zeallite2019_ThemeView caught exception: Unable to locate template ‘partials/page/page-hotels.php’
Staying safe online is as important when travelling as when at home. The more you travel and access the internet, the more potential risks you face.
We offer some tips to help minimise the risk of criminals stealing your data and property to use for fraud, identity theft or other illegal activities.
Before your trip
- Update your devices before travelling. Ensure all personal and work devices you plan to take are running the latest versions of software and operating systems. This will improve its ability to defend against malware and viruses.
- Back up your data. It’s boring but important. Back up documents, contacts, photos and other data with another device, to your work server or to the cloud, as appropriate to your organisation.
- Bring only the devices you need. The fewer items you bring, the fewer you have to lose.
- Set up a tracking feature on your devices. Check whether your employer has enrolled your laptop, mobile etc. into a mobile device management solution that allows them to find or wipe lost or stolen corporate devices. For personal devices, consider the use of trackers, such as Apple AirTags or equivalents.
- Print and carry emergency access codes. Applications often provide the option of generating emergency access codes on set up, or offer a secondary validation method such as e-mail. Consider setting these up in advance, where the application allows it, in case your device(s) are stolen and you use them for multi-factor authentication.
- Familiarise yourself with your company’s mobile and remote working policy. Even if you travel on business or work from home regularly, policies may be updated from time to time and serve as a useful reminder of what your organisation permits and requires.
- Book travel arrangements via agreed providers. Using the providers recommended or required by your business will help you avoid visa scams, advance fee fraud and fake websites designed to steal your data.
- Ensure someone knows your whereabouts. Leave details of your itinerary and any deviations, how you will travel, flight numbers etc., when you expect to arrive and return, and what to do in the event of undue delay with a trusted colleague, friend or family member.
- Imagine the worst-case scenario. Consider what you would do if you lost your phone, passport or work laptop, or had a medical emergency. Prepare accordingly with hard copies of itineraries, flight details, key telephone numbers, medical information and so on.
While travelling
- Remain alert when going through airport security. If you’re able, do not log into your computer for it to be inspected. If at all possible, do not surrender your password at airport security. If any devices are confiscated or taken away by officials, speak to your company IT department before turning them back on.
- Use a virtual private network (VPN). Connect to trusted wired or Wi-Fi networks wherever possible. For other times, in airports, hotels, cafés and so on, use a virtual private network (VPN) to keep communications private in transit.
- Use two-factor authentication. Secure accounts with strong passwords, don’t use easy-to-guess passwords or reuse the same passwords for multiple logins. Keep your authentication token separate from your device. Consider printing authentication codes and carrying them with you for a limited period in the event of the loss or theft of your devices or tokens.
- Ensure that your devices are kept in a secure location. Use the hotel room safe overnight and while out of the room. Beware of pickpockets in crowded locations but also while attending business events, dining out with colleagues or hosting clients. Opportunist professional thieves strike when your attention is elsewhere. Spread your valuables between different pockets and bags. Keep them out of sight where possible.
- Do not publicise your route or routine outside trusted colleagues, family and friends. Be careful about your use of social media, including professional networking sites such as LinkedIn, as virtual kidnapping is on the rise.
- Securely destroy sensitive items. Mitigate the risks of sensitive information falling into the wrong hands by shredding or securely destroying of CDs etc. Even copies of meeting agendas and minutes could contain details of strategic and marketing plans. If something has commercial value to your business, it also has commercial value to someone outside the business.
- Retain boarding pass and airline-printed luggage tags until after you return home. Securely destroy the barcode on these items as it’s a potential goldmine for data thieves, containing passenger name, ticket number, port of departure and arrival, date, time, date of birth, passport data, frequent flyer number and so on.
This post was powered by Cortida. Cortida offers information and cyber security consulting, including awareness training for mobile and remote workers. For more information, please get in touch: info@cortida.com
Further Reading
Powered by Cortida
The chance of being kidnapped on a business trip is a rare but real risk and organisations put various measures in place to mitigate this risk as well engaging specialist support should the worst happen. However, as a result of rapid technology advancements, we’ve seen an increase in a relatively new kid on the kidnap block.
The call began with a woman’s screams. We’ve got your daughter, an unknown male voice said. In the background, there were sounds of a scuffle, more screaming and male voices shouting. The caller then demanded a ransom for her safe return.
But the alleged victim was aboard a plane. Safe and well, 35,000 ft over mainland Europe, she was on the way to a business trip. The family had been a target of a virtual kidnapping.
This is the latest extortion scam that tricks victims into paying a ransom to free a family member or employee, who they believe has been kidnapped.
Criminals may clone a person’s phone number to make it seem as if the call is coming from the victim’s phone. Or clone their voice, using AI and deepfake technology, to make the attack seem more convincing.
Virtual kidnapping attempts: how to spot them
While terrifying in the moment, many elements of a virtual kidnap scam rely on old tricks repackaged. For example, the kidnapper sows fear, uncertainty and doubt to catch their victim off guard. Their appeal is designed to trigger an emotional response. This is an attempt to prevent the victim thinking and acting rationally.
They spin up a story to make things more plausible and convincing. And create a sense of urgency or put the victim under time pressure. Either by being aggressive, making threats to harm the alleged kidnap victim, or insisting on expedited payment.
Successful cons are an exercise in the art of persuasion. Often the perpetrator will manipulate the situation, so victims persuade themselves.
Virtual kidnapping: a view from the market
Kidnap is a risk for various reasons, depending on the location. At Maiden Voyage, we include anti-kidnap training as part of our travel safety training programmes to mitigate the risks.
There’s express kidnap, where someone is frogmarched to an ATM, in hotspots such as Central and South America to withdraw cash until their bank stops paying out. There’s also kidnap for ransom, as well as tiger kidnap, whereby two crimes are committed. First a person is taken and then instead of requesting money, the captors will demand that a second crime is committed such as violence, robbery or in some cases murder.
Virtual kidnapping is when the criminal pretends to kidnap someone to extort money from their family or employer. We’ve seen an increase in virtual kidnapping since people started posting to social media.
For example, “I’m in the airline’s first-class lounge en route to Australia”. That person is likely to be off grid for a while, which gives criminals a window of opportunity to carry out the fraud.
We asked the team at Cortida, experts in cyber security consulting what steps individuals and companies can take to reduce the risk of becoming a victim of virtual kidnap.
Virtual kidnapping: how to prevent it
There’s a lot of overlap between virtual kidnapping prevention tips and other forms of social engineering in a business context.
Be wary of sharing details of travel plans or real-time location online.
Restrict social media posts and the use of hashtags, which could give away location, to friends, family and trusted colleagues only.
But, if you’re speaking at a conference or attending a trade fair for business, you’d probably publicise the fact, including on social media. The event organiser would likely do the same, precisely to let customers, prospects and others know about it.
Just be aware that criminals can also use this info to time and tailor their attacks. They’d know when a potential kidnap victim is away from home or unavailable to be contacted.
Consider using a tracking app to let trusted parties check where you are. Various apps can track a mobile device and store the route in the cloud. Even if the device is switched off, the last location can be available for a trusted party to check.
Conduct regular staff training.
Virtual kidnapping is like other forms of social engineering. A prime example is CEO fraud, also known as bogus boss fraud or business e-mail compromise.
Forewarned is forearmed. So, train your staff on how to recognise various types of phishing attacks. This should include targeted ‘spear-phishing’ and vishing, voice-initiated phishing attempts.
To avoid becoming a victim, try to slow the situation down. Repeat the caller’s request. Tell them you’re writing down the demand and that you need time to get things moving. Avoid sharing information about yourself, your business or the alleged kidnap victim.
Verify all requests.
Request to speak to the alleged victim direct. Ask questions of them that only they would know. Consider a password to be agreed in advance that colleagues can use to confirm they are actually in danger.
Attempt to contact the alleged victim via phone, text or social media and request a call back.
If you receive a video file of someone that looks to be bound, gagged or pleading for help, software, such as Deepware, can help determine whether it is fake. Generally, through the use of artificial intelligence to check human faces for signs of manipulation.
Be suspicious of urgent requests.
Urgent, secret or unexpected requests that arrive at the end of a business day or week. Or those that pressure you to act quickly, should automatically raise a red flag in most cases.
With virtual kidnapping, callers may also try to keep you talking and insist you stay on the line. This is to prevent you from raising the alarm or contacting the alleged victim. In most cases, if you receive a call demanding a ransom to free an alleged kidnap victim, the best course of action is to hang up, the FBI advises.
If you suspect a real kidnapping is taking place, or believe a ransom demand to be a scam, contact law enforcement immediately.
Cortida offers information and cyber security consulting, including awareness training for mobile and remote workers. For more information, please get in touch: info@cortida.com
Physical and virtual anti-kidnap training is included in the syllabus of some our travel safety training courses and eLearning modules. Find out more here.