By Estelle Derouet, VP marketing, email fraud protection, Return Path
Consumers trust travel brands like Airbnb, Kayak, and Expedia with a wealth of personal data, including credit card account information, state-issued identification, emergency contact details, and more. Their trust in these companies makes online travel an attractive industry to cybercriminals, especially when it comes to email fraud.
Every day, cybercriminals worldwide send phishing attacks that spoof some of the most known brands, in order to steal personal data, manipulate reward points, and trick customers into making bogus bookings on fake reservation sites.
To fight this rampant threat, we need to understand it. Here are three examples of how the travel industry is being phished right now and what you can do about it.
Subject line spoofing: American Airlines
Marketers know that personalization and urgency are some of the best ways to boost email engagement. Fraudsters know this too and use these tactics to encourage recipients to open the email.
In this example from American Airlines, the fraudulent message spoofs the subject line, “Your American Airlines order has been processed,” in addition to incorporating a convincing logo, contact details, and record locator information.
Display name spoofing: Airbnb
This phishing example from Airbnb highlights the display name spoofing tactic popular with many cybercriminals targeting the travel industry. The display name is the name that appears to the left of the email address (in this case, “Airbnb
Many malicious emails that spoof the display name, including this one, are sent from a domain out of the targeted brand’s control. This way, the phishing email can bypass email authentication protocols and reach thousands of victims’ inboxes.
This trend holds true across many other verticals as well. In September, Return Path analyzed more than 760,000 email threats associated with 40 top global brands and found that nearly half of all email threats spoofed the brand in the display name.
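As an added example (not code from the original article or from Return Path), the following defender-side check flags a From: header that names a brand while the sending address sits outside that brand's known domains, which is exactly the gap the display-name tactic exploits. The brand list, domains and sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample inventory: brand keyword -> legitimate sending domains.
# A real deployment would load the brand's actual domain list.
BRAND_DOMAINS = {
    "airbnb": {"airbnb.com"},
    "lufthansa": {"lufthansa.com", "lufthansa.de"},
    "american airlines": {"aa.com"},
}


def registrable_domain(domain):
    """Reduce 'mail.airbnb.com' to 'airbnb.com'.

    Crude two-label rule; production code should use the public suffix list.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def check_from_header(from_header):
    """Classify a raw From: header value.

    Returns (verdict, detail) where verdict is one of:
      'ok'             brand named and sent from one of its known domains
      'brand-mismatch' brand named in the display name or address but the
                       sending domain is not one the brand controls (this is
                       the display-name spoof that SPF/DKIM/DMARC on the
                       brand's own domains cannot catch)
      'no-brand'       no monitored brand mentioned
      'malformed'      header could not be parsed into an address
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "malformed", from_header
    sender_domain = registrable_domain(address.rsplit("@", 1)[1])
    # Look for the brand in both the display name and the address itself,
    # so lookalike domains such as 'lufthansa-de.example' are caught too.
    haystack = f"{display_name} {address}".lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in haystack:
            if sender_domain in allowed:
                return "ok", f"{brand}: {sender_domain} is a known sending domain"
            return "brand-mismatch", f"{brand} named but sent from {sender_domain}"
    return "no-brand", sender_domain


def scan_headers(headers):
    """Return only the headers that need analyst attention."""
    return [(h, *check_from_header(h)) for h in headers
            if check_from_header(h)[0] in ("brand-mismatch", "malformed")]


# Constructed sample From: headers, not taken from real messages.
SAMPLE_HEADERS = [
    '"Airbnb" <support@mail-notify-center.example>',
    "Airbnb <noreply@mail.airbnb.com>",
    '"Lufthansa Miles&More" <info@lufthansa-de.example>',
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for header, verdict, detail in scan_headers(SAMPLE_HEADERS):
        print(f"{verdict:15} {detail:45} {header}")
```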
Domain Spoofing: Lufthansa
Phishers targeting travel customers also spoof the legitimate sending domains of their target brands. This example from Lufthansa's Miles&More rewards program spoofs the legitimate sending domain "lufthansa.de" even though it comes from a malicious source.
Companies can prevent malicious emails like these from ever reaching consumers' inboxes by implementing email authentication protocols.
Return Path recently looked at 46 of the world's top travel companies and found that only 24% had done so, leaving three quarters of them exposed to domain spoofing.
Travel companies cannot rely on customers to spot fraudulent emails like these: in May, Intel Security released the results of a study that found that 97% of people around the globe cannot identify a sophisticated phishing message.
But there are proactive steps brands can take to protect their customers, their reputation, and their business from email attacks, namely:
Educate your customers:
While you can't rely on your customers exclusively to spot phishing emails, it's still worth educating them. Create web pages that post warnings about potential scams and show what legitimate communications and accounts look like, so users know how to spot fraudulent emails. British Airways offers great educational content on phishing.
Raise awareness with top executives:
With the rate of attacks increasing, travel executives need to make brand protection a priority. Research by Cloudmark suggests that customers are 42% less likely to interact with your brand after being phished or spoofed.
The impact of eroded customer trust is simple: lost revenue. Make sure your executives also understand the negative impact of email fraud on your legitimate email programs.
Authenticate outbound email:
Implementing the right email authentication solutions will help block bad emails spoofing your legitimate domains before they even reach your consumers’ inboxes.
Talk to your security and IT department to make sure your company is doing everything in its power to prevent phishing and spoofing attacks.
Get visibility into all email threats:
You can't control what you can't see. Cybercriminals are forever evolving their tactics, so it is critical that you have the right threat intelligence data to make sure you see all types of threats targeting your brand in real time.