Airline-mimicking fraud | Kaspersky official blog

Airline-mimicking fraud | Kaspersky official blog

/in

Our experts have detected a fraudulent email campaign on behalf of well-known airlines and airports. Since the beginning of September, our solutions have detected and blocked thousands of similar emails in which scammers posed as employees of Amsterdam Schiphol, Emirates Airlines, Etihad Airways, Lufthansa, Qatar Airways, and other well-known large aviation-related companies. Our experts then started discovering similar mailings exploiting the names of companies in the oil and gas sector. The attackers are imitating normal business correspondence, pretending to be looking for new partners and targeting companies of various sizes and from various industries. The essence of the scheme boils down to convincing the recipients of emails to transfer money to the fraudsters’ accounts.

How the fraudulent scheme works

Attackers try to draw the victim into a correspondence exchange. At the first stage, they send the victim a rather innocuous email on behalf of the procurement department of a major airline or airport, in which they announce the start of a partnership program for 2025/2026, and offer them mutually beneficial cooperation. If the recipient responds, the second stage begins: they send several documents to divert attention — registration forms for a new partner, non-disclosure agreements, and so on.

These emails don’t contain malicious attachments or links, and there are no hidden scripts in the documents, so basic defense mechanisms don’t always block such correspondence. Attackers use only social engineering techniques. In the next letter they ask to pay a certain “mandatory refundable deposit as an expression of interest” of around several thousand dollars. The purpose of this payment is supposedly to secure a priority place on the schedule for consideration of partnership proposals. And the authors of the email give assurances that once the partnership agreement is finalized the money will be returned.

How to realize there’s something wrong with the email

The letters used in this campaign look very plausible, but some inconsistencies can still be detected with the naked eye. The first thing to look closely at is the sender’s e-mail address. It often contains the name of the organization whose employees the scammers are imitating. But if you search for the company’s real website and examine addresses listed at the contact section, you’ll see that the legitimate address of the airport or airline employees have a different domain name. Sometimes attackers don’t bother to keep the From field plausible at all, and simply write the name of the imitated organization in the displayed name field, so you can see a completely unrelated domain in the email address field.

The general rule for business correspondence that for some reason raises suspicion: if there are any doubts, you can write a letter to the address specified on the official website of the company and clarify whether an affiliate program mentioned in the emails really exists, whether the sender works for this company, and whether the address used in a suspicious email is their real email.

But the main red flag is the offer to make a deposit to “express interest”. Respectable companies don’t work that way. They choose partners, suppliers, and contractors after a serious and comprehensive business reputation check — not based on the ability to transfer a small (by their standards) amount of money.

How to protect your company from fraudsters

Ideally, you should implement solutions that prevent fraudulent, phishing and malicious emails from reaching employee inboxes in the first place. We recommend installing strong protection at the corporate email gateway level.

Another important aspect of protecting your company from cyberthreats is to increase employee awareness of scammers’ tricks and other cyberthreats. Particular attention should be paid to training for finance, sales and procurement staff. Comprehensive training sessions can be conducted, for example, via our online Kaspersky Automated Security Awareness Platform.

Kaspersky official blog – ​Read More