These days, data security and privacy are paramount. Hotels that have suffered breaches, like Marriott, are facing huge fines, and hoteliers are spending more time and more money on data security than ever before. But, as world-famous hacker Kevin Mitnick put it, “Companies spend millions of dollars on firewalls, encryption, and secure access devices, and it’s money wasted; none of these measures address the weakest link in the security chain.” In other words, no matter how much time and money you spend on cybersecurity, the weakest link in the chain will always be a person (yes, you).
That’s not to say that you or any other hotelier who has been the victim of a breach was doing something wrong. What it does mean is that the number one way attackers bypass security is by targeting individuals in an organization and tricking them into divulging sensitive information or handing over their login credentials. The most common form of this, phishing, is widespread in every industry. So, how can hotels keep their guest data safe? By making sure their staff know the basics of data security and won’t be fooled by phishing scams. To help you get up to speed, here are three common types of phishing and five ways to recognize them.
- Classic Phishing: Sometimes lumped together with the “Nigerian Prince” scam, this form of phishing is the most well known and understood. The scammer casts a wide net, sending thousands of identical emails in the hope of hooking just a few victims. These scams can usually be identified by their poor spelling and awkward language, which may well be deliberate: the clumsy wording drives off skeptical readers, so that only the most credulous respond and the scammer's time is spent on them.
- Spear Phishing: Spear phishing is a much more focused version of the above scheme. Here the bad actor targets a specific person or group because of the access they have to certain information or systems (think C-level executives, heads of departments, finance staff, etc.). The scammer may spend weeks or months researching the target, learning their contacts, projects and writing style in order to send a convincing, personalized message. This requires far more work than classic phishing, but because the message is tailored to its recipient it is much harder to recognize as a scam.
- Clone Phishing: Here the scammer takes a legitimate email the target has already received (a delivery notice, a shared document, a password-reset message) and resends a near-identical copy from a lookalike address, with the real links or attachments replaced by malicious ones. The links might lead, for instance, to a “login page” that looks genuine but is, in fact, designed to steal your credentials.
Being familiar with the types of phishing schemes is important, but even more important is knowing how to spot one when it arrives. Here are five ways you can easily spot a phishing attack that comes your way.
1. Double-check the Sender’s Address
One of the most common phishing tricks is to send from an email address that is similar to, but not the same as, the address of a person or organization you trust. If you’re unsure about a particular email, look past the display name and check the actual sender address. Look for telltale errors in the domain name such as missing, extra or swapped letters (e.g., mazon.com, Gooogle.com), digits standing in for letters (e.g., g00gle.com), or a trusted name buried inside a different domain (e.g., amazon.com.example.net, which is a domain under example.net, not amazon.com).
2. Look for Poor Spelling and Grammar
Poor spelling is common in phishing emails. Always be wary of emails that contain an unusual number of spelling errors, especially if the email appears to come from someone you know and whose writing you are familiar with. If you see more mistakes than usual, it’s worth double-checking with that person that the email is legitimate.
3. Don’t Give Out Your Personal Information
Any time someone asks for personal information or login credentials over email, you should be suspicious. Legitimate companies will not ask you for such information via email. Even if a request seems to come from one, don’t reply with it. Instead, confirm the request through another, more secure channel (a phone call to a number you already have, or the company’s website typed in by hand) and transmit anything that genuinely needs sending that way.
4. Beware a Sense of Urgency
One common tactic scammers use is to infuse their emails with a false sense of urgency. These might be emails supposedly from a boss or coworker who needs this data by the end of the day! If you’ve followed the first few tips, you’re likely to notice that perhaps the sender’s address is close to, but not the same as, your coworker’s. Or maybe you saw the poor grammar. Regardless, if you’re at all unsure, reach out to the person who requested the information using a channel other than email, like a phone call to the number you already have for them. If it is urgent, they’ll pick up.
5. Look Before You Click
If you do nothing else after reading this blog post, remember this: always check every link before you click on it. Hover over it (without clicking) to reveal the real URL; on a phone, press and hold the link instead. Does it match what you were expecting? If the email claims to be from a reputable company, does the link actually lead to that company’s domain, or to a lookalike? Check the spelling of the domain as carefully as you would check the sender’s address: a misspelled domain is a classic way of trapping unwary clickers. Remember, too, that the visible text of a link can say one thing while the underlying address points somewhere else entirely.
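Tips 1 and 5 can be automated. The script below is an added example, not code from the original post: it compares the sender’s real domain against a hypothetical allow-list of domains the hotel actually corresponds with (flagging homoglyph swaps, near-misses and trusted names buried inside other domains), then parses the HTML body and flags links whose visible text points somewhere other than their real destination, links to raw IP addresses, and links to lookalike domains. The allow-list, the homoglyph table and the sample email are all constructed for the example.

```python
# Added example (not from the original post): automate tips 1 and 5.
# TRUSTED_DOMAINS, HOMOGLYPHS and the sample email below are constructed for the demo.
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ["marriott.com", "amazon.com", "google.com", "booking.com"]
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}   # common visual swaps


def normalize(s):
    """Fold look-alike characters so 'rnarriott' reads as 'marriott'."""
    s = s.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Domain of the real address, ignoring whatever display name is shown."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates; None if genuine or unrelated."""
    domain = domain.lower()
    if any(domain == g or domain.endswith("." + g) for g in trusted):
        return None                                   # exact match or subdomain: genuine
    labels = domain.replace("-", ".").split(".")
    for good in trusted:
        name = good.split(".")[0]
        if normalize(domain) == good:                 # rnarriott.com, g00gle.com
            return good
        if name in labels:                            # marriott.com.evil.net, amazon-security.com
            return good
        if edit_distance(normalize(labels[0]), name) <= 1:   # mazon.com, gooogle.com
            return good
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'example.com' is treated as http://example.com."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def analyze(from_header, html):
    """Return (kind, detail) findings for a message; an empty list means nothing odd."""
    findings = []
    dom = sender_domain(from_header)
    target = lookalike_of(dom)
    if target:
        findings.append(("lookalike-sender", f"{dom} imitates {target}"))
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        real = host_of(href)
        if real.replace(".", "").isdigit():           # raw IP address instead of a name
            findings.append(("ip-link", href))
        if "." in text and " " not in text:           # visible text looks like a URL
            shown = host_of(text)
            same_site = shown == real or shown.endswith("." + real) or real.endswith("." + shown)
            if shown and not same_site:
                findings.append(("link-mismatch", f"shows {shown} but goes to {real}"))
        target = lookalike_of(real)
        if target:
            findings.append(("lookalike-link", f"{real} imitates {target}"))
    return findings


# Constructed sample: a lookalike sender, a link to a raw IP disguised as the real site,
# and a link to a domain with the trusted name buried inside it.
SAMPLE_FROM = "Marriott Rewards <rewards@rnarriott.com>"
SAMPLE_HTML = """<p>Your account will be locked today. Verify now:
<a href="http://203.0.113.7/login">https://www.marriott.com/account</a>
or <a href="https://marriott.com.verify-login.net/">click here</a>.</p>"""

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_FROM, SAMPLE_HTML):
        print(f"{kind:17} {detail}")
```

Run against the sample it reports four findings: the sender domain imitates marriott.com, the first link goes to a raw IP while displaying a marriott.com address, and the second link's domain contains the trusted name under someone else's registration. The edit-distance threshold of 1 is deliberately tight; loosening it catches more misspellings but starts flagging unrelated short domain names, so tune it against your own allow-list.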
You can read more about hotel data security in our Basics of Hotel Data Security Guide.