5 key ways to avoid cybercrime

As the hospitality industry puts more effort into ensuring guest and employee safety through automation and technology, it also takes on significant risks. Many have turned to artificial intelligence and mobile applications that eliminate physical transactions entirely and allow guests to interact with staff virtually.

While the use of this technology increases, many hoteliers struggling to stay afloat have furloughed or laid off key management employees, including compliance staff and IT security professionals, who often are the first (and sometimes the only) line of defense against data breaches and fraud.

Nathan W. Hill and Jonathan K. Osborne are attorneys and shareholders at Gunster.


Unfortunately, cybercriminals around the world are taking advantage of the pandemic by attacking the computer systems of businesses at a time when their limited resources are focused on the physical health and safety of their customers and employees. This article provides a few simple tips to help avoid the most common types of cybercrime.

Awareness: The first and most important step is awareness. Specific descriptions of currently known fraud schemes are updated regularly by the FBI. These scams include spoofing and phishing (scams aimed at tricking victims into providing sensitive information), business email compromise (tricking employees into misdirecting payments), and ransomware (a type of malicious software that prevents access to computer systems or files until the victim pays a ransom). Although the types of scams change regularly, a few simple procedures can help mitigate this risk.

Handling emails requesting money: Train employees to apply a critical eye to every email that requests the movement of money or potentially sensitive information, and to be especially wary if the requestor is pressing for quick action. Fraudsters today rely on social media research and on monitoring business and personal email communications, often for months. Scammers then create email account usernames that, at a brief glance, look like the real thing. Spoofed emails may appear to come from hotel guests, internal management, third-party vendors or suppliers, or consultants. These fraudulent emails typically ask the target either to provide sensitive data or to send a payment (such as a refund for a customer, a request to change the direct deposit account for an employee, or a change of bank account information for a pending wire) directly to the thieves.

Creating internal policies: Catching fraudulent emails is difficult, but internal policies and checklists can go a long way. Checklists should remind employees to go through certain steps before any money or sensitive information is exchanged via email, such as:

  • Does the email come from an internal account or a recognized email address? Some email platforms show only the name of the sender and hide the actual email address unless the user hovers the mouse cursor over the name. 
  • Carefully examine the email address, as scammers use slight differences in email addresses to trick the eye.
  • Verify payment and purchase requests, including account number and payment procedure, in person or by phone to ensure they are legitimate.
  • Do not rely on any information contained in a suspicious email.
  • Never click on a link or open an attachment from an unknown source.
  • Never insert unknown drives into a work computer. Fraudsters have been known to leave malware-laden flash drives in publicly accessible areas (hotel lobby or business center) in the hopes that a well-meaning or curious employee will plug one into the system.
  • Never plug a work device into a public USB port. These ports are common today in airports and other public areas, like retail malls, but they can install malware on attached devices.
  • Do not click on an unsolicited email or text message asking to update account information.
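The first two checklist items (look at the real address, not the display name, and watch for slight differences) can also be applied automatically at the mail gateway or help desk. The following Python sketch is an added example, not part of the original article; the trusted domains, the confusable-character map and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed allowlist: the property's own domain and one vendor (hypothetical names).
TRUSTED = {"examplehotel.com", "acme-linen.example"}

# Characters often swapped to fool the eye (illustrative, not exhaustive).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain):
    """Collapse common look-alike characters so near-identical domains compare equal."""
    return domain.lower().translate(CONFUSABLE).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED):
    """Return (verdict, detail) for a From header, judged on the real address."""
    display, addr = parseaddr(from_header)
    local, at, domain = addr.lower().rpartition("@")
    if not (local and at and domain):
        return ("reject", "no parsable address")
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        # Near miss: same skeleton, or at most two character edits away.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 2:
            return ("lookalike", good)
    # The display name cites a trusted domain but the real address is elsewhere.
    if any(good in display.lower() for good in trusted):
        return ("display-mismatch", domain)
    return ("unknown", domain)


if __name__ == "__main__":
    for header in ['Front Desk <frontdesk@examplehotel.com>',      # constructed samples
                   'Accounts <billing@examp1ehotel.com>',
                   '"examplehotel.com Accounts" <pay@mailbox.example>']:
        print(header, "->", classify_sender(header))
```

A "trusted" verdict only means the visible address matches a known domain; the From header can itself be forged, which is why the checklist's in-person or phone verification of payment requests still applies.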

In case of a breach: Be prepared to act in the event of a breach. Once a breach has occurred, employees should save all emails and other evidence of a cyber-attack to provide to your counsel and authorities. If sensitive information is stolen or if a business system is compromised, immediately contact the local FBI field office to report the crime and file a complaint with the FBI’s Internet Crime Complaint Center. Contact outside counsel who can assist in mobilizing specialists to diagnose and address malware and stop a further leak of information. If money is inadvertently sent to an incorrect account, immediately contact your financial institution and inform it of the mistake. Oftentimes, misapplied wires can be recalled within a few days.

Manage breach risks: Work with legal teams to manage the risk of a breach on the front end. Specific contractual provisions with vendors and suppliers can shift the risk of loss in business transactions to the party whose system was compromised. Such provisions are not common in this or any other industry today, but they can help mitigate inevitable losses for businesses that take conscientious steps to avoid being victimized.

As the hospitality industry begins its recovery from COVID-19 impacts, it cannot afford to overlook the increasing threat posed by cyber-attacks. Fraudsters around the world are watching.