Philippine Airlines recently faced a subtle yet very damaging cyber attack involving fake
flight promotions. Rather than taking users to the airline’s official site,
fraudulent ads lured users to an impersonated version that harvested credit
card details.
The airline was forced to warn
customers that no such deal exists and that pursuing these false offers
would put them at risk of identity theft and fraud. Unfortunately, this isn’t
an isolated incident. United Kingdom-based Lloyds Bank warns that holiday
purchase scams have risen
by 7% over the past year, with victims losing an average of £765 (over
$950).
In fact, sophisticated brand impersonation attacks are rising across industries
and, so far, businesses – including airlines – haven’t found effective
solutions for tackling them, beyond relying on customers to recognize the signs
of scams themselves.
Financial regulators are increasingly holding banks and fintech
companies accountable for reimbursing customers defrauded by these kinds of
scams. Airlines shouldn’t be surprised if similar legislation comes their way.
If it does, they’ll be required to prove that they’re taking reasonable
measures to protect their customers from fraud – and to compensate them if
those protections fail.
Regulations that prioritize customer protection are on the rise
As website impersonation attacks increase in frequency and sophistication,
legislation is holding spoofed brands responsible for failing to safeguard
customers. For example, the INFORM
Consumers Act requires online marketplaces to verify the identities of
suspicious e-commerce sellers to deter criminal behavior. In the U.K., the Financial
Services and Markets Act requires banks to reimburse people who fell victim
to scammers.
However, advances in artificial intelligence now make it easier and faster for
fraudsters to spoof branded digital assets, including apps and websites, in
ways that are more convincing than ever. It doesn’t help that bad actors move
quickly, yet it can take weeks for fraud victims to become aware of their loss
or privacy breach. By the time anyone realizes that a scam is underway, the
criminals have already moved on.
Air travel cyber fraud is reaching new heights
Similar customer-centric legislation is expected to hit the air travel industry, fast
becoming a favored target for cyber fraud. Lloyds Bank found that flight
tickets are the most common fake item sold relating to holidays. Most flights
are booked online, cross-border and through third-party vendors, making it
easy for scammers to avoid raising skepticism and to dupe consumers with
convincing false materials.
Part of the reason for the success of these scams is that climbing post-pandemic
prices led customers to turn to social media and lesser-known websites to look
for cheaper deals. In addition, rising fees don’t always raise suspicion since
air travel companies often do add charges at the last minute. It’s not
surprising, for example, that one scam victim believed
that in a matter of minutes the cost of his JetBlue flight had gone up by over
$100.
Scammers are employing a whole range of methods, including phishing attacks aimed at
employees and customers. In addition to fake emails and spoofed websites,
criminals are also messaging
customers who complain on social media about flight disruptions, inviting
them to contact them privately to “rebook” their flight.
Fraudsters buy ads that look like genuine air travel company links and make sure they sit
at the top of Google search results, using techniques such as SEO poisoning.
They even edit phone
numbers on Google to redirect customers to their scam lines.
If a customer is fooled by a fraudulent site and enters their login credentials,
they are immediately vulnerable to account takeover (ATO) attacks. Bad actors
can then access their bank account, use their personal data for identity theft,
or – in a crime specific to the air travel industry – exploit
airline loyalty and frequent flier programs to steal miles, points or
their equivalent value.
Companies are getting squeezed
Despite increases in the price of air travel, airlines are struggling to turn a profit.
The rising cost of raw materials and fierce competition, among other factors,
are making it difficult for many to bounce back from the COVID-19
pandemic.
Airlines already lose approximately 1.2% of their mobile and website revenue to fraud every year,
amounting to at least $1 billion annually. In addition, reputation damage is
estimated to be around 140%
of any announced loss. Airlines overspend on expensive tools that scan for
impersonated versions of their sites and take them down, but these treat only the
symptoms of the problem, not the cause, and customers continue to get
scammed. If companies have to start reimbursing every fraud victim, it’s
unclear how many would survive.
Legislation around fraud in the finance industry focuses on companies’ failure to
adequately protect customers from scammers. If airlines start taking proactive
steps now, any future schemes are much less likely to succeed.
What can airlines do to protect their customers?
There are a number of steps that airlines can take to help prevent their customers
from falling victim to fraud. For starters, they should improve their baseline
account security for both customers and employees, through methods such as
adding multi-factor authentication (MFA).
Fraud detection tools using advanced analytics and AI should also be deployed,
whether in-house or outsourced to fraud specialists. These will safeguard brand
digital assets against impersonation and give more visibility into attack scope
and magnitude, even identifying individual victims. Real-time protection
systems are capable of warning both the impersonated organization (in this
case, the airline) and clients visiting the fraudulent sites, thus allowing
businesses to avoid any accusations of inadequate customer protection.
It also helps to integrate your booking platform into a single website. You need
to be able to track all your ticket sales in real time, whether they take place
online, offline or via third parties, and monitor them through a central
location. This way, you can spot early signs of suspicious activity.
Educating consumers to spot the warning signs of potential scams is still crucial, even
if it’s not enough as a stand-alone strategy. It’s important to alert customers
to red flags like typos, unofficial URLs or email addresses, and language of
urgency. Publicize due diligence measures like checking for official insignia
on a site and only entering data on secure pages, and establish clear methods
for customers to raise the alarm about possible scams.
Every airline should have an incident management process, including a first-response
team trained for difficult situations. You’ll need to foster good relationships
with partner organizations and governmental fraud teams all over the world, so
you can crack down on crime in any location.
Airlines cannot afford to ignore cyber fraud
With cyber fraud on the rise in air travel, and the looming threat of legislation
holding companies accountable, airlines need to move quickly to implement
proactive customer protection. With robust cyber defenses and fraud detection
tools, airlines can reduce the number of successful digital impersonation
attacks, while keeping customer information safe from those that do occur.
These are the kinds of anti-fraud measures airlines can and must take to demonstrate
that they are taking customer protection seriously. That way, even if strict
legislation is adopted, they should be well placed to withstand it.
About the author …
Mazin is the co-founder, chief executive officer and chairman of Memcyco, a website impersonation
detection and protection solution.