Safeguarding Productivity

Extra Oomph for Spear Phishing

Trustwave, a cybersecurity and managed security services provider, published a short case study in June on blocking email threats in the hotel sector. The overview said the case study was from a New Zealand-based firm (always of high interest), but it was one of the comments inside the case study that really captured my attention:

One common attack vector used to target the hospitality industry, according to the 2018 Trustwave Global Security Report, was telephone-initiated spear phishing. The caller would complain about being unable to make a reservation on the victim’s website and ask to email his details to the staff member. The attacker then emailed a message with a malicious file attached, waited until the victim confirmed they opened the attachment and then hung up the phone.

Ouch. That’s spear phishing with a lot of extra oomph and social engineering nastiness. Instead of merely relying on direct profiling of the target and a hook in an email message (that they hope will get through), the attacker takes the extra step of creating a compelling but fictional story as to why the message and its attachment must be opened immediately, thereby increasing the effectiveness of the scam.

Two thoughts:
[1] awareness of what others are experiencing can help your staff avoid a similar attack, and
[2] you had better be doing something technically to prevent forced attacks from gaining a foothold in your environment. Trustwave, among others, has capabilities on offer in this area.