Cyber Security Risks in Aviation Businesses

might receive an email that appears to be from a company with which you have been doing business. Some spoofs might ask to share files with you from a cloud-based website. All details in the email might seem real—even the company logo and signature line—so it is important to ensure the context is appropriate to the matter at hand.

“We have seen spoofing from email addresses at actual companies, using real employee names and current matters,” said Paul Lange of Law Offices of Paul A. Lange, LLC, which specializes in aviation. “It all looks legit on the surface, but the context is not quite right. Empower your employees to hold off on replying until they can contact the supposed sender and verify the legitimacy of the email.”

One operator’s human resources manager received an email that appeared to be from a company employee asking for a new direct deposit form because his bank information had changed. Fortunately, the human resources manager asked another employee to send the requesting employee the form and did not just hit “reply.” This prompted the supposed requesting employee to ask why he was getting a new direct deposit form. If the human resources manager had simply replied to the original email, the hacker could have changed the employee’s bank information and received his future paychecks.

Financial fraud is another cyber security risk. Wire transfer fraud and check fraud are two concerns for businesses. For example, in one case of a brokered trip involving a $150,000 wire transfer from the broker, the wire transfer ended up being fraudulent. “Not a lot of Part 135 operators can sustain that sort of loss without it causing major harm to the business,” said Lange. “And if you do get burned on a wire transfer, establishing jurisdiction can be a challenge. In some cases, a broker might not have an easily identifiable physical address.”

Prevention and Risk Mitigation

An aviation business can establish policies and procedures to help prevent these intrusions or limit the impact of these incidents on the business. “The keys to avoiding email phishing and spoofing are training and empowerment,” said Lange.

All employees should be trained to identify signs of potential email hacking. While some signs—like misspelled words, improper grammar, and links to suspicious or unknown websites—are easy to spot, in many cases, the emails are properly spelled and well-written. However, receiving an email, seemingly out of context, should raise concerns. When not absolutely certain an email is legitimate, call the supposed sender to verify they sent the email before opening the link or attachment. Do not assume a link or attachment is legitimate just because you have received email from that individual in the past.

Tim Sullivan, Chief Operating Officer and Director of Operations at Chantilly Air, a Manassas, VA-based boutique aircraft management and charter company, requires employees to change passwords frequently and is implementing secondary authentication methods company-wide. Public WiFi use is allowed but certain precautions must be taken to protect company data, including usernames and password information.

“Is it a perfect system? No, but it does provide some level of protection,” explained Sullivan, who said prohibiting all public WiFi use is often impractical, especially for pilots and other employees who travel frequently.

Preventing financial fraud begins with KYC—Know Your Customer—a term used commonly in the legal and financial fields. Companies should properly vet potential aircraft management clients and charter clients.

Aviation Business Journal | Winter 2019/2020