Practice English Speaking&Listening with: Elevate masterclass: Protecting your business against online threats.

Difficulty: 0

Hello, everyone, and welcome. My name is Amir Naveh.

I'm the Security Awareness and Communications Manager at

And today I'm happy to be joined by two of our Security Directors,

Valentina Bonzi and Ben Carrall.

Hey Amir.

It's great to be here. Thanks for having us.

Thanks both. And today's conversation we'll be discussing cyber security

recipes for success and how together we can ensure our partners,

customers, and business, is safe and secure.

So, jumping right off, I'd really love to hear more about you

and how you would describe your job to a complete stranger on the streets.

So let's start with Valentina and then move to Ben.

Sure, what I would say is that I protect the data that partners

and customers share with from online criminals.

Yeah, and on my side, I see it as a challenging game of cat and mouse.

Or a trusting safety protector.

I love that. And even more to that,

how do you think your family would describe the job that you do today?

I would think that they say that I sit in calls all day,

and kind of get annoyed when they try to jump into the camera view.

Yeah, and I think on my side, I don't think they really know what I do.

Here it is often seen as a bit of a black box.

So what I find useful is always to relate it to more physical security.

So thinking of an airport and the different controls from check-in and customs,

right through to a valid boarding pass before you get onto the plane.

That's awesome. And when we move in a little deeper,

I'd love to hear more about what the defining career moment was

for both of you in your jobs today. And Valentina, why don't you start us off?

Sure. For me, it was how I landed in security,

it was the moment when I was asked to join the security team to help us

scale it and use my expertise in working with other engineering teams at Booking

and also my extensive time at Booking, to use my network for that.

It was quite a defining moment because it also meant that for Booking,

we were ready to invest a lot more in security because the company was growing so much,

it was becoming much more of a target.

Yeah, and for me, it all started back in 2014.

There's definitely an increase in cyber security threats that we were seeing targeting hospitality,

and decided to make some significant investments around detection,

prevention, and also response. Right.

So at the time, I applied for the lead role on that Security and Forward Operations,

and that's where my journey started.

Fantastic. I think now we can learn a lot more.

We've learned a lot more about you and let's jump right on in.

So, in our first section, we want to really focus on cybersecurity crime.

And so it's safe to say with your experience,

you're very well aware of how those cyber criminals operate.

And when we think about the coronavirus pandemic,

how would you say coronavirus has impacted their ways of working?

In a few ways, actually, so we see a shift to remote work,

which also means different channels so they can use to actually exploit technology or people.

And then on a different front, we also see a lot more unemployment rate, unfortunately,

which means a higher number of people that can be employed by criminals to follow their needs.

And then in addition to that, on the receiving end, people are in general more scared,

more fearful of what's going on.

So they're definitely more willing to listen when you mentioned something related to Covid, right.

So shifting this technique to exploit this fear,

and also using material that is much more related to the current pandemic has been quite,

quite a trend.

Yeah, absolutely. Thanks for that, Valentina.

It is really unfortunate that criminals are capitalizing on the pandemic,

but I heard some really clear points there about the security threats

and how we need to be aware of all of them.

And when we continue to think about this from the partner perspective,

what would be looking out for and Ill hand this off to you, Valentina.

Sure, the two main threats remain, phishing and social engineering.

Just to explain a bit more, what those two terms mean,

phishing is usually an email you would get with a link to a website that turns out to be malicious.

But from the look of it, it doesn't look malicious.

And usually the site would ask for credential information, your log-in, your password,

or on a similar note, social engineering is usually performed by phone,

and somebody would just call you up to ask exactly the same information, right.

To gain, yeah, to basically gain insight into what are the log-in credentials you have

or information that is considered sensitive.

So this while these remain the threats that we've observed in the past as well,

what we also see is that there wasn't a decrease in these threats, right.

So we definitely didn't see the decrease that went with the

decrease in transaction, the decrease in people traveling.

So these threats remained as high as ever.

And to give an example of what I said before, of fraudsters exploiting the crisis,

they tend to use maybe Covid-19 themed email phishing campaigns where people are more willing

to see the urgency right off, of that topic.

So they're more willing to respond, basically, to what they receive.

Yeah, some really good points, Valentina, and actually just thinking in terms of

some tips and hints to really help stay safe, I guess,

against phishing and social engineering attacks.

You know, what can our partners do?

Firstly, always check the sender name and email address.

And always just do those checks to make sure it's genuine.

I think Valentina's sort of touched on the urgency topic,

and we need to be really careful if you receive something that's highly urgent.

Always just take that step back and reflect, especially if it's asking for personal details,

credit card information, or in some cases, even account passwords.

You know, were you expecting this email? What is the tone of the email?

Also, incorrect spelling is a key giveaway.

So always look out for some incorrect spelling within those emails,

and always hover over the link.

It's really easy to do. You just sort of drag the mouse and make sure that the link is from

the sender, as I said before, but never click on it.

And then finally, always report via the Partner Hub, through

Yeah, thank you both, I think it's really quite interesting, Valentina, as you said,

that we would expect it to go down the social engineering and phishing attacks,

but they actually haven't, and Ben, on your side,

Those tips are incredibly helpful to spot the warning signs for anybody who could be a target.

And when we continue on this thought,

are there any other examples we can think of as far as threats and laying that out

for any viewers today? Valentina, any thoughts on that?

Yeah, I think in general, across the e-commerce industry,

what has been seen is that scammers tend to use Covid as a way to inflict urgency

on people, like to make them actually respond, to what they're trying to get.

An example of that would be a call from

a pretend Booking employee saying that they need to give the partner an update

on Covid-19 like something urgent that might impact the property, they might have to close

or something like that. But before doing so, they ask for log-in details of the property. Right.

Yeah, and I guess keeping up to date, Valentina, with the current risks

and just making sure that you've got the right security controls in place to protect ourselves,

I think also what we've seen, particularly over the last 12 to 18 months,

is more sophisticated attacks targeting different segments of travel with ransomware

and also malware from transports and logistics, cruise companies, and many others.

And so these type of attacks really take advantage of the weaknesses in security controls,

or even taking advantage of employees and their lack of awareness around security risk.

And then they accidentally download malicious malware onto their computers.

And so with these types of attacks, there's much more major disruption to business operations.

We've seen companies that were offline for hours, even days,

not to mention the unauthorized access to customer and company data.

So, circling back, I think its best to assess the risk,

make the right investments into security,

keep updated of course, on emerging risks,

and just ensure that there's a regular security awareness plan

for both your employees and customers.

Absolutely, that was all incredible information,

really useful and I think the practical examples add a lot of weight as well.

And in this next section, it's really important that we also

look at things from the partner's perspective,

and in the partner's shoes. So I'd love if you could tell us

a little bit more about who cyber criminals actually target and why.

And let's start with Valentina to get your thoughts on this.

Yeah, yeah. So basically, one thing that we see is that quite common target would be somebody

that is used to taking a lot of calls, maybe a lot of them like in a sequence. Right.

So they would go through them quite often in their day.

And then also they're very customer-focused. Right.

So they would always have the mindset of trying to solve the problem of the person

on the other side. And that angle may be targeting employees who actually work the night shift.

So they work out where they are more usually alone and

and therefore they are less likely to be able to check with somebody else whether this

is a legitimate request or not.

Thanks, Valentina. That's some really great points.

I think it's important we also touch on

the point of urgency in this conversation. Ben, is there anything else you'd like to add for us?

Yeah, look, thanks, Amir. As I touched on before,

cyber criminals also target employees that handle sensitive data.

As well as executives right. So, for example, with spear-phishing attacks,

they target high value individuals that have access to systems or specific data.

That could be your accounts payable staff, reservation, or even front desk check-in staff.

So also, while not specific to the hospitality industry, we also see whaling attacks.

And so they're really sophisticated attacks that really target that CEO or C-suite level, right.

And with that, they really build trust and credibility through

a whole range of different tactics

And to Valentina's point earlier, you would then receive naturally a very urgent request

for a funds transfer due to a merger, or acquisition, or something of that effect

and also So from time to time,

we do see social engineering attacks targeting our hotel partners and their employees.

And the main purpose of that is to access systems

that have customer data, and also payment card information.

But they do this naturally to steal the payment card information or even use

the reservation data to scam customers at the end of the day,

So always remember those sort of red flags that we've discussed before

and watch out where there's a level of urgency around a request.

Thanks, Ben. This was all really valuable to, you know,

understand the different levels of which security can be targeted

and how we can help prevent it.

And you both have spoken a lot about how partners should react in these situations.

And I'm curious now whether there's anything partners can proactively do to help prevent them.

And, Valentina, why don't you start us off?

Yeah, I can start. So, first of all,

let's focus on the fact that the attackers would mostly be looking to get access to credit cards

or to other sensitive information about the guests. Right.

So the first thing to remind yourself is to keep the credit cards as secure as you possibly can.

So don't print them. Don't share them with anyone.

And if you can enroll in Payments by Booking, so that you don't even get to see

the credit cards, and the payment is handled securely for you by us.

The second point is what Ben already touched on,

like make sure your log-in credentials are kept safe.

What I mean with this is that mostly what

the attackers would try to do is to get access to your log-in and password,

sometimes asking you to do so.

Remember that will never ask you for your log-in and password,

so there is no legitimate reason why you should be sharing it.

But in addition to that, you also have Two-Factor Authentication.

And for that to be as secure as possible,

you need to make sure that only authorized devices are actually in

the list of devices who can get the second factor, so the PIN.

And also remember to remove

a device when you change your phone, and use the Pulse app as a second factor,

that's also a good way to keep safe. Still related to accounts, it's important,

as much as you don't share those accounts with a stranger,

you shouldn't also share in your employee base.

So make sure everyone has their own individual account.

This is important because then you can tweak what each employee can actually see.

So not everybody gets to see everything,

but only things that are related to what they actually need to do their job.

And the last point is also make sure you inform yourself about the new trends in security

in Partner Hub

Yeah. Thank you so much. I think all of that really touches on

a number of really important points for partners to consider.

And moving into our next section we want to think about,

that it might be safe to assume that Booking really has a big role in this.

Would that be safe to say?

Yeah, definitely, right, for us. Trust is the key, is a key thing that we provide, right?

It's at the heart of our platform.

There wouldn't be a platform if we couldn't provide

this trustworthy relationship between ourselves,

the partners, and the customers.

I would completely agree. Trust is really at the core and heart of our mission here.

And on that point, how do we speak more to help looking at investing in

protecting not only our customers, but also our partner audience?

Valentina, why don't you shed some more light here for us?

Yeah. So we have a team of dedicated professionals, right,

who are skilled in different fields and that every day monitor what's going on

and try to detect suspicious behavior, fraud, and this kind of thing like specifically we do.

We have always-on monitoring through automated tooling,

to machine learning algorithms that check for suspicious activity.

We also enforce strict authentication rules.

That's why partners have to perform Two-Factor Authentication to access their details

on the systems. And then we also do monitoring of

the payments that we take through our platform, right.

So whatever transaction happens gets checked

for different data points to see if it could be a suspicious transaction.

And then, of course, we also have an open channel with our partners.

Where we very much encourage you to report

through for anything suspicious you might see.

That's all really useful. Thank you so much, Valentina.

From a fraud perspective, is there any more insight you could provide for us, Ben?

Yeah, definitely, thanks, Amir. Definitely looking at the agency model in terms of that platform,

and fraud monitoring that we have in place,

we do take as many precautions, there's dedicated teams to protect you,

from fraud and the availability and, naturally, the cost of chargebacks.

But what can partners do to help themselves and protect themselves here?

We recommend taking a temporary zero-dollar authorization

on the payment card to confirm that it's valid.

If the card is invalid, then requesting your payment method through the Extranet.

So that's a key opportunity to get a different payment method.

Beyond that, if you are receiving a significant volume of bookings

and you do suspect them to be fraudulent, then work with us,

contact, and we'll look at what additional prevention methods we can put in place.

And then, finally, always engage with your payment service provider,

because there's also additional fraud screening that they might be able to provide

for card-not-present transactions.

Thanks so much. I think it's really good that we get both sides of the coin there

and those all sound like really important points for partner security to take into account.

So next, digging even further when it comes to customers,

is there anything Booking is doing to help safeguard them, and to get this rolling

Let's hand off to Valentina.

Yeah, so on the customer side, we have to make sure that customers feel they're safe and secure,

their investment is not at risk when they make a booking on our site.

To do this, we try to do a few things. So first of all,

we make sure that the information displayed on our site is accurate. Right.

So that they know exactly what to expect when they show up at the property.

And then we process the payments in a secure and compliant way

so that they know that this is, that their payment method is safe.

And then what we also do for society at large, I would say, and the industry,

is that we have to follow basically local regulations. Right.

And international regulations, the most important ones,

maybe are GDPR and PCI data security standards that we have to abide by.

In addition to this, we also do third-party assessments of our security controls by

an independent party to make sure that we are always up to date.

And we are also implementing the latest recommendations.

Valentina, thanks. I think that was all really useful information not just about partner support,

but also about how we protect our customers as well.

Ben, I'd love to hear a little bit more from you around practical examples,

of how we safeguard and support our customers. Take it away.

Yeah, great, thanks, Amir.

And let's walk through, I think,

some of the more practical ways that we're safeguarding our customers here at

we offer Two-Factor Authentication on customer accounts,

but that adds an additional layer of security to protect their information.

We also offer 24/7 security reporting channels for any suspicious calls,

emails, or even activity, on an account.

We have the Trust and Safety Resource Center,

which has tips and hints to protect and support both our partners and also our customers.

And then finally, we have a dedicated Customer Service Team,

operating 24/7 in over 40 languages, all around the world.

Fantastic, that all sounds like there's a lot of investment here, so even more to that,

I know our global partners really look to Booking to help them stay ahead.

And given both of your knowledge and expertise,

do you see any major long-term impacts on cyber security as a result of the pandemic today?

Yeah, I would like to speak about two different angles.

So one is, we do see a trend of more people working remotely for the long term. Right.

So in that sense, I think investing in better and secure Wi-Fi would be a good investment

because more customers will probably stay at your property to also work from there,

not only for vacation.

And then the other angle is prepare your employees also to work from anywhere.

The difference is, of course, they need to have their technology up to date,

making sure their antivirus software is updated and all of these things.

But also they need to be more trained on what social engineering tactics

or phishing attempts they might receive,

because being remote also means they wouldn't have any colleagues to check in with to make sure that

what they're being requested to do is legitimate.

Great, thank you, Valentina. Those are really great to be able to get some insight not only

on guests, but also on employees as well.

Ben, is there any more insight you could shed light on here?

Yes, sure. Look, not as cyber security focused, but I think what we've seen through the pandemic,

and as we work together towards recovery,

we must take time to sort of reflect on how much the hospitality industry has been impacted,

and how customer travel expectations have evolved.

So, as an industry we need to continue to explore

how we come together and focus on a broader range of security health and safety measures,

to build customer trust, tackle the cyber security risks we see,

and provide an even safer travel experience for our customers and partners.

Yeah, certainly all those really work together, I think,

to contribute to trust, and really insightful points from both of you. Thanks.

And moving on to our next section.

I'd love to you know, it's important to think about not always what will change,

but what won't change. The fundamentals, and the pillars, and the essentials.

So can you help our partners with any insights on this?

Valentina, I'll pass this off to you to begin.

Yeah, sure. So what won't change is that the target,

the data points, what the attackers are after are still the same.

So they would be looking at getting credit card information about the customers.

So it's quite important that you keep those details safe.

The attackers ways are still going to be the same.

So getting to your log-in credentials is still going to be quite

a key way in which attackers will get access to your information.

So make sure you use Two-Factor Authentication properly

and you check which devices have access to it.

Same for using individual accounts, as I said before,

and not sharing the credentials for those accounts with anyone.

And in general, just keep reporting to anything you see that might be suspicious.

So when you see something, just say something.

It's very important that we work together on this.

Fantastic. I think those points are all really cohesive,

and add a really good summary of a lot of what we covered today.

And so to close out our session and give partners a chance to hear some words of wisdom,

are there any closing remarks you'd love to share with our partners today? Listening.

Yeah, maybe I can start, I think, in my view, right.

Because trust is so key to the platform that we manage,

but it's also so key to the ecosystem,

We have to keep working together with our partners to make sure this trust is kept in

the whole journey for all parties involved.

Yeah, absolutely.

Yeah, look, I think following on from that, from trust and safety is core,

and so if we sort of take that away today,

that's really important as is, we're in this together, right.

And I spoke to that before, as an industry,

we need to come together and really look at how we better protect our customers

and their information, and then finally, report anything suspicious.

We're here available to help 24/7.

So you get that strange call, a weird email comes through with that sense of urgency.

Make sure to get in contact with us.

Great, thank you both, Valentina and Ben,

so much for joining me today and sharing all of your expert insights.

For more information about how protects your cyber security,

head to, and check out our Cybersecurity page under the Solutions tab.

The Description of Elevate masterclass: Protecting your business against online threats.