Commentary

Fly By Night: Airline Emails Wide Open To Cyber Fraud, Study Finds

Airlines, desperate to get people flying again, are leaving their customers exposed to email fraud. 

Of the 296 member airlines in the International Air Transport Association (IATA), 61% have not implemented DMARC (Domain-based Message Authentication, Reporting and Conformance), the standard email validation protocol, according to an analysis by Proofpoint. The IATA represents 82% of total air travel.

Worse, even with DMARC compliance such as it is, 93% of global airlines have not implemented “Reject,” the strictest level of DMARC, which blocks fraudulent emails.  

This is scary because of the sheer volume of email being sent at this point, both promotional and transactional.

People are awaiting communications from airlines about bookings, flight changes and offers, yet only 7% of airlines are protecting their email contacts from phishing, impersonation attacks and misuse of corporate domains.

And you thought lack of social distancing on flights was the main hassle related to flying.


China and North Asia are the worst, with 85% having no published DMARC policy at all. And 100% are failing to block fraudulent emails from reaching customers. 

And 70% of the airlines in the Asia-Pacific region have no DMARC policy, while 89% cannot head off fraudulent emails.

Next on the global list are airlines in Europe, the Middle East and Africa, 57% of which have at least some level of DMARC enforcement.

Then there are the Americas, where 89% of the carriers are not protecting customers and only 43% have any DMARC policy at all.

DMARC authenticates an email sender’s identity prior to allowing the message to reach the recipient. It relies on the DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards.
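
To make the gap between publishing a DMARC record and enforcing "Reject" concrete, here is an added Python example (not from Proofpoint, Valimail or the original article) that classifies DMARC TXT records the way a domain audit would. The sample records, the .example domains and the category names are constructed for illustration; the parsing rules follow RFC 7489.

```python
# Constructed sample TXT lookups for _dmarc.<domain>; the .example domains
# are placeholders, not airlines from the study. None means no record.
SAMPLE_RECORDS = {
    "airline-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@airline-a.example",
    "airline-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@airline-b.example",
    "airline-c.example": "v=DMARC1; p=reject; pct=50",
    "airline-d.example": "v=spf1 include:_spf.example.net -all",  # SPF, not DMARC
    "airline-e.example": None,
    "airline-f.example": "v=DMARC1; p=rejct",  # misspelled policy value
}

def parse_dmarc(txt):
    """Return a tag->value dict, or None if txt is not a DMARC record."""
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    if not parts:
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag with no "="
        tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489: the version tag must be first and exactly "DMARC1".
    if parts[0].partition("=")[0].strip().lower() != "v" or tags["v"] != "DMARC1":
        return None
    return tags

def classify(txt):
    """Map a record to a category (names are this example's own)."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid-policy"  # receivers will not block on this record
    if policy == "none":
        return "monitor-only"  # reports only, spoofed mail still delivered
    # pct below 100 applies the policy to only a share of failing mail.
    if policy == "reject" and tags.get("pct", "100") == "100":
        return "reject"
    return "partial-enforcement"

def summarize(records):
    """Return per-domain categories and the share of domains at full reject."""
    results = {d: classify(t) for d, t in records.items()}
    at_reject = sum(1 for c in results.values() if c == "reject")
    return results, at_reject / len(results)

if __name__ == "__main__":
    categories, share = summarize(SAMPLE_RECORDS)
    for domain, category in categories.items():
        print(f"{domain:20} {category}")
    print(f"at reject: {share:.0%}")
```

Only the first sample domain would have spoofed mail refused outright; the others either publish nothing usable or leave some or all failing mail deliverable.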

The U.S. government, thanks to a requirement by the Department of Homeland Security, far outpaces airlines and just about all other businesses when it comes to DMARC -- 79% of federal government domains have DMARC, and 93% are at the enforcement level, according to a study conducted earlier this year by Valimail.

Among the businesses that have reached the DMARC enforcement stage are global banks and financial services companies (33%), Fortune 500 companies (28%), tech firms (24%), and media outfits (22%), Valimail says.

The only advice we can give to travelers is to be careful which emails you open and respond to. If you get a communication that looks weird, about loyalty points or anything, skip the email and go right to the website and log into your account. And wear a mask when you go.
