Experts share the cybersecurity threats to watch for and advice to stay protected.
We look forward to summer’s warm weather, travel plans, and maybe some added relaxation. Cybercriminals look forward to summer’s new opportunities for scams and targeted attacks.
Seasonal threats aren’t new; for example, the holiday season typically brings phishing attacks in the form of fake package deliveries and fraudulent gift cards. Similarly, summertime, which drives an increase in flights and hotel stays, should put people on high alert for a wave of related scams.
Travelers taking time away from work and home are often too busy planning their vacations to protect their devices and data, but there’s no downtime for cyberattackers. Hackers are getting more advanced in their techniques to capture information, and they’re taking a closer look at the travel industry, targeting hotel chains and airlines with data breaches to capture loyalty program numbers, payment card data, and other personally identifiable information (PII).
But travel scams aren’t the only security threats to worry about this summer. Here, security experts weigh in on threats that should be top-of-mind for consumers and employees alike.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.
Travel Security: Confidence Is Higher Than Deserved
In research released late last month, IBM discovered a disconnect between survey respondents’ confidence in their security practices and their actual security habits while on the road. One-quarter say they are “very” or “extremely” confident in their abilities to protect themselves from cybercrime while traveling; 37% say they’re “somewhat” confident. Only 16% and 9% say they’re “a little” or “not at all” confident, respectively.
But when asked about their travel habits, 24% of these confident respondents admit to connecting to public Wi-Fi networks every time they travel on business; 22% do the same on all personal trips. More than 25% bring and use a device containing confidential or sensitive work-related data when they travel for work; 16% do the same when traveling for pleasure. Nearly 20% of seemingly security-savvy travelers charge devices via public USB ports or charging stations when traveling for business; 17% do the same when they’re on vacation.
More than 70% of Americans have engaged in a higher-risk travel behavior – connecting to public Wi-Fi, for example, or charging on a public USB station – regardless of whether they’re traveling for business or pleasure. Charles Henderson, global managing partner at IBM and head of X-Force Red, points to another trend: “Very often, consumers treat work information differently than they treat personal information,” he says.
In addition, people are more likely to protect their own data than corporate trade secrets, a common issue faced by CISOs, he says. It is worth noting respondents travel far more frequently for personal than business reasons. Only 26% report traveling for work, while 84% say they primarily travel for personal reasons.
Seasonal Scams Turn Political
It’s not new for cybercriminals to capitalize on major events with phishing campaigns; we’ve previously seen this in Olympic Destroyer and World Cup-themed attacks. It is helpful, however, to know which trends are top-of-mind. This summer, it’s the 2020 presidential campaign.
“Obviously, political alliances and political leanings are something that’s useful in trying to get people,” says Adam Kujawa, director of Malwarebytes Labs.
Leading into the 2020 campaign, we’ll likely see several attempts by cybercriminals based locally, in the US or other Western countries. Will disinformation manifest in social media campaigns, as it did during the 2016 elections? Not necessarily. After social media came under a harsh spotlight following the last presidential campaign, Kujawa thinks criminals spreading gossip and disinformation will turn to phishing.
“These are the kind of focused attacks we see more against consumers,” he adds. Still, it’s important for employees to be aware of threats that could potentially arrive in their inboxes.
Loyal to Fraud
Cybercriminals are ramping up with attacks against travel companies. In recent years we’ve seen massive breaches at Marriott/Starwood, Cathay Pacific, and British Airways. “The travel industry as a whole has been targeted much, much more,” IBM’s Henderson says, because it “has the trifecta of data criminals care about.”
This includes PII (names, passports, driver’s license numbers, birthdates), payment card data, and loyalty numbers. It’s an emerging trend for cybercriminals, he explains. “Loyalty programs, and loyalty fraud, is huge,” Henderson says. Rewards numbers for airlines and hotels are located on boarding passes and baggage tags. Cybercriminals have their eyes peeled, as points can be cashed in for free flight tickets and hotel stays, Henderson explains.
And because rewards customers are considered VIPs, hotels and airlines try to avoid inconveniencing them and often don’t pressure them for details if they call in with a loyalty program number. This makes it easy for criminals, armed with a loyalty program number, to pretend to be someone else and walk away with free flights or hotel stays.
“They don’t want to be the inconvenient travel airline or hotel,” says Henderson, who points to a need for industry standards around traveler protection with respect to loyalty programs. He also advises companies in the travel industry to test what a breach looks like, so they can more effectively detect and respond to incidents when they occur.
Summertime Employment Scams
Job hunters should be aware of multiple variations of employment scams during the summer months, says Adrien Gendre, chief solution architect at Vade Secure. These impersonate companies of all sizes and industries, and while they happen year-round, they’re most prevalent during the summer months and at year’s end when people are job hunting.
Some scams arrive in the form of fake job offers appearing to come from recruiters at large companies. They invite recipients to join a job search database by downloading a free application, which is laced with malware. Others are deceptive spam emails, which claim to offer available jobs but redirect recipients to a fraudulent site. There are also LinkedIn phishing attempts, which try to manipulate people into sharing data or downloading malware.
“The topics of LinkedIn phishing emails range from bogus connection requests to fake job offers, with the goal of harvesting credentials and other personal information or installing malware,” Gendre says.
He advises employees to be logical: If something seems too good to be true, it likely is. “For instance, large, well-known companies typically have candidates flocking to them, so why would they need to blindly email people who may or may not have the necessary experience?” he says.
Further, think twice if an alleged recruiter demands an immediate response. Yes, you have to move quickly to land a dream job – but that’s exactly what the attacker wants.
Watch Your Wi-Fi
Travelers have a nasty habit of hunting down free Wi-Fi before and after their flights. Attackers are taking advantage, IBM’s Henderson says, and using this behavior to inform their strategies. Many have started to bring their own Wi-Fi hotspots and/or Stingrays (fake cell towers designed to intercept data between devices and the Internet) into airports, hoping travelers will connect. While cybercriminals target travel companies year-round, they’re more likely to target travelers during peak times of the year.
“If you notice a behavior in travelers, you’re going to target it in the form of crime,” he explains. The airport is an interesting place because people who are getting off a flight and didn’t want to pay for in-flight Wi-Fi want to catch up with the world as soon as they land. Similarly, people whose devices are running low on battery are quick to plug into any USB charging port without stopping to think the connection could be malicious.
Malwarebytes Labs’ Kujawa also points to the risks associated with not only rogue hotspots, but public Internet. “Public Wi-Fi, combined with auto-connecting on devices, is a huge security vulnerability, in my opinion,” he says.
Travelers should be aware of when their devices connect to public Wi-Fi networks at Starbucks or McDonald’s, which can happen without their agreement. “That’s an easy way to not even be aware the information’s traveling over the network,” he adds.
Targeted in Transit
More than half of the respondents in IBM’s research are “very” or “extremely” concerned their credit cards or other sensitive information will be stolen while traveling, while about 31% say they are similarly concerned about this type of data theft at home. Nearly 40% say they put “a great deal” or “extreme amount” of effort into protecting digital data while traveling, 32% say they put “some” effort into their protection, and 19% say they put in “not much” or no effort at all.
But data is in demand, and Henderson encourages travelers to recognize this. “Understand that your data is valuable,” he says. “That’s something that a lot of consumers miss.” If people accept their data has value, he continues, they’re more likely to protect it.
“Luckily, it’s very easy to try and avoid that stuff happening anymore,” says Kujawa, who recommends prepaid credit cards for those worried about having numbers stolen on the road. But that’s not all travelers can do to protect their data: Malwarebytes advises travelers to buy shields for contactless payment cards so they can transport them without leaking information. It’s also smart to back up data on all devices coming on the journey; this way, if anything is stolen, the information isn’t lost.