Profit urges firms to adopt two anti-phishing systems

Travel companies can limit vulnerability to cybercrime through a couple of simple initiatives. Ian Taylor reports Continue reading →

Travel companies can limit vulnerability to cybercrime through a couple of simple initiatives. Ian Taylor reports

Travel businesses are being urged to cut the increasing risk of cybercrime in the sector by signing up to two free programmes to slash phishing emails and spam.

Industry body Prevention of Fraud in Travel (Profit) launched a campaign to promote the initiatives last week, both freely available through the Global Cyber Alliance (GCA).

The GCA is a not-for-profit organisation launched 18 months ago by the US Centre for Internet Security, the District Attorney of Manhattan, and City of London Police to partner businesses and governments to reduce cyber risk.

GCA executive director Rosemary Scully said: “Email is one of the most pervasive ways of gaining access [to a system] – 91% of hacking attacks begin with a phishing email.”

Profit chairman Barry Gooch said: “Spam and rogue emails are the biggest threat. Infected emails increased 6,000% in 2016. There has been a big spike in ransomware this year and 40% of spam contains ransomware. We can’t stop it all, but we can reduce it and improve resilience.”

One GCA project involves Dmarc (Domain-based Message Authentication Reporting and Conformance). This checks email comes from the claimed source through an ID check of the domain name, preventing unauthorised use of a firm’s name. It uses two existing authentication systems, SPF and DKIM, and combines them to block phishing attacks.

Dmarc has been available since 2015 and is an open-source tool. But Scully said: “People don’t know about it and it can be difficult to load.” So the GCA has made it easy to install.

Scully said: “The UK government has decided all government departments must have Dmarc loaded. It sits in your system to prevent people pretending to be you. But to get this really to work, it needs everybody to have it.”

The GCA says organisations using Dmarc receive about one quarter of the email threats of those which don’t. Yet by February this year only an estimated 31% of travel businesses were using Dmarc.

The second GCA programme involves a Domain Name Server (DNS) email filter which removes malicious emails and quarantines those which are suspect, based on continuous updates from “multiple threat intelligence feeds”. The GCA is seeking partners to join the pilot.

Gooch said: “We want this to succeed and we want the industry on board.” Both GCA programmes are free.

Profit maintains an up-to-date list of attacks in the sector, but believes this provides only a partial picture.

Gooch said: “The list features mainly hotels and airlines. Travel companies, cruise companies and airports are also targeted, but it’s not being reported. Cruise lines could be under the greatest threat because there is a lot of equipment on ships, plus all the passengers’ devices.”

Travolution and Travel Weekly are hosting a free half-day Cyber Security summit in London on June 22, get more information and sign up here