The Edinburgh Festivals are known the world over and have become a powerful income generator for the city of Edinburgh. Their economic impact in Edinburgh increased from £280 million in 2015 to £407 million in 2022, and they are important drivers in the national economy. On average, £33 is generated in impact for every £1 invested from the public*.

Unfortunately, this surge in income attracts people with malicious intentions who look to use unscrupulous means to steal from or defraud businesses. Organisations of any shape or size can be impacted by fraud, particularly during busy times or when least expected.

In this guide, we highlight some of the ways that fraudsters may target your business during the Edinburgh Festivals, and the best ways to avoid becoming a victim.

Ticket Scams 

Often the first port of call for anyone looking to book tickets for colleagues as a team-building event, or for a fun night out with clients, is to check ticket availability.

Fraudsters might sell counterfeit tickets for festival events or create fake ticketing sites to steal personal or payment information from unsuspecting buyers. These fake tickets are often sold through unauthorised channels or look-alike websites, so always make sure you visit the official Edinburgh Festival websites, use strong passwords and always use two-factor authentication.  

The official Edinburgh Festival websites to access ticket and event information are: 

Additionally, sponsoring events or taking advertising in official festival publications can bring a lot of attention to a brand or special offer. This, in turn, may present opportunities for fraudsters posing as festival organisers, or representatives, offering fake sponsorship opportunities to solicit funds. If you are approached by someone offering promotional opportunities, contact the official phone number of the festival in question to double check that the person who got in touch does work with them, and therefore the approach is legitimate. 

For more advice on how to avoid being a victim of ticket scams, visit the Take Five – Stop Fraud website here – https://www.takefive-stopfraud.org.uk/ticket-fraud/ 

Accommodation Fraud 

If your colleagues or clients require an overnight stay after watching a show, be alert to fake listings. Fraudsters can post fake accommodation on reputable booking sites, encouraging bookers to make payments in advance for properties that are not available for rent, or in some cases do not even exist. 

Additionally, scammers may target businesses with fake emails or messages claiming to be from legitimate accommodation providers offering their property, then ask for personal information or payment details. To help protect your business and colleagues, before you make a booking: 

  • Check how long the accommodation has been listed and reviews from others who have stayed there. 
  • Use Google Maps to confirm the location and, if possible, speak to the owner of the property on the phone (if using a house rental service such as Airbnb).
  • If you do pay for accommodation, use a credit card, which offers some protection, and do not pay for the accommodation up front in full. Reputable companies will only ask for a deposit to secure the accommodation.
  • When using the booking website www.booking.com, make sure you have changed your password recently following a data hack in 2023. Protect your personal data by keeping your security information safely stored using a password manager. 

Further advice on avoiding booking scams can be found in a Good Housekeeping blog here – https://www.goodhousekeeping.com/uk/consumer-advice/money/a33012561/holiday-booking-scams/  

Overall, be suspicious of anything that is too good to be true and especially of any holiday offers that are unusually cheap or ask for a high deposit. Spend time researching where you want to stay to make sure the property you book does exist and is legitimate. 

Business Email Compromise (BEC) 

One of the most commonly reported company-related incidents is Business Email Compromise (BEC). This is where fraudsters attempt to exploit vulnerabilities within a business’s infrastructure by sending a fake but well-designed email in order to compromise an email account. If successful, the attacker can read the victim’s mailbox and the business-confidential information it contains. Additionally, an attacker may impersonate the account’s owner and ask for financial information or for transfers to be made, in requests that look legitimate.

Some attackers may also try to compromise email accounts by sending fake invoices to festival organisers, theatre companies or organisations looking to book hospitality for their colleagues or clients.   

There are myriad ways scammers can take advantage of BEC, and organisations often only identify an account compromise when an external party notifies them. With proactive monitoring, many businesses will be in a better position to mitigate attacks. Measures to take include:

  • Implement a robust password policy – an 8-character password that is changed every three months is more likely to result in users choosing poorer passwords than a 14-character password changed annually.
  • Implement multi-factor authentication – this is the most effective method for preventing account compromises. Additionally, any internet-facing service should be configured to authenticate an individual with more than a username and password combination alone. An additional form of authentication should be used, such as an app, SMS messaging or token.
  • Use password managers – these generate and store passwords for a user and reduce the burden of remembering passwords that are unique, individual and complex.
  • Consider how much company information is on your About Us web page – consider reducing public information about employees, such as email addresses or interests. Such details can help fraudsters design emails that look authentic.
  • Team training and support – make sure that your team is aware of the threats posed by BEC and give real examples of the types of emails received throughout the company. Sharing and reminding team members of good practice will put your company in the best position to try and mitigate against an attack. 
  • Check your website against the HaveIBeenPwned alert service (https://haveibeenpwned.com/DomainSearch) to be notified if any email address for your organisation is involved in a data breach, which could be the start of a business email compromise attack.

For more details on measures to take to avoid Business Email Compromise, and what to do if your organisation is targeted, read our blog, Business Email Compromise: Preventative and Remedial Measures, on the Cyber and Fraud Centre – Scotland website (cyberfraudcentre.com).

Cyber Threats 

Intensive promotional activities by festival organisers, theatre production companies and even hotels and restaurants to attract the impending influx of visitors to Edinburgh may be exploited by cyber criminals. 

Threats to local hoteliers and hospitality providers could include: 

  • Phishing attacks – emails that appear to be from a genuine source and try to convince an employee to share information, which could include passwords and financial information. The aim may be to take over a user’s email account to send bogus emails to colleagues, trying to persuade them to authorise transactions supposedly approved by those at the top of an organisation.
  • Ransomware – cyber attackers take information or systems hostage and demand a fee to release them back to the business.
  • Distributed Denial-of-Service attack – where an attacker looks to target the wide array of systems hotels use every day, such as the security cameras, sprinkler systems or room key access.  
  • Customer data/ identity theft – protecting any data is paramount to any organisation and is key to its success. The amount of sensitive data collected by the hospitality industry poses a high reward for criminals that attempt to steal identities and credit card data. 
  • DarkHotel hacking – in this example, criminals attempt to use hotel or hospitality Wi-Fi to target business guests. Fraudsters use forged digital certificates to convince patrons that a software download is safe.  
  • Point of sale/payment card attacks – this is arguably one of the biggest threats to the hospitality industry as a whole. Rather than attacking a venue, this is a third-party crime, attacking the vendor by exploiting weaknesses in the system.

The hospitality industry provides a wealth of potential opportunities for criminals. Given the cyber threat landscape, all organisations should prioritise prevention and education to be flexible, alert and adaptable to change. Conducting regular risk assessments, using a cybersecurity framework and providing regular training for staff will all increase cyber awareness. 

For more information and advice, read this blog from UpGuard on Cybersecurity in the Hospitality Industry: Challenges and Solutions – https://www.upguard.com/blog/cybersecurity-in-the-hospitality-industry 

Public Wi-Fi Security Threats 

Public Wi-Fi networks used by remote or hybrid workers during the festival can be targeted by attackers to intercept data and steal information. In a survey, 35% of people access public Wi-Fi three to four times a month, with 23% of people using public Wi-Fi to cut down on data use, and a further 20% using public Wi-Fi to make financial transactions**. 

With the majority of hospitality and transport providers now offering free Wi-Fi, encourage your colleagues and clients to be mindful of potential hacking dangers, and how to avoid them. Criminals can set up a rogue hotspot with a name similar to a legitimate hotspot to trick unsuspecting users into connecting to their network, and then intercept data.

Alternatively, data passing through a public Wi-Fi network is often unencrypted, and a man-in-the-middle attack could take place whereby a hacker intercepts the data travelling between a device and the Wi-Fi router, making it possible to steal confidential information such as passwords or credit card information. 

So, how do you encourage your colleagues, suppliers or clients to stay safe? 

  • Make sure any websites being used have a secure https connection – the full web address should begin with https, rather than http, which is not encrypted.
  • Avoid using password-protected websites that contain sensitive information such as online banking, work email or business-related social media. 
  • Beware of rogue hotspots that use names similar to authentic public Wi-Fi networks. Take time to check that a connection is to the right network. If in doubt, contact an employee at the business you are using to verify the connection name of the Wi-Fi point.
  • Set your device to ‘ask’ before connecting to a Wi-Fi network, rather than automatically connecting to an available network. 
  • Ensure your anti-virus and other software are up to date, which reduces the risk of infection by viruses or malware.
  • Consider using a virtual private network (VPN) if you regularly work on confidential data whilst away from home, or your place of business. VPN software encrypts all network traffic. 
  • Make sure your team log out of accounts when finished using them. 
  • Ensure all company devices have password access, and ideally two-factor authentication to use systems and products. 
  • If you have hybrid or remote team members, consider installing mobile device management (MDM) software that can initiate a remote wipe of all data if the company device is stolen or lost.
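
A defender-side check for the look-alike names described in the Ticket Scams and Public Wi-Fi sections, as an added example that is not part of the original guide: it compares a website or Wi-Fi name against names you have already verified through official channels and flags near-matches. The allow-list entries, function names and thresholds are constructed for illustration.

```python
import unicodedata

# Constructed placeholders: replace with names verified through official channels.
KNOWN_GOOD = ["tickets.festival.example", "HotelExample-Guest"]

# Characters often swapped in to make a name look right at a glance.
CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s", "|": "l"})

def skeleton(name):
    """Comparison form: fold case, strip accents, map look-alikes, drop separators.
    NFKD handles accents and full-width forms only, not cross-script homoglyphs."""
    s = unicodedata.normalize("NFKD", name).casefold()
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = s.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return "".join(c for c in s if c.isalnum())

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, known_good=KNOWN_GOOD, max_edits=2):
    """Return ('exact' | 'lookalike' | 'unknown', matched verified name or None)."""
    if candidate in known_good:
        return ("exact", candidate)
    cand = skeleton(candidate)
    for good in known_good:
        ref = skeleton(good)
        # Same skeleton, a verified name with extra words added, or a small typo.
        if cand == ref or ref in cand or edit_distance(cand, ref) <= max_edits:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample names, as a user might see them in a Wi-Fi list or link.
    for seen in ["HotelExample-Guest", "H0telExample_Guest",
                 "HotelExample-Guest Free", "tickets.festiva1.example", "CafeWifi"]:
        print(f"{seen!r:32} -> {classify(seen)}")
```

A "lookalike" result means the name should be confirmed with the venue or festival before use; "unknown" only means it resembles nothing on the list, not that it is safe.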

For more information about how to protect your team when using public Wi-Fi, visit the Which website here and read their article on How to Keep Your Data Safe When Using Public Wi-Fi – 8 Quick Tips – https://www.which.co.uk/news/article/how-to-keep-your-data-safe-when-using-public-wi-fi-aZKdQ4L8sKI9   

How to Mitigate Against Risk 

We’ve touched on some of the main ways that criminals may look to take advantage of organisations looking to engage with the Edinburgh Festivals and simple steps to take in the case of each type of fraud. Overall, the main strategies your business should take to try and prevent being a victim of an attack are: 

  • Verification process – if your business plans to host team building or hospitality, always verify the authenticity of ticket sellers, accommodation providers and any vendors by using official channels. Once sourced, it’s recommended to use secure and trusted payment methods to protect any transactions your organisation makes. 
  • Clear communication – by having strong and clear lines of communication with your employees about purchasing tickets or booking accommodation in a safe way, and with suppliers or clients on how to have a safe Edinburgh Festival, your organisation will help to build a resilient ecosystem. 
  • Proactive cybersecurity measures – implement strong cybersecurity practices, such as using secure Wi-Fi networks, anti-malware software, utilising fraud detection and prevention tools, and regularly conducting system updates to monitor and identify suspicious activities. These are all key measures alongside training to ensure a positive cyber position. 
  • Education and awareness – educate your employees, suppliers and clients about common attacks and how to identify them. By providing clear guidelines or signposting reliable sources on how to book accommodation, purchase tickets and recognise cyber threats, your business will be in a better position to safely get involved with the Edinburgh festivals and have fun.

By staying vigilant, having the right training, maintaining an awareness of current and developing threats, and implementing robust security measures, companies can better protect themselves, their teams and clients from fraud and cyber threats.