Philippine Airlines recently faced a subtle yet very damaging cyber attack involving fake flight promotions. Rather than taking users to the airline’s official site, fraudulent ads lured users to an impersonated version that harvested credit card details.
The airline was forced to warn customers that no such deal exists and that pursuing these false offers would put them at risk of identity theft and fraud. Unfortunately, this isn’t an isolated incident. United Kingdom-based Lloyds Bank warns that holiday purchase scams have risen by 7% over the past year, with victims losing an average of £765 (over $950).
In fact, sophisticated brand impersonation attacks are rising across industries and, so far, businesses, including airlines, haven’t found effective solutions for tackling them beyond relying on customers to recognize the signs of scams themselves.
Financial regulators are increasingly holding banks and fintech companies accountable for reimbursing customers defrauded by these kinds of scams. Airlines shouldn’t be surprised if similar legislation comes their way. If it does, they’ll be required to prove that they’re taking reasonable measures to protect their customers from fraud, and to compensate them if those protections fail.
Regulations that prioritize customer protection are on the rise
As website impersonation attacks increase in frequency and sophistication, legislation is holding spoofed brands responsible for failing to safeguard customers. For example, the INFORM Consumers Act requires online marketplaces to verify the identities of suspicious e-commerce sellers to deter criminal behavior. In the U.K., the Financial Services and Markets Act requires banks to reimburse people who fell victim to scammers.
However, advances in artificial intelligence now make it easier and faster for fraudsters to spoof branded digital assets, including apps and websites, in ways that are more convincing than ever. It doesn’t help that bad actors move quickly, yet it can take weeks for fraud victims to become aware of their loss or privacy breach. By the time anyone realizes that a scam is underway, the criminals have already moved on.
Air travel cyber fraud is reaching new heights
Similar customer-centric legislation is expected to hit the air travel industry, which is fast becoming a favored target for cyber fraud. Lloyds Bank found that flight tickets are the most common fake item sold relating to holidays. Most flights are booked online, cross-border and through third-party vendors, making it easy for scammers to avoid raising skepticism and to dupe consumers with convincing false materials.
Part of the reason for the success of these scams is that climbing post-pandemic prices led customers to turn to social media and lesser-known websites to look for cheaper deals. In addition, rising fees don't always raise suspicion since air travel companies often do add charges at the last minute. It’s not surprising, for example, that one scam victim believed that in a matter of minutes the cost of his JetBlue flight had gone up by over $100.
Scammers are employing a whole range of methods, including phishing attacks aimed at employees and customers. In addition to fake emails and spoofed websites, criminals are also messaging customers who complain on social media about flight disruptions, inviting them to contact them privately to “rebook” their flight.
Fraudsters buy ads that look like genuine air travel company links and make sure they sit at the top of Google search results, using techniques such as SEO poisoning. They even edit phone numbers on Google to redirect customers to their scam lines.
If a customer is fooled by a fraudulent site and enters their login credentials, they are immediately vulnerable to account takeover (ATO) attacks. Bad actors can then access their bank account, use their personal data for identity theft, or – in a crime specific to the air travel industry – exploit airline loyalty and frequent flier programs to steal miles, points or their equivalent value.
Companies are getting squeezed
Despite increases in the price of air travel, airlines are struggling to turn a profit. The rising cost of raw materials and fierce competition, among other factors, are making it difficult for many to bounce back from the COVID-19 pandemic.
Airlines already lose approximately 1.2% of their mobile and website revenue to fraud every year, amounting to at least $1 billion annually. In addition, reputation damage is estimated to be around 140% of any announced loss. Airlines overspend on expensive tools that scan for impersonated versions of their sites and take them down, which treats only the symptoms of the problem, not the cause, while customers continue to get scammed. If companies have to start reimbursing every fraud victim, it’s unclear how many would survive.
Legislation around fraud in the finance industry focuses on companies’ failure to adequately protect customers from scammers. If airlines start taking proactive steps now, any future schemes are much less likely to succeed.
What can airlines do to protect their customers?
There are a number of steps that airlines can take to help prevent their customers from falling victim to fraud. For starters, they should improve their baseline account security for both customers and employees, through methods such as adding multi-factor authentication (MFA).
Fraud detection tools using advanced analytics and AI should also be deployed, whether in-house or outsourced to fraud specialists. These will safeguard brand digital assets against impersonation and give more visibility into attack scope and magnitude, even identifying individual victims. Real-time protection systems are capable of warning both the impersonated organization (in this case, the airline) and clients visiting the fraudulent sites, thus allowing businesses to avoid any accusations of inadequate customer protection.
It also helps to integrate your booking platform into a single website. You need to be able to track all your ticket sales in real time, whether they take place online, offline or via third parties, and monitor them through a central location. This way, you can spot early signs of suspicious activity.
Educating consumers to spot the warning signs of potential scams is still crucial, even if it’s not enough as a stand-alone strategy. It’s important to alert customers to red flags like typos, unofficial URLs or email addresses, and language of urgency. Publicize due diligence measures like checking for official insignia on a site and only entering data on secure pages, and establish clear methods for customers to raise the alarm about possible scams.
Every airline should have an incident management process, including a first-response team trained for difficult situations. You’ll need to foster good relationships with partner organizations and governmental fraud teams all over the world, so you can crack down on crime in any location.
Airlines cannot afford to ignore cyber fraud
With cyber fraud on the rise in air travel, and the looming threat of legislation holding companies accountable, airlines need to move quickly to implement proactive customer protection. With robust cyber defenses and fraud detection tools, airlines can reduce the number of successful digital impersonation attacks, while keeping customer information safe from those that do occur.
These are the kinds of anti-fraud measures airlines can and must take to demonstrate that they are taking customer protection seriously. That way, even if strict legislation is adopted, they should be well placed to withstand it.