When I say the word ‘bat’, what image comes to mind? A flying mammal? A cricket bat?
In English, they call this a ‘homograph’: when two or more words are spelt the same but don’t have the same meanings or origins.
In cybersecurity, a homograph is a lot more sinister. It’s a term given to a type of impersonation attack where an email address or website URL looks legitimate but isn’t. It’s designed to trick people into clicking on malicious links or to fool them into transferring money or sharing sensitive information.
Recent research by Vanson Bourne and Mimecast found that more than 85% of respondents had seen impersonation fraud in the past 12 months, and 40% had seen an increase in this type of attack in the same period. In South Africa, 36% of respondents had seen an increase in impersonation fraud asking to make wire transactions, and 37% had seen an increase in impersonation fraud asking for confidential data.
Despite this growth, many organisations do not have a cyber resilience strategy in place to help them detect, prevent and recover from these types of attacks.
Easy to execute, hard to detect
Homograph attacks are difficult to detect – by both the user and regular email security systems.
To create these lookalike domains, attackers use non-Western character sets or special characters found in Greek, Cyrillic and Chinese, to display letters which, to the naked eye, look identical to the western alphabet. Mimecast.com, for example, looks like мімесаѕт.com in Cyrillic. According to one domain name checker, there are 117 possible Mimecast domains that can be misrepresented with just one character from a non-English alphabet.
These subtle changes are likely to go unnoticed by users. In South Africa, 31% of respondents were not confident that employees could spot and defend against impersonation attacks, which easily and often slip through an organisation’s security systems.
Some 21% of South African respondents were not confident that their organisation’s security defences could defend against impersonation fraud asking for confidential information, rising to 25% for fraud asking to make wire transactions – in line with global trends.
This is because the emails themselves don’t contain malware and the URLs often have legitimate (read: stolen) security certificates.
Is it me you’re looking for?
Website URLs aren’t the only avenues for impersonation attacks; email address impersonation is also on the rise.
These types of attacks are designed to trick users such as finance managers, executive assistants and HR representatives into transferring money or disclosing information that can be monetised by cybercriminals. The email appears to come from someone they trust – a C-suite executive or a third-party supplier that they regularly do business with – and therefore wouldn’t think twice about responding to.
South Africans reported that, in the past 12 months, cybercriminals have attempted to impersonate finance teams (24%), third-party vendors (20%), a member of the C-suite (7%), as well as HR, sales, operations, legal and marketing team members (between 5% and 8%).
Again, these emails do not contain malware, which means they can go undetected by most email security systems. Social engineering attacks such as these rely on our inability to spot anomalies in URLs and email addresses – and the fact that we believe we’re communicating with someone we know.
Know what to do
Cybercriminals have figured out that they can bypass security systems by switching from malware-laden attacks to malware-less impersonation attacks. Now, social engineering meets technical means to put us in the middle of the next evolution of cyber-attacks.
Here are some measures organisations can implement to guard against these types of attacks.
- Education. When users know how social engineering and spoofing attacks work and then understand they shouldn’t click on links in emails, breach incidents can be drastically reduced. Users should be encouraged to physically type an address into a browser rather than click on a link in an email, even if it was supposedly sent by someone they know and trust. Education and awareness will always be the most important defence mechanisms.
- Protection. Email security systems are getting better at stopping malware which enter the network through dodgy files and attachments, but few are effective against impersonation attacks. Organisations need a solution that can deep-scan all inbound emails and inspect for header anomalies, domain similarity, sender spoofing and the existence of keywords and suspicious impersonation emails. These can then be blocked, quarantined, or delivered as flagged to alert the receiver of potential risk.
- Resilience. Having the right threat protection in place is just one part of a robust cyber resilience strategy. Organisations also need to be able to adapt their strategies to stay ahead of attacks, while having the durability to continue with business as usual in the event of an attack, and the recoverability to ensure data and emails are always accessible.
- Oversight. Often, lax security on a third-party supplier’s side provides an entry point into an organisation’s network. Enterprises should continuously evaluate and manage the security and privacy policies of their suppliers and include security in their service level agreements. They should also perform on-site security assessments with new suppliers before sharing sensitive information.
- Visibility. Organisations need to know who their vendors are and who has access to company information, and for what reasons. This is even more important now that the EU’s General Data Protection Regulation has come into force and will affect all South African organisations when the Protection of Personal Information Act is finalised.
Thirty-seven percent of South African organisations have suffered data loss because of email-based impersonation attacks in past 12 months. These organisations also reported reputational damage (34%), loss of customers (29%), direct financial loss (17%) and lost market position (19%).
Email continues to be the number one threat to organisations globally and accounts for 96% of all incidents that organisations face.
Clearly, there is an urgent need to work towards a higher standard of email security. Cybercriminals have evolved their attack methods. It’s time the security strategies organisations use to protect their users and their businesses evolve as well.
3D printed room-service? Visit the hotel of tomorrow
To mark its 100th birthday, Hilton predicts the trends that will change travel and hospitality in the next 100 years.
Intergalactic getaways, fast-food nutrient pills, 2-3 hour working days and adaptable, personalised rooms that can transport guests everywhere from jungles to mountain ranges. These are some of the predictions for the next 100 years that the Hilton hotel group has put together in celebration of its 100th anniversary.
In a report supported by expert insight from the fields of sustainability, innovation, design, human relations and nutrition, findings reveal the impact of the growing sophistication of technology and climate change on the hotel industry in the future.
Key predictions for the hotel of the future include:
Personalisation is King
- Technology will allow every space, fitting and furnishing to continuously update to respond to an individual’s real-time needs – the Lobby will conjure up anything from a tranquil spa to a buzzy bar, giving every guest the perfect, personal welcome
- From temperature and lighting, to entertainment and beyond, microchips under the skin will enable us to wirelessly control the setting around us based on what we need, whenever we need it
The Human Touch
- In a world filled with Artificial Intelligence, human contact and the personal touch will be more critical and sought after than ever
- Technology will free up time for hotel staff to focus on what matters most: helping guests to connect with one another and building memorable moments
‘Sustainable Everything’ – The Role of Responsibility
- Only businesses that are inherently responsible will survive the next century
- Sustainability will be baked into everything about a hotel’s design – from weather-proofed domes, to buildings made from ocean-dredged plastic
- Hotels will act as the Town Hall of any community, managing local resources and contributing to the areas they serve with community-tended insect farms and vertical hydroponic crop gardens
Menu Surprises and Personalisation
- Our diets will include more plant-based recipes and some surprising sources of protein – Beetle Bolognese, Plankton Pies and Seaweed Green Velvet Cake will be menu staples!
- Decadent 3D-printed dinners and room service will provide unrivalled plate personalisation
- Chefs will be provided with biometric data for each guest, automatically creating meals based on preferences and nutritional requirements
Futuristic Fitness and Digital Detoxes
- Outswim a virtual sea turtle in the pool, or challenge yourself to climb the digital face of Mount Everest, your exercise routine will be as unique as you are. What’s more, exercise energy generated from workouts will be used to power the hotel, providing a zero-impact, circular system. Guests could even earn rewards based on reaching workout targets
- Pick up where you left off with trackable workouts and holographic personal trainers
- Offline will be the new luxury as we seek to find moments of tech-free time
“Since its inception in 1919, Hilton has pioneered the hospitality industry, introducing first-to-market concepts such as air-conditioning and in-room televisions. Last year, Hilton also became the first hospitality company to set science-based targets to reduce its environmental impact,” said Simon Vincent, EVP & President, EMEA, Hilton. “We enter our second century with the same commitment to innovation, harnessing the power of our people and technology to respond to guest demands. Our research paints an exciting future for the hospitality industry, highlighting the growing importance of human interaction in an increasingly tech-centric world.”
Futurologist Gerd Leonhard said: “In 2119 we will still be searching for unique experiences, but they will be more personalised than ever. As technology shapes our lives we will seek out moments of offline connection with others, including hotel team members who will help us truly get what we need from our stays. 100 years from now hotels will have to create opportunities to converse, collaborate and connect, delivering moments that matter, individually, to each and every guest.”
Gadget ed to chair Digital Council
Specialist financial services provider Sasfin Bank has established a Digital Advisory Council to provide the market with industry-leading expertise and insights on trends shaping the use of technology in financial services.
Digitalisation is one of the most powerful forces for change shaping Finance today. This has turned Fintech into one of the most vibrant sectors in both information technology and among start-ups, generating billions of dollars in investment and development globally. The South African fintech space is dynamic, and Sasfin is playing a leading role in the transformation of local financial services and the resulting enhancement of customer experiences.
“We have been investing in fintech development in-house and acquiring or integrating fintech start-ups,” says Sasfin CEO Michael Sassoon. “Over the last year we have built further digital offerings, integrated via APIs into leading businesses and invested in fintechs. We built and launched B\\YOND, an innovative digital business banking platform and SWIP, a digital wealth and investing platform. We have invested in Payabill, an online SME lender and DMA, a digital trading platform. We recently announced our alliance banking relationship, leveraging open banking, with Hello Paisa to offer seamless banking to the unbanked. We feel that there is a huge opportunity to improve the experience of South African businesses and savers through using technology. We have therefore created an independent forum to assess how to even better improve financial services for South Africans by leveraging the digital economy.”
Arthur Goldstuck, founder of high-tech research consultancy World Wide Worx, editor-in-chief of Gadget, and a globally respected technology analyst has accepted Sasfin’s invitation to head up the Sasfin Digital Advisory Council, an independent think tank that will help Sasfin and its clients decipher the fintech present and future.
“The Sasfin Digital Advisory Council is broader than providing only the bank with a source of insight on how digital services are evolving and lessons from across the world,” said CEO Michael Sassoon. “Sasfin has been involved in fintech investing for many years and we are leveraging this experience as well as the experience of independent experts such as Arthur to provide insights and guidance to interested stakeholders in this space.”
The team appointed to the Digital Advisory Council is being selected for the breadth and range of knowledge they would bring to the table, with further appointments to the Council being announced soon. There will also be room for the Council to co-opt specialist expertise as it is required.
Goldstuck, who has been covering the fintech sector as an analyst, commentator and columnist for many years, says he sees the role as a welcome challenge.
“There has been a long-standing need for a clear understanding of the impact being made by fintech today, and the exponential change it will cause tomorrow,” said Goldstuck. “My role will be, partly, to curate the wide spectrum of fintech and digitalisation knowledge and insights that the members will bring to the Digital Advisory Council, and help create scenarios that businesses and policymakers may use to navigate the future – both inside and outside Sasfin.”