Hoteliers beware: As the hospitality industry responds to the challenges of the coronavirus pandemic, efforts to ensure guest and employee safety through automation and technology can also pose significant cyber-safety risks. Many businesses have turned to AI and mobile applications that limit physical transactions and allow guests to interact with staff virtually. While the ubiquity of this technology is increasing, however, many hoteliers struggling to stay afloat have furloughed or laid-off key management employees, including compliance staff and IT security professionals who are often the first (and sometimes the only) line of defense against data breaches and fraud. Unfortunately, cybercriminals around the world are taking advantage of the pandemic by attacking the computer systems of businesses at a time when their limited resources are focused on the physical health and safety of their customers and employees.
Without a sufficient focus on network security and compliance programs, hotels large and small are particularly susceptible to malware and other malicious attacks. Malware schemes, for example, involve embedding malicious software in coronavirus-related websites and links. Most often, these links arrive in emails designed to look legitimate, e.g., from a government agency like the CDC, from a known supplier, or from an internal manager. Employees are tricked into clicking links that download malware to their computers or mobile devices, and from there into the business's systems. Ransomware attacks are also a threat. Increased reliance on technology means that hotels cannot afford to lose access to the systems where growing amounts of guest data, including personal and credit card information, are stored. Even if no data is ultimately lost, the reputational damage caused by a data breach can bury a business already struggling to survive.
Business email compromise (BEC) fraud is a type of phishing scam in which fraudsters impersonate a company employee, customer, or third-party business to trick employees of the company into transferring funds or disclosing confidential data.
Hotels also face significant external threats from another type of cyber-attack, commonly referred to by law enforcement as business email compromise (BEC) fraud. Increased email usage by hotel employees to communicate with guests, fellow employees, and vendors, combined with reductions in IT and compliance staff, only amplifies this threat.
In 2019 alone, the FBI received nearly 24,000 complaints reporting close to $1.8 billion in losses from BEC fraud. Worldwide estimated losses approached $26 billion between 2016 and 2019. According to one news report, “BEC attacks targeted more than 30,700 organizations in the first quarter of 2020.” These numbers, as high as they are, likely underestimate the prevalence of BEC threats, because victims do not always realize they were attacked and, fearing reputational damage, do not always report suspected fraud. The losses incurred by businesses as a result of BEC scams can be attributed, at least in part, to the increasing savviness of scammers. Fraudulent emails are no longer full of broken English and improper syntax. Instead, today’s phishing scams rely on social media research and on monitoring business and personal email communications, often for months. Scammers then create email account usernames that, at a brief glance by a busy employee, look legitimate.
With respect to the hotel industry, spoofed emails may appear to come from hotel guests, internal management, third-party vendors or suppliers, or consultants. Clothed with legitimacy, these fraudulent emails typically ask the target either to provide sensitive data or to send a payment (such as a refund for a customer, a change to an employee's direct deposit account, or a change to the bank account information for a significant pending wire) directly to the thieves. Customarily, these requests stress a sense of urgency and may press the employee to set aside standard policies and procedures.
In instances where the scammer impersonates a vendor, supplier, or other third-party business, there is additional risk that the scheme will leave costly civil litigation in its wake, as the hotel and its vendor fight over who is responsible for the lapse in security. Most courts currently attribute the loss to “the party who was in the best position to prevent the fraud by exercising reasonable care.” As a result, businesses that fall victim to these schemes, after laying off or furloughing their compliance and IT teams, may suffer the loss of funds and be required to provide services anticipated by the contract.
There are a variety of preventative steps that hoteliers can take now to mitigate the risks of malware, ransomware, and BEC cyber-attacks. One of the most important is simple: awareness. Employees should be trained to look for red flags in all emails and outside links. Does the email actually come from an internal account? Is it an account you have communicated with before? Any email, phone call, or message asking for payment or for a change to account information deserves special attention. Checklists can help remind staff to confirm important information prior to authorizing payment. Successful policies should also require multiple people to review a transaction before it is finalized and, for large transactions, require several levels of confirmation with the intended recipient through a channel other than the requesting email. Hoteliers should also work with their legal teams to manage risk on the front end by using specific contractual provisions that shift the risk of loss in business transactions to the party whose system was compromised. And in the event of a breach, make sure employees preserve all emails and other evidence of the cyber-attack to provide to your counsel and the authorities.
As the hospitality industry begins its recovery, it cannot afford to overlook the increasing threat posed by cyber-attacks. Fraudsters around the world are watching.