business continuity planning to cloud transformation to real-world cybersecurity.