Almost All Airlines Are Vulnerable to Email Fraud Attacks

• The vast majority of airlines around the globe aren’t using the DMARC email authentication standard.
• Only 7% of them do, leaving the rest vulnerable to domain and email spoofing actors that may trick customers.
• It is unacceptable for big airlines to still not have email authentication systems in place even after their operational hiatus.

Airlines operating at a global level are just now tentatively returning to business conditions that resemble something close to normality. Still, this return isn’t happening with the strongest guarantees. If one was to add Proofpoint’s warning about susceptibility to email fraud attacks, the situation becomes even worse.

According to the cybersecurity experts’ report, a staggering 93% of the 296 global airlines studied are not compliant with the strictest level of DMARC protection guidelines, and 61% don’t even bother to publish any DMARC record. This leaves only a mere 7% that is operating in a properly secured manner.

DMARC stands for “Domain-Based Message Authentication, Reporting, and Conformance,” and it’s a standard whose purpose is to protect entities from email spoofing. DMARC adds a step of SPF (Sender Policy Framework) authentication and/or DKIM (DomainKeys Identified Mail) authentication and alignment. This way, malicious actors who engage in domain spoofing in order to reach out to recipients via email for phishing or scamming purposes will see their messages failing to pass DMARC checks and getting rejected.

In the best-case scenario for the actors, these messages end up in the recipient’s spam folder. Not having DMARC means that anyone can potentially send emails from spoofed domains and possibly trick the recipients.

The worst-performing airlines on that part are the 41 companies based in China and North Asia, as none of them cares to even bother with DMARC. Notably, European airlines aren’t doing much better, as 92 of the 101 airlines studied aren’t blocking fraudulent emails from reaching their customers. The most responsible-acting airlines are from APAC and the Americas, with 11% of them using DMARC.

In general, though, the situation is pretty much disheartening, and even though airlines had all the time and comfort to fix these “security details” during the global COVID-19 lockdown, they didn’t.

Once again, the burden of security is passed over to the customers in its entirety. If airlines refuse to implement DKIM and SPF, then you can do a couple of things to check the authenticity of the messages that supposedly come from them. For example, you can check the headers and the message source. If the return path isn’t the same as the sender’s email address, the message is spoofed.

Another check would be on the originating IP address. This would require some investigation, as airlines could be sending emails from anywhere really, but if you get an American Airlines message from an IP that points to Krasnoyarsk, Russia, then something phishy might be going on.