Social Engineering: What Your Guests Don’t Know Could Hurt You

If you’re not familiar with WonderHowTo.com, it’s a site worth checking out. Its tagline is “fresh hacks for a changing world” and a notable “how to” post from a few years ago is titled “Use Social Engineering to Gain Unauthorized Access to a Hotel Room.” And while it contains a caveat indicating that the information within should be used only “on your own hotel room” it’s clear how others could put the information to use.

Hotel operators are well aware of the data and cybersecurity risks that face them, especially in light of some high-profile breaches. Many may not, however, be aware of the non-tech driven sources of risk referred to as “social engineering.” Social engineering is “the art of manipulating people so they give up confidential information,” according to Webroot.

It’s a type of manipulation that can be used to attain far more than a room key. One crime group, Carbanak, is known to initiate an attack through a phone call to a customer service desk after performing research to get info like the name of staff members who can be used to gain trust.

Your guests are at risk, which means you have a role to play in helping educate and inform them of the risks they face both from a cybersecurity and social engineering standpoint.

Kent State University and Hospitality Management faculty member Dr. Swathi Ravichandran says that there is “an opportunity for the hotel industry to be a leader in how they protect guest data and also how they communicate steps taken to guests.” There is a potential downside to doing so, she says — the risk of creating concern, or panic, around issues guests had previously been unaware of.

Hotels have an obligation to ensure guest safety, says Ravichandran, and they can do this on many fronts. Doing so can also protect hotels from scrutiny or reputation damage should breaches or other incidents occur.

Hackers tend to focus on point-of-sale (POS) systems, says Ravichandran, because that’s where guest credit card information is stored. Another point of risk is public hotel Wi-Fi. Helping protect guests should involve sharing a privacy policy that indicates exactly why certain information is collected and how it is used, informing guests of steps taken by the hotel to securely store personal information and warning guests about the vulnerability of data they might submit over unprotected networks.

Rebecca Herold is a data security and privacy expert. “Hotels in particular, and hospitality businesses in general, are huge targets for cyber criminals,” she says. “They go to where the money is, and travelers often have the money….” While some hotels, she says, “are taking some great steps to educate their guests,” most are not. She recommends hotels try the following:

  • Providing key information security and privacy points to their guests for data security at check-in; often on a type of info card, on cards placed in the rooms, or within the hotel room binders that contain information about the hotel services.
  • Providing in-room safes for guests to use that are large enough to store their laptops.
  • Providing Wi-Fi networks that are encrypted, and use unique IDs and complex passwords for each guest.
  • Providing tips for how to keep others from visual hacking (shoulder surfing) when guests are in lobbies, restaurants, meeting rooms, etc.
  • Keeping their own networks highly secured and updated with the latest security patches.

She adds: “I personally recommend to my hotel clients that they create an information security video to make available on their hotel channel to provide a 5–10 minute tutorial for protecting their data while in and around the hotel, and while traveling. I’ve found people really appreciate this.”

The big benefit for being proactive in educating guests about security, including social engineering, says Herold, is that “guests see that the hotel cares for them and their data.” It’s a good PR move and a great way to differentiate themselves from their competitors.


Written by Cvent Guest