Email Security Blog

Ticket to Fraud: Airline Industry Sees Increased Consumer Phishing Scams

Armen Najarian June 26, 2019 DMARC

For many, there are few things more satisfying than receiving an email confirmation for a flight just booked to a tropical location for a much-needed vacation. Most people love traveling, especially to favorite destinations or to explore new locales. The opposite of that feeling? The immediate pang of anxiety a consumer feels when getting a notification for a ticket that they in fact never purchased.

It’s that exact sense of panic that criminals are relying on to successfully pull off a growing number of phishing scams that seek to impersonate trusted airline brands. And these are only growing in number and frequency.

Flights to Nowhere Enable Phishing Attacks

One of the latest scams making the rounds involves fake messages being sent that seek to mimic a ticket confirmation email—usually for an international flight. The phisher hopes the recipient panics, thinking that someone else has purchased tickets using their credentials, in hopes of getting them to click through before they have a chance to think rationally.

Once the recipient does so, they are led to another website asking them to put in their financial details to take part in a cryptocurrency investment scheme, with the promises of fantastic rates of return. Needless to say, those who do fall for it will surely never see that money again. And while many would not fall for this type of clear scam, the fact of the matter is that many do. If it wasn’t lucrative, cybercriminals would not invest their time and energy in creating the scam and following through with these phishing emails impersonating large airlines.

This example is, of course, part of a wider issue. Fraud accounts for billions of dollars in losses per year for the airline industry alone. It’s actually pretty easy to figure out why criminals have targeted the airline industry—we live in a world where it is easy and convenient to purchase travel tickets online or via a mobile app. The process has become so digital that it is ripe for targeting by bad actors.

Cutting Off Cybercriminals at the Pass

This is why it’s critical that airlines, in particular, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) protocols, which provide the ability to protect your brand from unauthorized use and domain spoofing. DMARC is an open standard that aims to ensure only authorized senders can use an organization’s domain name in emails; implementing the policy makes it harder for cybercriminals to pull off the types of phishing scams mentioned above—as it takes away the ability to impersonate the domain.

Crucially, DMARC is designed to authenticate outbound emails using your exact domain, across the entire email ecosystem, including third-party partners as well as various business units. But DMARC only works if you use it—and that’s an issue that spans verticals.

According to our most recent data, only 6.75 million domains use DMARC, out of a whopping 328 million domains examined. That’s a little over two percent, and the number isn’t much better for some of the largest companies in the world. In fact, only eleven percent of the Fortune 500 has a DMARC record set to p=reject, the level needed to stop impersonation-based attacks.

The numbers are similar across the FTSE 100 and ASX 100 at fourteen and seven percent respectively. All this to say that the vast majority of the world’s most prominent companies are vulnerable to email-based impersonation attacks targeting their customers.

Automating Highly Manual Processes to Fly Free

For large and more complex organizations, DMARC protocols can be difficult to implement. But that is simply no excuse for some of the largest business-to-consumer companies in the world. By using technology that uses advanced machine learning techniques to detect and cut-off phishing emails and automates the implementation process, cybercriminals will have to massively change their tactics to defraud customers using your domain.

People love to complain about airlines. If Forbes is to be believed, it’s one of the top five industries people hate. And while no one can fix flights delayed due to weather or some turbulence across the Atlantic, email security is in your control. Ensure your customers won’t complain about falling victim to a phishing attack, and keep your airline out of the email security headlines.

Discover more about how airlines can use DMARC to protect their customers with our Getting Started with DMARC Guide.

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

September 26, 2019 Doug Jones

How to Prevent Phishing Attacks that Target Your Customers with DMARC and Office 365

Editor's Note: This post originally appeared on the Microsoft Security blog and has been republished…

Agari Blog Image

September 16, 2019 Jacob Rideout

5 Big Myths about DMARC, Debunked

With email attacks contributing to billions of lost dollars each year, a growing number of…

Agari Blog Image

September 6, 2019 Fareed Bukhari

Ensuring DMARC Compliance for Third-Party Senders

Marketo. Salesforce. Eloqua. Bamboo HR. Zendesk. It only takes a minute to realize how much…

Agari Blog Image

August 8, 2019 Fareed Bukhari

DMARC Quarantine vs. DMARC Reject: Which Should You Implement?

You did it! You implemented DMARC and authenticated your email domains. This is no easy…

Agari Blog Image

June 13, 2019 Fareed Bukhari

DMARC Adoption Worldwide Slows with Australia's ASX 100 Remaining Most Vulnerable

DMARC adoption rose a tepid 1% in the first quarter of the year, with the…

mobile image