US-CERT Warns About Airline Phishing Scams

What if there was a new phishing scam that had an open rate of 90%?  That’s right, this phishing email is so believable that 90 out of 100 recipients open the attachment or click on the link without a second thought.

These attacks begin with the scammer researching the target victim.  These targets usually work at companies where there is a lot of air travel.  The emails are personalized, and designed to look like airline flight confirmations, or travel company invoices.  Subject lines include details such as airline, ticket price, and destination that would be believable to the recipient.

There are two versions of this exploit.

  • One uses malicious attachments that look like flight itineraries, invoices, or receipts. Opening the attachment will install a remote access Trojan or keylogger.  The keylogger collects more personal data, including user IDs and passwords to other websites and internal systems.
  • The other provides a link to a replica website login screen, and captures the victims’ user credentials.  Often there are additional web forms to capture more detailed information about the victim and their organization.

If the attackers can gain access to a user’s computer, they can pivot to other computers and extend the exploit deeper into the organization.

Like other phishing scams, the best way to protect yourself is:

  • When confirming travel arrangements, use the vendor’s website.  Do not click on the offered link in the email.  Open your browser and go directly to the airline website by typing the address into the address bar, or use a bookmark or favorite you created earlier.
  • Never click on any link in an email without at least checking the destination by hovering over the link and reading what appears in the tool tip box.  If the web address looks unusual, just assume the email is a fake and delete it.
  • Never open an attachment without confirming with the sender.
  • Or forward the email with the attachment to  Change the subject line to SCAN, and wait for a response from VirusTotal.  The attachment will be scanned, and if the attachment contains malware, you will be notified in the scanner results email.  This process takes less than 10 minutes.

Be aware, and pass this warning on to others in your company.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
