top of page

Don't be hospitable to cyber criminals: call time on cyber crime

As we're sure you're aware, pubs, bars, clubs, restaurants and hotels re-opened their doors again on Monday (May 17), but not everyone is welcome. If you own a business in the hospitality sector, now's the time to be cyber resilient.

This week (w/c May 17) saw customers return to pubs, clubs, restaurants and hotels as the hospitality sector finally got to open its doors and welcome people inside in a huge boost in what has been a miserable 14 months.

Whilst April 12 was the official day on which pubs and bars could begin serving outdoors, that proved problematic for those without the space outside, and the weather drowned out any real takings for those that did venture outdoors.

But on Monday (May 17), stage three of Boris Johnson’s roadmap out of lockdown began, and it was the day many a publican, restaurateur, hotelier and club owner would have been waiting for since it was announced back in February.

Of course, we’re not back to normality yet, and there are still rules that punters and business owners and staff alike must abide by. But at least the takings will be up for the first time since some businesses opened last summer, prior to the regional tier systems being introduced.

But while many business owners in the hospitality sector can finally smile - albeit beneath their masks - there should be a cautionary tale, and it’s up to us to tell it.

Scammers, fraudsters and cyber criminals will know that money is once again going to be exchanging hands, most of it digitally, and bank balances of pubs, clubs, hotels and restaurants will be swelled once again. And where there’s money, there should be caution, because the last thing any business owner wants is to be hit by cyber criminals, especially when it’s absolutely imperative to generate enough money in order for the business model to be sustainable.

But it’s not just about the business, it’s about the customer and their cyber security, too.

So let’s look at the threats…


If hackers find a way into a business’s systems, they can paralyze it, and demand a princely sum to unlock it. Choosing to pay the ransom may or may not release the system from the hacker’s grasp (although usually they do let go, but may return knowing that a business is vulnerable or susceptible to part with funds) but that’s a huge slice of cash drained - cash which has been absent for so long throughout this pandemic.

Another option is to fix it, and rebuild the system with stronger safety measures built in. But this can take time, and it’s hard for a business to operate during this period meaning there's the potential of a temporary closure. Not what a business in hospitality needs after just getting back on its feet.

There’s more on ransomware and how to protect against it on our website: What are ransomware attacks and how can you stop them? (

Point of Sale (POS)

With cash increasingly becoming a last resort for customers when it comes to purchases, pubs, clubs, restaurants and hotels rely heavily on point-of-sale (POS) terminals for their transactions. Weak remote access security is the main risk here, but it was discovered recently that human intervention could prevent compromises simply by setting secure passwords, and not just settling for ‘Password01’ (still the most commonly-used password even now), easy-to-remember passwords or - worse - leaving the device configured with the default password.

This can give hackers easy access into the system to plant malware.


Many businesses will have an on-site record of payroll details for their employees, banking information, vendor information etc. To protect all of this, secure measures need to be firmly in place. If, for example, an employee’s details are accessible to hackers, they can find ways to fraudulently use those details in an attempt to access their money. Elsewhere, vendor data may be used to create forged invoices.

Consumer risk

Last July, when the hospitality sector re-opened amidst Rishi Sunak’s Eat Out to Help Out scheme, it was recorded that consumers faced a potential explosion in cyber criminality, largely in part due to customers being asked to submit their contact details on arrival at pubs and restaurants (which may include emails) for tracing purposes. Businesses should perform due diligence when it comes to storing this information, ensuring it’s safe and secure and that it cannot be used fraudulently.

But not every risk comes from your favourite watering hole, eatery or place to stay. Phishing emails, fake websites or fictitious social media accounts can lure eager-to-return customers into a false network where cyber criminals lurk.

Customers awaiting opening times from pubs, bars and clubs, discount codes for restaurants and special offer promos from hotels may not spot that the email or digital communication is fake, hence opening the door to fraudulent activity.

Indeed, just recently, a pub in Derbyshire was forced to post on their official Facebook page about a bogus Facebook page masquerading as them. This fake page was enticing customers to book on a range of events happening at the pub. These events were actually happening, but any bookings for them via this fake page would have gone to the fraudsters and not the pub. The bogus page, to the unassuming eye, looked genuine, and was fooling enough people that the pub had to take action.

Phishing emails can also look genuine, and are therefore deceptive and dangerous, as they may ask for payments or encourage the recipient to visit a fake website. However, there is often a tell-tale sign that it’s fake. Maybe the offer they are so desperate to award you with looks too good to be true, in which case, it probably is. Look at the URL, or link. Does this look right? There could be a misspelling, albeit very slight. Hovering over a link will show the real URL. If it doesn’t match what you were expecting, don’t click it. Meanwhile the type face or font could also be slightly different from the official brand’s.

There's more on phishing here: All topics - NCSC.GOV.UK

If you run a business in the hospitality sector and are concerned about cyber criminality, or want to be kept up-to-date with emerging threats, we can help with the above threats and more. Registration to our core membership is absolutely free. For all membership options visit: Membership | The Cyber Resilience Centre for the East Midlands (



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).


The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page