Airline brands become launchpads for phishing, crypto fraud

Airline brands sit at the center of peak travel booking cycles, loyalty programs, and high value transactions. Criminal groups continue to register thousands of lookalike domains tied to these brands, targeting travelers, employees, and business partners. Recent threat intelligence from BforeAI’s PreCrime Labs identifies sustained impersonation activity across the global commercial airline sector.


Between September and December 2025, researchers tracked 1,799 suspicious domains linked to more than 35 airline brands. The broader dataset shows more than 11,600 domains targeting the airline industry across multiple abuse categories. Generic flight related domains accounted for roughly 7,000 malicious registrations, exceeding counts observed across the wider online travel agency ecosystem during the prior year.

Attackers rely on high volume keyword combinations such as flight, airline, airfare, charter, and private jet to attract broad search traffic. Many domains combine multiple airline brand names under a single site to capture users searching for deals or booking information.

Brand impersonation across multiple abuse themes

Phishing remains the dominant theme. Domains frequently mimic booking portals, check in pages, and loyalty account logins. Keywords tied to tickets, rewards, points, and cards signal attempts to harvest credentials and payment information. Attackers also register domains that impersonate corporate partner portals, opening paths for business email compromise and payment diversion schemes.

Recruitment and vendor impersonation form another cluster of activity. Domains incorporating terms such as hiring, career, employee, and partner replicate airline job portals and onboarding systems. These sites solicit resumes, identity documents, and login credentials. In some cases, password protected pages create a sense of internal legitimacy. Airlines maintain extensive vendor networks across cargo, catering, and airport operations, creating a wide attack surface for vendor jacking campaigns.

Support themed impersonation rises during service disruptions. When flight cancellations or regulatory actions generate media attention, malicious help center domains appear that reference the affected airline and the incident. These portals request booking references, payment details, and account credentials. Campaign timing indicates coordination with public events to increase conversion rates.

Crypto and token themed fraud

Airline branding has entered cryptocurrency themed scams. One category includes fake airline coins and tokens that suggest a loyalty program expansion into digital assets. Domains referencing airlinecoin, airdrop, or branded tokens attempt to capture investments from users who believe a carrier launched a crypto initiative.

A second pattern centers on travel payments using bitcoin or other digital currencies. These domains advertise alternative payment options for flights and packages, targeting travelers interested in cryptocurrency transactions. Such infrastructure can support advance fee fraud, wallet connection theft, and business email compromise activity linked to invoice manipulation.

Gambling and affiliate abuse

Airline brand names also appear in gambling and betting domains. Some sites promote casino platforms using airline related keywords, along with phrases such as VIP and bonus. These campaigns lure users into depositing funds or connecting crypto wallets. SEO manipulation drives traffic from users seeking travel deals or airline updates.

Affiliate abuse and ad fraud appear in directory style domains populated with auto generated content and keyword stuffing. These sites redirect visitors to unrelated offers and scams, monetizing brand recognition through traffic arbitrage.

Defense and logistics targeting

Certain domains blur lines between commercial aviation and defense terminology. Keywords referencing air force, airport transfers, cargo, couriers, and pets indicate interest in logistics and government linked transport. Fake clearance services and shipment tracking portals can support intelligence gathering and credential harvesting in high sensitivity sectors.

High cost travel segments draw attention as well. More than 400 domains reference private jet and charter services. Fraudulent brokers request payment verification or re-entry of transaction details through lookalike booking portals. Less common top level domains such as .vip and .luxury appear in these campaigns to convey exclusivity.
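
The keyword themes described in the sections above can be turned into a first-pass triage filter for newly observed domains. The following is an added example, not code from BforeAI or the original article: the keyword lists are taken from the terms the article names, while the brand names (examplair, demowings) and the sample domains are constructed placeholders.

```python
# Theme keywords come from the terms named in the article (assumed token forms).
THEMES = {
    "phishing": ("ticket", "reward", "point", "card"),
    "recruitment": ("hiring", "career", "employee", "partner"),
    "support": ("help", "support"),
    "crypto": ("coin", "airdrop", "token", "bitcoin"),
    "gambling": ("casino", "vip", "bonus"),
    "logistics": ("airforce", "cargo", "courier", "pets", "transfer"),
    "charter": ("privatejet", "charter"),
}
GENERIC = ("flight", "airline", "airfare", "charter", "privatejet")
EXCLUSIVE_TLDS = {"vip", "luxury"}


def triage(domain, brands):
    """Return (matched_brands, flags) for one newly observed domain."""
    labels = domain.lower().rstrip(".").split(".")
    # Collapse hyphens so "private-jet" and "privatejet" match the same keyword.
    name = "".join(labels[:-1]).replace("-", "")
    hits = sorted(b for b in brands if b in name)
    flags = sorted(t for t, words in THEMES.items() if any(w in name for w in words))
    if len(hits) > 1:
        flags.append("multi-brand")      # several carriers on one site
    if not hits and any(w in name for w in GENERIC):
        flags.append("generic-travel")   # no brand, broad flight keywords
    if labels[-1] in EXCLUSIVE_TLDS:
        flags.append("exclusive-tld")
    return hits, flags


def review_queue(domains, brands):
    """Keep only domains that reference a protected brand or generic travel terms."""
    queue = {}
    for d in domains:
        hits, flags = triage(d, brands)
        if hits or "generic-travel" in flags:
            queue[d] = flags
    return queue


BRANDS = ["examplair", "demowings"]  # constructed placeholder brands
SAMPLE = [                           # constructed sample domains
    "examplair-rewards-login.com", "careers-demowings-hiring.net",
    "examplair-demowings-cheap-flights.com", "examplaircoin-airdrop.io",
    "private-jet-charter.luxury", "demowings-helpcenter-refund.com", "example.org",
]

if __name__ == "__main__":
    for dom, flags in review_queue(SAMPLE, BRANDS).items():
        print(f"{dom:45} {', '.join(flags)}")
```

Substring matching of this kind over-matches by design; it is a way to sort a registration feed into review buckets, not a verdict on any single domain.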

Detection thresholds and impact patterns

Luigi Lenguito, CEO of BforeAI, told Help Net Security that PreCrime uses network metadata aggregated over time to identify malicious infrastructure before it becomes active. The system decodes patterns associated with criminal DevOps practices to classify future threat infrastructure. He said the company maintains a false positive rate below 0.05 percent, backed by a contractual performance commitment.

Lenguito said financial impact varies by scam category. Crypto themed fraud carries a direct monetary objective and often generates immediate losses. Fake support portals that collect credentials can lead to long term impersonation fraud and downstream account compromise. Hiring scams continue to expand and serve as entry points for social engineering campaigns aimed at infiltrating organizations. He said some activity in this category aligns with state linked objectives tied to intelligence collection and internal access.

He said campaign timing has accelerated. In prior years, domain registrations tied to major airline disruptions could take days to surface. During 2026, threat actors launch supporting infrastructure within hours of a public incident. Criminal operators preload domains and related infrastructure, allow them to age, then activate them when public attention peaks. Lenguito said this pattern appears in prediction datasets that show waves of dormant domains prepared for later activation. He said preemptive disruption and takedown activity now blocks tens of millions of potential victim interactions per day before active phishing content appears.
