Attempts by threat actors to steal or impersonate a tribal casino’s brand, image, and employees are growing, and every tribe needs to be aware of the danger it faces. That was the message from Brent Hutfless, who leads the information-security program for Wind Creek Hospitality, the gaming and hospitality enterprise of the Poarch Band of Creek Indians in Alabama.
“Casinos, hospitality, and entertainment are frequent targets,” Hutfless said at the TribalNet Conference & Tradeshow that ended on Thursday in Reno. “Why? Because we have money and are associated with celebrities and a particular type of lifestyle. People imagine the jet-setting crowd coming into the casinos and blowing millions of dollars.”
There are a lot of nefarious activities.
Criminals are using email to impersonate executives and trick the staff into transferring funds or revealing sensitive information. Fraudsters are sending direct messages on social media, posing as marketing or support teams, and carrying out help-desk attacks in which they create an environment to act as the good guys.
“We actually had someone calling the solution center and pretending to be one of our database administrators, who happens to be good friends with the lady who answered his call,” Hutfless said. “The database administrator he was posing as is a woman that she’s been friends with for years. It was a pretty entertaining conversation.”
Attackers are targeting the accounting people, chief financial officers, and the IT staff. A CFO might get a notice from IT about suspicious activity involving their email. Deep-fake audio and video involving key executives has also happened to companies, Hutfless said.
“Why do these attacks matter?” Hutfless asked. “The online scams are shifting from crude phishing to sophisticated impersonations. Many of us in security and IT already see that. There was a session on all the great stuff AI is going to bring us. We’re seeing the bad stuff AI is already bringing us. It used to be emails with bad punctuation and spelling and now it’s like this person doesn’t even speak this well. The attacks are exploiting our trust in familiar faces and brands and AI makes it really easy.”
The attackers do this to gain access to the casino’s systems, where they can capture data, shut down operations, and hold the casino hostage for ransom.
“We have a bigger team than you and we deal with this all the time,” Hutfless told the audience of IT and security professionals.
Fake Facebook pages and ads hype exclusive online or VIP access to Wind Creek Casinos, even though the only state for legal real-money gaming online at any of their casinos is Pennsylvania. These come from accounts that have limited history or activity but good-looking photos, he said.
Hutfless has been contacted by people who said they’ve lost $2,000 on their tribe’s non-existent online-gambling site, and that damages their brand’s reputation. He asked whether anyone in the audience has online gaming, and none said they did.
“You do and just don’t know it,” Hutfless said, prompting laughter. “Your customers believe it’s real. They see your brand on it and they trust your brand. It’s hard to say if we’ve lost their trust. That person who lost $2,000 online thought they were spending money with us. When they found out it wasn’t us, maybe they don’t hold us accountable, but they’re probably wondering why we doing anything about this stuff. This is how we lose control of our brand and reputation.”
Hutfless admitted he didn’t have the solutions to these problems “to make this all go away. You need to collaborate. There’s some hard work ahead.”
That means collaborating with the marketing team or whoever handles websites and social-media platforms. They need to set up instructions for what to do when they see fake information and talk to the legal team and risk officer.
“This is a full-frontal attack on your organization and brand and you need to respond accordingly,” Hutfless said.
Some efforts to alleviate attacks on brands include awareness training for employees. Staff should monitor for fake profiles on social media and work with platforms to remove imposter content.
“Most of the organizations you deal with from a marketing and social-media standpoint offer a service that includes where it monitors and gives reports,” Hutfless said. “There’s AI-powered domain and phishing monitoring and you can deploy tools that can continuously scan for look-alike domains and squatting and alert you to suspicious content and threats.”
In addition, brand and social-media protection services are available.
It’s important to have the legal team set up to take down content and be willing to pursue cases in court against the social-media platforms, companies that take these ads for revenue.
“It’s hard to come up here and give you information about something that you can’t immediately affect,” Hutfless said. “I wish I could give you the quick and easy button.”