When a Donegal hotel's night receptionist received a call at 11pm from someone claiming to be a guest who had left his credit card in the room, the caller asked her to read back the last four digits of the card number so he could verify it was his. She did. The card number she read was from a booking the previous weekend. The caller then used those digits to pass a security check with the bank and access the guest's account. The guest only discovered the fraud three days later when his statement arrived.
That attack did not require any technical skill. It required a phone call, a plausible story, and a staff member who had never been told that reading card details to an incoming caller — for any reason — is a security breach. Front desk staff in Donegal's hospitality sector are targeted in exactly this way every week. They answer every call because answering calls is their job. They help people because helping guests is their purpose. Criminals exploit both of those things.
Why Front Desk Staff Are Prime Targets
The front desk is the operational centre of a hotel. Staff who work there have access to guest information, payment data, booking systems, and communication systems. They are trained to be helpful, to resolve problems quickly, and to avoid inconveniencing guests. These are exactly the qualities that social engineering attacks exploit.
Vishing — voice phishing — is the telephone equivalent of a phishing email. An attacker calls with a plausible reason to request information or access, manufactures urgency or authority to suppress the instinct to verify, and extracts what they need before the target has time to think carefully. A convincing caller can be almost impossible for an untrained staff member to identify in real time, and a displayed caller ID is no help because it can be spoofed. Ireland's National Cyber Security Centre (NCSC) has documented vishing as one of the fastest-growing attack vectors against Irish businesses.[^1]
The attacks targeting Irish hospitality follow predictable patterns. Criminals call pretending to be guests and ask about room assignments or other guests' contact details; disclosing that information to someone who is not authorised to receive it is a personal data breach under GDPR. They call pretending to be IT support and ask staff to reset passwords or hand over access credentials. They call pretending to be vendors and ask to update payment details or verify contract information. They call pretending to be regulatory authorities and threaten immediate consequences if the staff member does not cooperate. An Garda Síochána's Garda National Cyber Crime Bureau (GNCCB) has documented all of these variants against Irish hospitality businesses in the past twelve months.[^2]
When did your front desk staff last receive training specifically on recognising phone-based social engineering? Book a free 20-minute strategy call — we design and deliver practical social engineering awareness training for Donegal hospitality businesses that fits within a normal shift briefing.
How These Attacks Work in Practice
Understanding the mechanics of social engineering calls helps staff recognise them in the moment. Most successful attacks share four characteristics: the caller establishes a plausible identity, creates urgency or authority, limits the staff member's ability to verify independently, and extracts information or access before suspicion is aroused.
The guest impersonation attack works because hotels routinely handle requests from guests they cannot see. A caller who knows a guest name — easily obtained from a social media post or a review — can establish enough credibility to get a front desk member talking. The IT support impersonation works because IT problems do happen and staff are trained to cooperate with technical assistance. The vendor impersonation works because finance and procurement staff are accustomed to supplier calls. In each case, the attacker is borrowing a legitimate context to make an illegitimate request seem normal.
Urgency is the most consistent feature. The script typically includes phrases designed to accelerate action and suppress caution: "I need this before my flight in thirty minutes," "our systems go down in ten minutes and this needs to happen now," "this is a regulatory audit and there will be consequences if you delay." The Data Protection Commission has noted that pressure tactics are a consistent feature of social engineering attacks that lead to GDPR data breaches in the hospitality sector.[^3]
The Training Your Staff Need
Effective social engineering training does not require multiple days of classroom work. For front desk staff, a thirty-minute briefing that covers three things produces a measurable improvement in how staff handle suspicious calls.
The first thing staff must understand is what they are never allowed to disclose over the phone, regardless of who the caller claims to be. Guest room numbers and guest contact details must never be shared with incoming callers; if a caller wants to reach another guest, they can leave a message and the hotel will pass it on. Payment card details, account numbers, or security codes must never be read back to any caller, even partially and even "for verification". System passwords and access credentials must never be provided over the phone to anyone claiming to be IT support: genuine IT support can reset a password without ever needing the current one, so a request for it is itself a warning sign. Staff who understand these absolute limits can handle a confident, authoritative caller without needing to make a judgement call about whether the person is genuine.
The second thing is the verification procedure. Any caller requesting something that falls outside normal guest service should be handled with a callback: "I'll need to verify this — let me take your name and number and have a manager call you back." A genuine caller will accept this. An attacker will increase pressure to avoid it. That pressure itself is the tell. For requests involving supplier payment details, or anyone claiming to be the hotel's IT provider, the callback must use a number from the hotel's existing records, not the number provided by the caller and not the number shown on the phone's display, since caller ID can be spoofed.
The third thing is the reporting procedure. Staff who receive a call they believe was a social engineering attempt must know who to tell, what information to record (date, time, what the caller claimed to be, what they asked for, whether anything was disclosed, and the caller ID displayed, bearing in mind it may be spoofed), and that reporting is actively encouraged rather than treated as an admission of failure. The faster management is aware of an attempted attack, the faster they can warn other staff and other properties and prevent a successful follow-up attempt.
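A reporting procedure only pays off if the reports are structured enough to be compared. The following Python script is an added illustration, not code from the original article or from Pragmatic Security: it defines the call record the paragraph above describes, checks that a report is complete before it is filed, and then correlates reports across several properties to spot the same caller ID or the same script reappearing within a fortnight. The property names, phone numbers, pretext categories and the sample reports are all constructed for the example, and the treatment of the +353 prefix as equivalent to a leading 0 is an assumption made for the demonstration.

```python
"""Structured vishing-attempt reports and a simple cross-property correlation.

Added example; not part of the original article. Field names, pretext
categories, hotel names, numbers and sample reports are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Pretext categories mirror the call types the article describes.
PRETEXTS = {"guest", "it_support", "vendor", "regulator", "other"}


@dataclass(frozen=True)
class CallReport:
    hotel: str                 # property that took the call
    received_at: datetime      # date and time of the call
    caller_id: Optional[str]   # number displayed; None if withheld. Caller ID can be spoofed.
    pretext: str               # who the caller claimed to be (one of PRETEXTS)
    requested: str             # what they asked for, e.g. "guest room number"
    disclosed: bool            # whether anything was actually given out
    reported_by: str           # staff member filing the report


def validate(report: CallReport) -> list[str]:
    """Return the problems with a report; an empty list means it is complete enough to file."""
    problems = []
    if not report.hotel.strip():
        problems.append("hotel missing")
    if report.pretext not in PRETEXTS:
        problems.append(f"unknown pretext {report.pretext!r}")
    if not report.requested.strip():
        problems.append("requested item missing")
    if not report.reported_by.strip():
        problems.append("reporting staff member missing")
    return problems


def normalise_number(number: Optional[str]) -> Optional[str]:
    """Reduce a displayed number to digits so '+353 87 ...' and '087 ...' compare equal.
    Treating the +353 prefix as a leading 0 is an assumption for this example."""
    if number is None:
        return None
    digits = "".join(ch for ch in number if ch.isdigit())
    if digits.startswith("353"):
        digits = "0" + digits[3:]
    return digits or None


def correlate(reports: list[CallReport], window: timedelta = timedelta(days=14)) -> list[str]:
    """Flag (a) one caller ID behind two or more reports and (b) the same pretext and
    request hitting two or more properties within `window`. Returns readable alerts."""
    alerts = []

    by_number: dict[str, list[CallReport]] = defaultdict(list)
    for r in reports:
        n = normalise_number(r.caller_id)
        if n:
            by_number[n].append(r)
    for n, hits in by_number.items():
        if len(hits) >= 2:
            hotels = sorted({h.hotel for h in hits})
            alerts.append(f"caller {n} behind {len(hits)} reports at {', '.join(hotels)}")

    by_script: dict[tuple, list[CallReport]] = defaultdict(list)
    for r in reports:
        by_script[(r.pretext, r.requested.lower().strip())].append(r)
    for (pretext, requested), hits in by_script.items():
        hits.sort(key=lambda h: h.received_at)
        for i, first in enumerate(hits):
            cluster = [h for h in hits[i:] if h.received_at - first.received_at <= window]
            hotels = sorted({h.hotel for h in cluster})
            if len(hotels) >= 2:
                alerts.append(f"same script ({pretext}: {requested}) at "
                              f"{', '.join(hotels)} within {window.days} days")
                break  # one alert per script is enough
    return alerts


# Constructed sample reports from three fictional properties; not real incidents.
SAMPLE_REPORTS = [
    CallReport("Harbour Hotel", datetime(2024, 3, 4, 23, 10), "+353 87 111 2222", "guest",
               "last four digits of card on booking", disclosed=True, reported_by="night reception"),
    CallReport("Harbour Hotel", datetime(2024, 3, 6, 9, 30), None, "it_support",
               "booking system password", disclosed=False, reported_by="reception"),
    CallReport("Glen Lodge", datetime(2024, 3, 9, 14, 5), "087 111 2222", "guest",
               "last four digits of card on booking", disclosed=False, reported_by="reception"),
    CallReport("Strand House", datetime(2024, 3, 11, 16, 40), "01 234 5678", "vendor",
               "update supplier bank details", disclosed=False, reported_by="accounts"),
]

if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        assert not validate(report), validate(report)
    for alert in correlate(SAMPLE_REPORTS):
        print(alert)
```

Run on the sample data, the script reports the same number behind the Harbour Hotel and Glen Lodge calls and the same "last four digits" script at both properties within five days, which is exactly the pattern a manager would want to warn neighbouring hotels about and include in a Garda report. The number match is only a hint, not proof, because caller ID is spoofable; the script match does not depend on the number at all, which is why both checks are kept.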
Building a Protective Culture
Training is necessary but not sufficient. The hotel's management must consistently model the security behaviours they expect from front desk staff. If managers routinely bypass verification procedures because they are in a hurry, staff will learn that the procedures are optional. If managers create pressure to resolve guest requests at speed above all else, staff will learn that speed matters more than security.
Create specific written procedures for the most common scenarios and post them where front desk staff can refer to them during calls. The procedure for handling a request for another guest's contact details, the procedure for a caller claiming to be from IT support, and the procedure for a payment-related request from a supplier — each should be a single clear sentence stating what to do.
What Next: Three Actions for Donegal Hospitality Businesses
First, run a thirty-minute social engineering briefing with your front desk team this week. Cover the three things staff are never allowed to disclose over the phone, the callback procedure for unusual requests, and the reporting procedure for suspected attacks. This one briefing will immediately reduce your exposure to the most common attacks.
Second, create a laminated reference card for the front desk stating the absolute limits — what cannot be shared by phone under any circumstances — and the callback number for managers. Staff in fast-moving environments need a reference they can consult in real time, not guidance they have to recall under pressure.
Third, report any suspected vishing attempts to An Garda Síochána and retain your own records. If a caller attempted to extract guest data or payment information under false pretences, that is a criminal offence whether or not they succeeded. Filing a crime report creates a record that helps the Garda National Cyber Crime Bureau (GNCCB) identify patterns across multiple Irish hospitality businesses being targeted by the same criminal.
[^1]: NCSC Ireland — Advice for Organisations
[^2]: An Garda Síochána — Cybercrime
[^3]: Data Protection Commission Ireland
Related Reading
- Seasonal Staff Cybersecurity: Training and Access Control for Donegal Tourism
- Your Booking System Is Your Biggest Attack Surface
- Cyber Insurance for Donegal Hospitality
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.