With the summer holidays in full swing, it is an apt time to consider the risks of phishing to leisure and travel companies. The travel and tourism sector ranks highly in terms of cyber-attack risk, and the implications of a successful attack can be devastating to both the company and its service users. It is essential that travel companies of every size are actively considering their cybersecurity and putting measures in place to mitigate against any threats.

Additionally, it is important for people to be aware of what a travel phishing scam might look like. Booking holidays, excursions and experiences can involve handing over large amounts of money, as well as sensitive personal data such as financial details or passport information. For a cyber-criminal, these assets are valuable, and with summer being a particularly busy time of year for this industry, it is especially key for companies to be very vigilant about their cyber security.

What is phishing and what does it look like?

At its most basic level, phishing is a request, often via email or phone, which is trying to trick the recipient into visiting a malicious website or downloading an attachment that has malware installed. The purpose of this is to get you to reveal sensitive information, such as log in credentials, or to fraudulently transfer money to criminals under false pretences. Phishing attempts can be very sophisticated and believable; therefore, it is important to know some of the key features.

Common features of a phishing attempt include:

• Unfamiliar tone

• Spelling or grammar mistakes

• A sense of urgency

• Unusual request

• Praying on curiosity

• Different email address to normal

These are just some indicators that a communication may be a phish. It is always safer to air on the side of caution, and to avoid clicking any links or attachments that have come by email. If you are unsure, you can always exit the email and contact the person or organisation directly that the email claims to come from. You can report any phishing emails you receive to report@phishing.gov.uk.

What can companies do about this?

Travel companies themselves are not responsible for what their customers do when they receive a phishing email. However, they can be very clear to their customers about what they will and will not ask for over email. For example, clarifying that they will never ask for any sort of payment via email, nor would they ask for personal details. Additionally, they can discourage their customers from clicking on any links or attachments that they receive via email and remind them to be aware of phishing. This is mutually beneficial, as a phishing scam that operates fraudulently under the guise of a company’s name will do reputational damage to the company if it is successful.

In terms of preventing attacks in the first place, it is important that travel and tourism companies instil good cyber hygiene amongst everybody in the organisation. These companies are targeted by cybercriminals to try and access money and sensitive information, and if successful, they will either steal these directly from the company, or use the information gained to craft further phishing attacks on customers. This means having robust policies about passwords and MFA, and clear rules about what employees can and cannot do online.

Phishing relies on social engineering, meaning it can be difficult to prevent as it often relies on people disengaging and reporting it. One solution is to invest in Security Awareness Training (SAT) for the company. Security Awareness Training is offered by the ECRC as an affordable way to start an open dialogue amongst your staff about all things cyber-crime. This is delivered by students working as part of CyberPATH programme. Through CyberPATH, students are trained and monitored by senior ethical hackers to provide a selection of cyber services to businesses, which supports the future cyber talent pipeline and keeps the cost to a minimum.

Training can be issued across either a full or half day and is tailored to the needs of its specific audience. It is designed to be contextually relevant and accessible for all abilities. This could include talking about the most common cyber-crimes committed against leisure and travel companies, as well as common features of phishing emails and suspicious requests. Thorough training allows the company to increase cyber resilience as a collective and can transform staff from being a vulnerable access point into an effective line of defence against an attack. SAT also educates people on the best practices of staying safe, such as secure passwords and MFA, and teaches them why the way they conduct themselves online matters to keep them safe.

Additionally, ensuring that there is an open dialogue about cybersecurity throughout the organisation means that people will feel more supported to report and question anything that they deem suspicious. Police Cyber Protect officers can also deliver SAT free of charge and offer engaging activities such as an online Cyber Escape Room.

How else can the ECRC support?

Joining the ECRC as a free member ensures that your organisation is supported in making the small changes that make the biggest difference. Becoming a free member means you will receive regular communications via email, which will drip feed you ways in which you can improve your cyber resilience without costing any money.

The ECRC also offers other affordable services as well as SAT that can help you identify any vulnerabilities in your networks. These can be found on our website and are a great place to start in terms of assessing your current cybersecurity situation.

The ECRC website also contains several links to helpful National Cyber Security Centre (NCSC) resources, which are all free, up-to-date, and easy to use. Tools such as Exercise in a Box and the NCSC Cyber Action Plan are particularly useful in terms of identifying areas where you could improve your cybersecurity. They also have many informative guides that are sector specific, which will give you useful and detailed information.

If you would like more information about how the ECRC can help your organisation specifically, please book a chat with us today!

Reporting a live cyber-attack 24/7:

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.

Reporting a cyber-attack which is not ongoing:

Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)