AI’s role in facilitating automated and personalised cybersecurity attacks is posing a new threat for inbound operators, particularly those working directly with multiple suppliers to arrange complex itineraries for overseas clients.
Tourism Update has been made aware of instances where tour operators lost large sums of money after their suppliers’ business email addresses were hacked, resulting in fraudulent invoices being sent to the operators.
Ryan van de Coolwijk, Managing Executive of ITOO Special Risks, pointed out that compromise of business email accounts is one of the most common current forms of cybercrime.
“This could be through unauthorised access and manipulating communications to gain access to sensitive data and crafting fraudulent or modified invoices to solicit fraudulent payment,” said Van de Coolwijk.
Dieter Holler, Chief Information Officer at Tourvest Destination Management, said AI has increased incidences of scaled, automated and convincing phishing campaigns.
“The run-of-the-mill vulnerabilities are related to impersonation and thereby typically linked to financial fraud to make or divert payments. Automation has always played a major role in finding and exploiting vulnerabilities but the ability to impersonate individuals through written communication and even voice communication is the new challenge,” said Holler, pointing out that large brands are often targets.
“There is no specific travel sector where these practices are more prevalent but, of course, more well-known brands and names are at greater risk of being used in initial phishing and impersonation attempts due to their high trust and recognition factors.”
Van de Coolwijk said using a number of online channels, such as multiple email communications with various suppliers, increases the risk for operators.
“I believe it will always be important to use reputable DMCs and ensure they have the appropriate security controls in place to try to prevent cyber incidents.”
Holler suggested operators use vendor cyber-risk assessment platforms.
“These allow businesses to assess the risk of transacting with a given party based on their public digital footprint, which is typically also a strong indicator of the presence or lack of internal cybersecurity risk mitigation strategy.” He also cautioned that cyber criminals use similar tools to find vulnerable businesses to target.
Cyber extortion on the rise
Cyber extortion – linked to theft of data and ransom demands to not publish that data – is also increasingly prevalent and potentially more dangerous than other forms of cybercrime, according to Holler.
“Often much more damaging is exploitation via human or software vulnerabilities to position malware within a business IT infrastructure leading to data loss, data exfiltration and encryption of all company data. These ransomware attacks aim to extort large sums, typically in cryptocurrency, to restore data or stop publication of exfiltrated data on the dark web.”
The most effective mitigation measures involve a layered approach incorporating technology, human engagement and stringent controls, especially around financial transactions.
“This includes strong authentication controls, ensuring that data backups are secured and protected, and the careful management of access to systems and data including employees, partners and external service provides,” said Van de Coolwijk.
Despite the risks, uptake of cybercrime insurance among tour operators remains low, according to Van de Coolwijk.
“There is still a need for education and awareness on the risks,” he said, adding that he has seen stronger adoption on the lodge and accommodation side.
