If you run a restaurant or a hotel, you already know this in your gut: your front-of-house team is the busiest, most distracted, most interrupted group of people in the building. They are also, statistically, the group most likely to click on a phishing email. Across the engagements we run at CloudMatters, hospitality front-of-house staff click on simulated phishing messages at roughly two to three times the rate we see in professional services. That is not a comment on the people. It is a comment on the conditions they work in.
I want to be very clear at the outset, because this is where most security conversations in our industry go wrong. The answer is not to blame the staff. It is not to send them a stern email after every incident, or to humiliate the person who clicked. The answer is to understand why the click happened, and then to build an environment where a click does not turn into a breach.
Why front-of-house is uniquely exposed
Think for a moment about what a reservations manager or a duty manager actually does on a typical Friday lunchtime. They are answering the phone. They are checking a booking system. They are taking a delivery from a wine merchant. They are dealing with a guest complaint. They are forwarding an email from head office to a supplier. They are doing all of this on a shared terminal that three other people will use during the same shift.
Now layer on the conditions specific to hospitality. Turnover in front-of-house roles often runs at thirty to fifty per cent annually, which means a meaningful portion of your team has been with you for less than six months. Onboarding is, in most operations I see, a half-day affair focused on the menu, the booking system and the till - security awareness training, if it happens at all, is a single slide. Devices are shared between staff and shifts. Personal email is checked from the same browser as the supplier portal. And crucially, the inbox is full of legitimate messages from suppliers, agencies, delivery platforms and booking systems that all look broadly the same.
That last point is the real issue. In a finance or legal environment, an unexpected email from a delivery rider platform is suspicious by default. In a restaurant, it is Tuesday. The signal-to-noise ratio that most security training assumes simply does not exist on your floor.
If you want a deeper look at how we think about the operating environment for hospitality teams, our hospitality IT support page describes the model we run for restaurants and hotels.
The attacks that work best against us
Over the last two years I have seen the same handful of phishing patterns succeed against hospitality operators again and again. They are worth knowing by name.
Supplier invoice change. The attacker compromises a real supplier, or spoofs one convincingly, and emails your accounts function asking to update bank details for the next payment run. The first you know about it is when the genuine supplier rings to ask where their money is. By then it is gone.
Reservation system credential phishing. A message arrives claiming to be from OpenTable, SevenRooms or a similar platform, asking the duty manager to re-authenticate because of “unusual activity”. The page looks perfect. The credentials end up in the hands of someone who can now read every guest record you hold, change confirmation emails to insert malicious links, and pivot from there.
HMRC and Right to Work phishing during recruitment spikes. Hospitality hires in waves. When you are onboarding fifteen new starters before a Christmas season, an email purporting to be from HMRC about PAYE references, or from the Home Office about Right to Work checks, lands in exactly the right inbox at exactly the right time to be opened without much thought.
Delivery platform scams. Fake messages from Deliveroo, Uber Eats and Just Eat about disputed orders, account suspensions or new tablet activations are now routine. The targets here are typically the kitchen pass and the duty manager - both of whom genuinely depend on those platforms to do their job.
The common thread is that none of these attacks require the recipient to be careless. They require the recipient to be busy, and to be working in an environment where messages of this kind are normal.
Why “just train them harder” does not work
Every operator I speak to has tried some version of training their way out of this problem. They run an annual e-learning module. They put up posters. They send a memo. And then, six months later, the click rate is back where it started.
This is not a failure of will. It is a failure of approach. Security awareness decays - the academic literature is consistent that whatever you teach a user about phishing is largely gone within ninety days unless you reinforce it. Hospitality teams turn over fast enough that a meaningful fraction of the people you trained are no longer with you within the year. And the cognitive load of a busy service is not compatible with the careful, deliberate inspection of email headers that most training implicitly demands.
The honest conclusion is that the first line of defence cannot be human. It has to be technical. Training matters, but it is the third or fourth layer, not the first.
The layered defence that actually works
A properly defended hospitality environment makes the click a non-event. Here is what that looks like in practice.
At the email gateway, you need DMARC, SPF and DKIM properly configured on your own domains so that attackers cannot spoof you to your own staff or to your suppliers. You need attachment scanning that detonates suspicious files in a sandbox before they reach the inbox. You need safe-link rewriting so that any URL the user clicks is checked at the moment of the click, not just when the message arrived.
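To make the "cannot spoof you" point concrete, here is an added example (not CloudMatters' code) of how a receiving gateway applies a sender's DMARC record to one inbound message; the domains, records and the two-label organisational-domain shortcut are constructed assumptions.

```python
# Added example, not CloudMatters' code: how a receiving gateway applies a
# sender's DMARC record to one inbound message. Domains and records are constructed.

def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels.
    Assumption: real receivers use the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', or the sender's requested policy (none/quarantine/reject)
    when neither SPF nor DKIM passes with a domain aligned to the From: header."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"  # no valid record published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

# Constructed records: the weak setting a monitoring-only rollout leaves behind, and the corrected one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@bistro.example"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@bistro.example"

def spoof_outcome(record: str) -> str:
    """An outside server sends From: accounts@bistro.example via its own domain:
    SPF passes for attacker.example but is not aligned, and there is no DKIM signature."""
    return dmarc_disposition(record, "bistro.example", "pass", "attacker.example", "none", "")

def genuine_outcome(record: str) -> str:
    """The restaurant's own relay: SPF passes for a subdomain (relaxed alignment suffices),
    DKIM passes with d= exactly the From domain (strict alignment satisfied)."""
    return dmarc_disposition(record, "bistro.example", "pass", "mail.bistro.example", "pass", "bistro.example")
```

With `p=none` the spoofed invoice email is still delivered to your accounts inbox; only the `p=reject` record turns the same message into a non-event.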
On the device, you need endpoint detection and response - the kind of thing a SOC actually watches - that can stop credential theft tools and remote access malware regardless of whether the user clicked something they shouldn’t have. You need the device itself to be managed, patched and capable of being wiped remotely.
On identity, multi-factor authentication has to be on everything - not just email, but the booking system, the payroll system, the supplier portals and any cloud back office. Conditional access policies should restrict logins to expected countries, devices and times of day, so that even a login using a stolen password and one-time code from a residential UK IP at three in the morning still gets blocked. The cyber security work we do for hospitality operators is built around exactly this layering.
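As an added illustration of that identity layer (example code, not CloudMatters' or any vendor's product), here is a simplified model of the conditional access checks described above; the policy values, the `SignIn` fields and the two sessions are constructed assumptions.

```python
# Added example, not CloudMatters' code: a simplified model of the conditional
# access checks the text describes (country, device, time of day, MFA). Real
# products evaluate many more signals; the policy values here are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    user: str
    country: str          # ISO country code geolocated from the source IP
    device_managed: bool  # enrolled in the operator's device management
    local_hour: int       # hour of day, 0-23, in the site's local time
    password_ok: bool
    mfa_ok: bool

# Constructed policy for a UK restaurant group: staff sign in from managed devices,
# from the UK, between 07:00 and 00:59 (the last service finishes after midnight).
POLICY = {
    "countries": {"GB"},
    "require_managed_device": True,
    "hours": set(range(7, 24)) | {0},
}

def evaluate(signin: SignIn, policy: dict = POLICY):
    """Return ('allow', []) or ('block', [failed checks]). Credentials are
    necessary but never sufficient: every policy condition must also hold."""
    failed = []
    if not (signin.password_ok and signin.mfa_ok):
        failed.append("credentials")
    if signin.country not in policy["countries"]:
        failed.append("country")
    if policy["require_managed_device"] and not signin.device_managed:
        failed.append("device")
    if signin.local_hour not in policy["hours"]:
        failed.append("hours")
    return ("block" if failed else "allow"), failed

# The scenario from the text: a stolen password plus a phished one-time code,
# used from a residential UK IP at three in the morning on an unmanaged laptop.
STOLEN_SESSION = SignIn("duty.manager", "GB", device_managed=False, local_hour=3,
                        password_ok=True, mfa_ok=True)
# The same manager during Friday service on the managed front-desk terminal.
NORMAL_SESSION = SignIn("duty.manager", "GB", device_managed=True, local_hour=19,
                        password_ok=True, mfa_ok=True)
```

The stolen session passes both credential checks and still fails on device and hours, which is the whole point of the layer.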
On the network, your guest Wi-Fi must be properly segregated from your operational network, and your back-of-house systems must be on a managed and monitored network rather than whatever the building came with. Our managed network service is what most of our restaurant clients use to get this right.
Then, and only then, comes the human layer. Monthly simulated phishing - short, realistic, role-relevant. Our cyber awareness training delivers micro-training of two or three minutes in the flow of work when a user clicks something they shouldn’t have, rather than annual hour-long modules nobody remembers.
What this looks like from the inside
Here is a worked example of how a well-defended environment handles the same attack that breaches everyone else.
It is Friday evening. A reservations supervisor is dealing with a walk-in dispute and forty covers turning over. An email arrives that appears to be from OpenTable, asking her to re-authenticate. She glances at it, sees the logo, and clicks the link.
The link is rewritten by the gateway. At the moment of the click, the destination is checked against threat intelligence and recognised as a known credential-harvesting page. The browser is redirected to a warning page that tells her, in one sentence, that the link was unsafe and has been blocked. A short note appears explaining what to look out for next time.
Nothing else happens. She closes the tab, deals with the walk-in, and finishes service. The IT team gets an alert and confirms the next morning that her credentials were never entered anywhere. No bank details were changed. No guest data was exposed. The day continues.
That is the goal. Not zero clicks - that is impossible - but a click that does not matter.
Why hospitality security training has to be different
If you take nothing else from this piece, take this: the security awareness training that works in a law firm or an accountancy practice will not work in your restaurant. The shifts are different. The attention budgets are different. The turnover is different. The kinds of email that look legitimate are different.
Effective hospitality training is short - three to five minutes, not an hour. It is frequent - monthly, not annual. It is role-relevant - a kitchen porter does not need to learn about wire transfer fraud, and a reservations manager does not need a module on KYC. And it is anchored in real examples drawn from your own inbox, not a generic e-learning library.
Where CloudMatters fits
We design and run phishing-resistant environments for restaurants, hotels and hospitality groups. That means the gateway, the endpoints, the identity layer, the network and the human layer all working together as one system, with the same team accountable for all of it. It means the duty manager who clicks something on a Friday night does not become the reason your group is on the news on Monday morning.
If your current setup relies on hoping that nobody ever clicks the wrong link, you are one busy service away from a problem you do not want to have. We would be glad to talk through how a layered model would look for your sites - start at our cyber security page, or get in touch directly.