Ticket to Fraud: Airline Industry Sees Increased Consumer Phishing Scams

4 min readJun 26, 2019


Editor’s Note: This blog post was originally found on the Agari Email Security Blog.

By Armen Najarian

For many, there are few things more satisfying than receiving an email confirmation for a flight just booked to a tropical location for a much-needed vacation. Most people love traveling, especially to favorite destinations or to explore new locales. The opposite of that feeling? The immediate pang of anxiety a consumer feels when getting a notification for a ticket that they in fact never purchased.

It’s that exact sense of panic that criminals are relying on to successfully pull off a growing number of phishing scams that seek to impersonate trusted airline brands. And these are only growing in number and frequency.

Flights to Nowhere Enable Phishing Attacks

One of the latest scams making the rounds involves fake messages being sent that seek to mimic a ticket confirmation email — usually for an international flight. The phisher hopes the recipient panics, thinking that someone else has purchased tickets using their credentials, in hopes of getting them to click through before they have a chance to think rationally.

Once the recipient does so, they are led to another website asking them to put in their financial details to take part in a cryptocurrency investment scheme, with the promises of fantastic rates of return. Needless to say, those who do fall for it will surely never see that money again. And while many would not fall for this type of clear scam, the fact of the matter is that many do. If it wasn’t lucrative, cybercriminals would not invest their time and energy in creating the scam and following through with these phishing emails impersonating large airlines.

This example is, of course, part of a wider issue. Fraud accounts for billions of dollars in losses per year for the airline industry alone. It’s actually pretty easy to figure out why criminals have targeted the airline industry — we live in a world where it is easy and convenient to purchase travel tickets online or via a mobile app. The process has become so digital that it is ripe for targeting by bad actors.

Cutting Off Cybercriminals at the Pass

This is why it’s critical that airlines, in particular, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) protocols, which provide the ability to protect your brand from unauthorized use and domain spoofing. DMARC is an open standard that aims to ensure only authorized senders can use an organization’s domain name in emails; implementing the policy makes it harder for cybercriminals to pull off the types of phishing scams mentioned above — as it takes away the ability to impersonate the domain.

Crucially, DMARC is designed to authenticate outbound emails using your exact domain, across the entire email ecosystem, including third-party partners as well as various business units. But DMARC only works if you use it — and that’s an issue that spans verticals.

According to our most recent data, only 6.75 million domains use DMARC, out of a whopping 328 million domains examined. That’s a little over two percent, and the number isn’t much better for some of the largest companies in the world. In fact, only eleven percent of the Fortune 500 has a DMARC record set to p=reject, the level needed to stop impersonation-based attacks.

The numbers are similar across the FTSE 100 and ASX 100 at fourteen and seven percent respectively. All this to say that the vast majority of the world’s most prominent companies are vulnerable to email-based impersonation attacks targeting their customers.

Automating Highly Manual Processes to Fly Free

For large and more complex organizations, DMARC protocols can be difficult to implement. But that is simply no excuse for some of the largest business-to-consumer companies in the world. By using technology that uses advanced machine learning techniques to detect and cut-off phishing emails and automates the implementation process, cybercriminals will have to massively change their tactics to defraud customers using your domain.

People love to complain about airlines. If Forbes is to be believed, it’s one of the top five industries people hate. And while no one can fix flights delayed due to weather or some turbulence across the Atlantic, email security is in your control. Ensure your customers won’t complain about falling victim to a phishing attack, and keep your airline out of the email security headlines.

Discover more about how airlines can use DMARC to protect their customers with our Getting Started with DMARC Guide.




Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.