Ticket to Fraud: Airline Industry Sees Increased Consumer Phishing Scams

Editor’s Note: This blog post was originally found on the Agari Email Security Blog.

By Armen Najarian

For many, there are few things more satisfying than receiving an email confirmation for a flight just booked to a tropical location for a much-needed vacation. Most people love traveling, especially to favorite destinations or to explore new locales. The opposite of that feeling? The immediate pang of anxiety a consumer feels when getting a notification for a ticket that they in fact never purchased.

It’s that exact sense of panic that criminals rely on to pull off phishing scams that impersonate trusted airline brands, and these scams are only growing in number and frequency.

Flights to Nowhere Enable Phishing Attacks

Once the recipient does so, they are led to another website asking them to put in their financial details to take part in a cryptocurrency investment scheme, with promises of fantastic rates of return. Needless to say, those who fall for it will surely never see that money again. And while many would not fall for this type of clear scam, the fact of the matter is that many do. If it weren’t lucrative, cybercriminals would not invest their time and energy in creating the scam and following through with these phishing emails impersonating large airlines.

This example is, of course, part of a wider issue. Fraud accounts for billions of dollars in losses per year for the airline industry alone. It’s actually pretty easy to figure out why criminals have targeted the airline industry — we live in a world where it is easy and convenient to purchase travel tickets online or via a mobile app. The process has become so digital that it is ripe for targeting by bad actors.

Cutting Off Cybercriminals at the Pass

Crucially, DMARC is designed to authenticate outbound emails using your exact domain, across the entire email ecosystem, including third-party partners as well as various business units. But DMARC only works if you use it — and that’s an issue that spans verticals.

According to our most recent data, only 6.75 million domains use DMARC, out of a whopping 328 million domains examined. That’s a little over two percent, and the number isn’t much better for some of the largest companies in the world. In fact, only eleven percent of the Fortune 500 has a DMARC record set to p=reject, the level needed to stop impersonation-based attacks.

The numbers are similar across the FTSE 100 and ASX 100 at fourteen and seven percent respectively. All this to say that the vast majority of the world’s most prominent companies are vulnerable to email-based impersonation attacks targeting their customers.
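
As an added example (not from the original post or from Agari), the Python sketch below parses the TXT strings published at `_dmarc.<domain>` and reports whether the record reaches the p=reject level described above, including the `pct` and `sp` tags that can quietly weaken it. The sample records and `.example` domains are constructed, the function names are hypothetical, and treating a missing or unrecognized `p`/`sp` value as invalid is a simplification of receiver behavior.

```python
import re

POLICIES = ("none", "quarantine", "reject")  # weakest to strongest

def parse_dmarc(txt):
    """Return the tag dict of one TXT string, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0]):
        return None  # v=DMARC1 must be the first tag (RFC 7489)
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def assess(txt_records):
    """Return (level, caveats) for the TXT strings published at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "no-dmarc", []
    if len(records) > 1:
        return "invalid", ["more than one DMARC record; receivers apply none of them"]
    tags = records[0]
    policy = tags.get("p", "").lower()
    sp = tags.get("sp", policy).lower()  # subdomain policy defaults to p
    if policy not in POLICIES or sp not in POLICIES:
        return "invalid", ["missing or unrecognized p=/sp= value"]
    caveats = []
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        caveats.append(f"pct={pct}: policy applies to only part of failing mail")
    if POLICIES.index(sp) < POLICIES.index(policy):
        caveats.append(f"sp={sp}: subdomains get a weaker policy")
    return policy, caveats

def blocks_impersonation(txt_records):
    """True only for full enforcement: p=reject with no weakening tags."""
    return assess(txt_records) == ("reject", [])

# Constructed sample records (hypothetical domains, not real lookups).
SAMPLES = {
    "airline-a.example": ["v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@airline-a.example"],
    "airline-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@airline-b.example"],
    "airline-c.example": ["v=DMARC1; p=reject; pct=25; sp=none"],
    "airline-d.example": ["v=spf1 include:_spf.airline-d.example ~all"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, assess(txt), blocks_impersonation(txt))
```
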

Automating Highly Manual Processes to Fly Free

People love to complain about airlines. If Forbes is to be believed, it’s one of the top five industries people hate. And while no one can fix flights delayed due to weather or some turbulence across the Atlantic, email security is in your control. Ensure your customers won’t complain about falling victim to a phishing attack, and keep your airline out of the email security headlines.

Discover more about how airlines can use DMARC to protect their customers with our Getting Started with DMARC Guide.

Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.
