61% of Airlines Have No Published DMARC Record, Customers Susceptible to Email Fraud

The majority of airline companies are potentially leaving their customers vulnerable to email fraud, such as phishing, according to a new analysis by Proofpoint.

It found that 61% of member airlines belonging to the International Air Transport Association (IATA) do not have a published Domain-based Message Authentication, Reporting & Conformance (DMARC) record, increasing the risk of having their identity spoofed and of customers being targeted by email fraud. IATA member airlines make up 82% of total air traffic.

In addition, 93% of global airlines included in the study have not implemented the recommended level of DMARC protection, known as Reject. A Reject policy blocks fraudulent emails from reaching their intended target.

DMARC is an email validation protocol that verifies that the domain of the sender has not been impersonated.
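The two measurements reported above (no published record, and not at the Reject level) can be reproduced for any list of domains by reading the TXT records at `_dmarc.<domain>`. The following is an added example, not code or data from the Proofpoint study: the domain names and records are constructed, and counting malformed or duplicate records as "not published" is this example's assumption.

```python
# Added example: classifies constructed TXT records; performs no DNS lookups.
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_tags(txt):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def dmarc_posture(txt_records):
    """Return (level, pct) for the TXT strings found at _dmarc.<domain>.

    level is 'no-record', 'invalid', 'none', 'quarantine' or 'reject'.
    """
    candidates = []
    for txt in txt_records:
        pairs = parse_tags(txt)
        # Only strings whose first tag is v=DMARC1 count as DMARC records.
        if pairs and pairs[0] == ("v", "DMARC1"):
            candidates.append(dict(reversed(pairs)))  # first occurrence of a tag wins
    if not candidates:
        return ("no-record", None)
    if len(candidates) > 1:
        return ("invalid", None)  # RFC 7489: multiple records mean no policy is applied
    tags = candidates[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return ("invalid", None)
    raw_pct = tags.get("pct", "100")
    # pct defaults to 100; an unparsable value falls back to 100 (example's assumption).
    pct = min(int(raw_pct), 100) if raw_pct.isdigit() else 100
    return (policy, pct)

def summarize(samples):
    """Return (domains without a usable record, domains not at full reject, total)."""
    results = [dmarc_posture(records) for records in samples.values()]
    unpublished = sum(1 for level, _ in results if level in ("no-record", "invalid"))
    not_reject = sum(1 for level, pct in results if not (level == "reject" and pct == 100))
    return (unpublished, not_reject, len(results))

SAMPLES = {  # constructed domains and records
    "air-a.example": [],
    "air-b.example": ["v=spf1 -all"],
    "air-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@air-c.example"],
    "air-d.example": ["v=DMARC1; p=quarantine; pct=50"],
    "air-e.example": ["v=DMARC1; p=reject"],
}
```

Only `air-e.example` in the constructed set has spoofed mail refused outright; `p=none` publishes a record but asks receivers to take no action on failing mail.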

Adoption rates were found to vary significantly between regions, with 85% of airlines in China and North Asia having no published DMARC policy, followed by Asia Pacific (70%), Europe and Middle East and Africa (both 57%) and The Americas (43%).

Adenike Cosgrove, cybersecurity strategist, international at Proofpoint, commented: “The COVID-19 pandemic saw international travel halted and while many regions are still unable to travel, a number of countries worldwide are slowly ungrounding their airlines.

“While the travel sector has always been a rife target for cyber-criminals, the pandemic has offered new grounds for the targeting of travellers globally. Whether booking new flights, or seeking information on flight cancellations, one thing remains the same: many people worldwide are eagerly awaiting communication from airlines.

“Worryingly, at a time when opportunistic cyber-criminals may look to take advantage of such global uncertainty, the majority of international airlines are leaving their customers exposed to email fraud.”

In June, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) called for greater DMARC support and adoption to prevent rampant phishing, which has been emboldened and bolstered by the global pandemic.
