How Can Employees in the Hospitality Industry Look Out for Social Engineering Attempts?

by Sarah Harvey / April 18th, 2019

Employees in the hospitality industry are trained to meet needs, so it doesn’t take much effort for hackers to take advantage of their willingness to help. Employees are so valuable, but they can also be your weakest link. How much customer service is too much? When should an employee become suspicious of a guest or visitor’s behavior? Unfortunately, not often enough.

What is Social Engineering?

How sure are you that your employees can withstand a social engineering attempt? Social engineering is creative and engineered to trick your employees. Social engineering leverages and manipulates human interactions to compromise your organization. This could be something like bypassing a procedure and letting a guest into an employee-only area or believing someone’s unusual circumstances that lead to breaking policy. Eventually, these breaks in policy or procedure lead to malware or unauthorized access to your system. The stories that come out of social engineering engagements can be shocking to security officers and executives who believe that their employees would never fall for it – especially in the hospitality industry. Social engineering doesn’t require a lot of technology or complicated processes; all it needs is a distracted, careless, or maybe a too-accommodating employee.

Social Engineering in Hospitality

In the 2016 Erin Andrews-Marriott case, Andrews’ stalker was able to use the hotel restaurant’s house phone and asked to be connected to Andrews’ room. When the hotel complied with this request, he was able to see Andrews’ room number and discovered there was a room available next to hers. From there, he went to the front desk, requested that room, and was able to book it. Although the room was available, should the employee have let him book it, knowing a high-profile guest was in the room next door? Andrew’s stalker was then able to set up a camera through a peephole and record Andrews undressing, which he later released on the Internet.

Andrews asked in court, “Why didn’t they even call me to tell me? Why didn’t they ask? I was so angry. This could’ve been stopped. The Nashville Marriott could’ve just called me.” Why didn’t the Marriott employee recognize suspicious behavior? Why didn’t they tell her someone had requested a room that was, coincidentally, next to hers? This social engineering tactic worked on the front desk employee, eventually costing the hotel chain $26 million after Andrews sought justice for her privacy being violated. How many other times has a method like this one worked? The hospitality industry depends on guests and visitors feeling safe. When that trust is lost, how will your brand survive?

pic.twitter.com/2qWWxgVo9U

— Erin Andrews (@ErinAndrews) March 7, 2016

Social engineering with the intent of phishing is also a low-effort tactic for hackers. A simple attempt may look something like this: a hacker calls customer service to get help “confirming a reservation.” When the hacker offers to send the reservation information via email, the customer service representative doesn’t think twice about opening it. They’re just helping a customer, right? This is how quickly malware can enter into your organization when employees fall for phishing.

Not enough organizations test their employees with social engineering. It’s hard to convince organizations that our team of penetration testers will be able to manipulate their employees or environment, until they see the results. Even if employees mean well or cause unintentional harm, your employees are probably your weakest link and are highly targeted. Let us help educate your employees on ways they could be compromised during their day-to-day interactions.