
For restaurants and hotels focused on customer experience, cybersecurity can feel like an invisible, back-office issue. However, the consequences of overlooking cyber risk are very real and expensive. Criminals are increasingly targeting hospitality businesses with sophisticated scams, often using familiar tactics with a twist. Cybercriminals are betting you’ll make a mistake when you’re distracted by serving guests, scheduling staff, and all the other activities involved in operating your business.
Attacks Happen Daily
The following real-world incidents show how fast things can spiral and what you need to know about protecting your business.
$450,000 gone in a flash
A restaurateur preparing to open a new location was deep into a multimillion-dollar build-out. Just days before a significant equipment delivery, their CFO received an urgent email, apparently from the vendor, claiming a payment issue that needed immediate attention. Eager to keep the project on schedule, the CFO wired $450,000 to the account provided in the message. But the email was a fake, and the money was gone.
Behind the scenes, hackers had infiltrated the equipment supplier's email system and were manipulating invoices from inside it, which means the message did not have to come from a lookalike address; the only thing that had changed was the bank account. This wasn't their first attempt, and the scheme came to light only after multiple victims. Luckily, the restaurant recovered nearly all the money thanks to swift reporting to the insurer and law enforcement. Still, the incident underscores how effective these schemes are when urgency clouds judgment.
Don’t count on your vendors to keep you safe
Many believe cybersecurity isn't their concern if they're using third-party platforms like OpenTable or Toast. That's a dangerous misconception. Under U.S. state data-breach laws, the business that owns the customer information — not the vendor that processes it — generally carries the obligation to notify affected customers and regulators.
In one case, a hacker compromised a vendor’s system, triggering notification obligations and costs for the restaurant itself. Worse still, many standard IT contracts don’t include any breach response services. That leaves businesses on the hook for the investigation, customer outreach, and subsequent crisis communications.
AI risks
Artificial intelligence has emboldened bad actors in new ways; even amateurs now use AI tools to run cybercrime. A hospitality business recently fell victim to an AI-driven impersonation of its CEO, complete with a cloned voice.
POS tampering
As handheld point-of-sale (POS) devices become the norm, especially in full-service restaurants, a new threat has emerged: device tampering. When servers leave terminals unattended at a table, criminals can have enough time to attach a skimming device, insert malware into the reader, or swap the terminal for a tampered lookalike.
This is more than a one-off nuisance. It’s a data breach risk that could result in weeks of cleanup, reputation damage, and potential lawsuits.
Charging phones at work? Think twice
Even something as simple as plugging a personal phone into a company computer to charge can lead to a cyber compromise: to the computer, the phone is a USB device that can present itself as storage or a keyboard, not just a battery. Business owners often overlook these small habits, but the right employee training and company policies can help prevent a breach.
Interconnected Systemic Risk
Cyber threats are no longer isolated incidents. Increasingly, they represent systemic risk, rippling through entire vendor ecosystems. Compromise of a single vendor can cascade into multiple breaches. One business suffered a breach after attackers got in through a phone system that wasn't up to date with security patches.
Even hotel HVAC systems and guest key platforms have become targets. Bad actors can exploit anything that connects to your network.
These are not theoretical risks; they’re happening now. Unfortunately, the hospitality industry lags in cybersecurity compared to other sectors.
Cyber Insurance as a Safety Net
A comprehensive cyber policy goes well beyond paying claims. It often includes:
- Breach investigation and forensic response
- Customer notification services
- Credit monitoring for affected individuals
- Crisis communications and PR support
- Business interruption compensation
But coverage isn't automatic. Insurers may decline to offer coverage or charge significantly more if your business is missing basic protections like multi-factor authentication or employee training. Even if you have cyber coverage, look carefully at your policy provisions. There may be "sublimits" for wire fraud or ransomware extortion, leaving you with a coverage gap. Talk with your insurance broker if you have concerns.
Your business continuity planning needs to assume a cyber breach. What is the first step you would take if a cyber incident occurs?
Cyber Safety Tips: What You Can Do Right Now
Whether you’re a boutique hotel or a multi-location restaurant chain, here are some foundational steps to reduce your cyber risk:
- Slow down and verify: Never act on payment instructions received via email or phone without confirming through a trusted communication method, such as a callback to a phone number you already have on file (never a number supplied in the message itself). Any message that pushes urgency ("pay now or lose your order") is a red flag, and so is any change to a vendor's bank account details.
- Implement strong financial controls: Set limits on wire/ACH transfer amounts. Require dual approval for large transactions, and make sure the second approver is a different person who looks at the bank details, not just the amount.
- Review vendor contracts closely: Don't assume your IT or platform vendor handles breach response. Ensure your contracts spell out security obligations, how quickly the vendor must notify you of an incident on their side, and hold-harmless or indemnification clauses.
- Secure your POS devices: Never leave mobile payment terminals unattended. Keep an inventory of terminals by serial number, and regularly inspect them for tampering, unfamiliar attachments, or broken tamper-evident seals; PCI DSS expects merchants to perform this kind of periodic device inspection.
- Regularly train your team: Teach staff how to spot phishing emails and suspicious links. Tailor training to roles (e.g., POS safety for servers or additional email cautions for office staff). Consider simulated phishing tests and refresher courses.
- Create strict device charging policies: Ban charging personal phones from the USB ports of work computers; a phone plugged into a PC is a data connection, not just a power draw. Offer alternatives such as wall chargers, dedicated employee charging stations, or charge-only (data-blocking) cables.
- Implement restrictions: Define what activities employees can and cannot do on your work equipment and network. For example, a compromised personal phone joined to the same Wi-Fi as your POS terminals or back-office systems gives an attacker a foothold on that network. Keep guest and employee personal devices on a separate network from POS and business systems.
- Keep systems up to date: Apply software and firmware updates promptly. Replace outdated systems that no longer receive patches.
- Use multi-factor authentication (MFA): Insurers now commonly treat MFA as a baseline requirement for cyber coverage. Apply it across all business logins, not just financial systems, and prioritize email, remote access, and administrator accounts, since a compromised mailbox is the usual starting point for invoice fraud.
- Know your notification obligations: If a breach occurs, state laws require notifying affected individuals within a specific timeframe, and many also require notifying the state attorney general or other regulators once the number of affected residents crosses a threshold. This legal burden falls on you, not your vendor.
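The first two tips above (verify changed payment instructions out of band, and require dual approval above a limit) can be enforced in accounts-payable software rather than left to memory. The following is an added example, not code from the article or from any vendor mentioned in it: it screens an incoming payment request against a vendor master record and replays the $450,000 scenario. Note that because the supplier's real mailbox was compromised in that case, the sender-domain and Reply-To checks pass; it is the changed bank account that trips the hold. The vendor name, domain, bank details, callback number, threshold and message text are constructed sample data.

```python
"""Payment-instruction screening for accounts payable (illustrative example)."""
from dataclasses import dataclass, field

# Constructed vendor master: bank details and callback number recorded when the
# vendor was onboarded. The callback number is never taken from an email.
VENDOR_MASTER = {
    "acme-kitchen-supply.example": {
        "name": "Acme Kitchen Supply",
        "routing": "021000021",
        "account": "123456789",
        "callback_phone": "+1-555-0100",
    },
}

DUAL_APPROVAL_THRESHOLD = 25_000.00          # assumed policy limit
URGENCY_WORDS = ("immediately", "urgent", "today", "before delivery", "or lose")


@dataclass
class PaymentRequest:
    vendor_domain: str      # domain of the From: address
    reply_to_domain: str    # domain of the Reply-To: address (a common BEC tell)
    amount: float
    routing: str
    account: str
    body: str
    approvers: tuple = ()   # distinct user IDs who have signed off so far


@dataclass
class Decision:
    release: bool
    reasons: list = field(default_factory=list)
    required_action: str = ""


def screen_payment(req: PaymentRequest) -> Decision:
    """Return a Decision; the payment is released only when no control trips."""
    reasons, actions = [], []

    master = VENDOR_MASTER.get(req.vendor_domain)
    if master is None:
        # Lookalike domains land here: they are simply not a known vendor.
        return Decision(False, ["sender domain not in vendor master"],
                        "onboard the vendor through AP before paying")

    # Message-level signals. A genuine mailbox compromise passes both.
    if req.reply_to_domain != req.vendor_domain:
        reasons.append(f"Reply-To domain {req.reply_to_domain!r} differs from sender")
        actions.append(f"confirm the request by calling {master['callback_phone']}")
    if any(w in req.body.lower() for w in URGENCY_WORDS):
        reasons.append("message pressures for immediate payment")  # advisory only

    # The control that catches vendor-email compromise: any change to bank
    # details is held until confirmed by callback to the number on file.
    if (req.routing, req.account) != (master["routing"], master["account"]):
        reasons.append("bank details differ from vendor master")
        actions.append(f"call {master['name']} at {master['callback_phone']} "
                       "to confirm the new account")

    # Dual approval for large transfers, counting distinct approvers only.
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        reasons.append(f"amount {req.amount:,.2f} exceeds dual-approval threshold")
        actions.append("obtain a second, different approver")

    return Decision(release=not actions, reasons=reasons,
                    required_action="; ".join(actions))


def build_compromised_request() -> PaymentRequest:
    """Constructed replay of the article's $450,000 case: real vendor mailbox,
    same Reply-To, urgent wording, but a different bank account."""
    return PaymentRequest(
        vendor_domain="acme-kitchen-supply.example",
        reply_to_domain="acme-kitchen-supply.example",
        amount=450_000.00,
        routing="021000021",
        account="987654321",
        body=("Our bank flagged a payment issue. Please wire immediately to the "
              "account below so the delivery stays on schedule."),
        approvers=("cfo",),
    )


if __name__ == "__main__":
    decision = screen_payment(build_compromised_request())
    print("release:", decision.release)
    for r in decision.reasons:
        print(" -", r)
    print("action:", decision.required_action)
```

Run as a script, the replayed case is held with two required actions (callback on the changed account and a second approver) even though nothing about the sender looked wrong. A routine invoice that matches the master record and sits under the threshold releases with no reasons; a large invoice with the same approver listed twice still waits for a genuinely different second person.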
Don’t Get Blindsided
Cyber risk in hospitality is invisible until it isn’t. Between phishing emails, compromised vendors, and AI-powered scams, bad actors are finding creative ways to breach businesses that aren’t prepared. Don’t wait for a wake-up call. Take action now. Audit your systems, train your team, and review your insurance coverage. The best defense starts from within.
ABOUT THE AUTHOR
Rob Hoover of Risk Strategies is a national expert on restaurant and hotel risk management. At 15, Rob started as a potato peeler in a small, family-owned diner. Today, he’s an industry insider with deep knowledge of day-to-day hospitality challenges. For the past 20 years, he’s helped hospitality businesses as a risk management and insurance advisor.