Executive summary: Only 1 in 5 airlines enforces DMARC at the highest level, leaving customers exposed to phishing attacks that are now supercharged by AI. With billions at stake and national security on the line, airlines must move fast by adopting strong email authentication, deploying AI to counter AI, and leading by example across critical infrastructure.
3 key takeaways:
- The gap is real: Only 21.4% of top airlines use DMARC at reject; past scams (AA mailbox breach, Emirates ticket hoax, FACC’s $49M CEO fraud) show the cost of weak email authentication.
- AI raises the stakes: Adversaries use deepfakes and MFA-bypass tactics; aviation’s interconnected supply chain amplifies blast radius—from flight delays to forensic investigations and brand harm.
- Act now: Mandate DMARC at reject, deploy AI to counter AI, and participate in AI-ISAC information sharing—treating email authentication as a first line of defense and a sector-wide standard.
Across the commercial aviation industry, phishing scams are becoming commonplace, with criminals impersonating airlines in the US as well as across the globe to defraud the public. In 2022, American Airlines confirmed that attackers gained access to some employee mailboxes via a phishing campaign, which exposed employee data and forced the company to invest heavily in forensic investigations and after-action reports, costing valuable time and money. Elsewhere, emails offered free tickets on a major airline if the recipient paid a small fee. The offer was fake, and the link stole credit cards from Emirates customers. And in one costly example, a leading global aerospace company, FACC, was hit by a CEO impersonation email scam, resulting in a nearly $49 million fraudulent transfer and leading to the dismissal of the company’s CEO.
These incidents illustrate how stronger enforcement makes a difference, particularly with the U.S. industry increasingly under duress. From air traffic control staffing shortages to the infrastructure and safety issues raised following the tragic midair collision outside Ronald Reagan Washington National Airport in January, the industry is facing significant challenges, which will only be compounded by cyberattacks becoming easier to implement thanks to AI.
Phishing attacks, which involve manipulating individuals into revealing sensitive information, are becoming one of the most prevalent threats to the aviation industry. Recent attacks have led to substantial financial losses and disruptions, highlighting the industry’s vulnerability to these methods. New research by Red Sift shows only 21.4% of top operational airlines have implemented methods to secure their outbound email communications from would-be attackers. The data focuses on a well-known email security standard, DMARC, an authentication protocol that helps protect email senders and recipients from phishing and spoofing attacks, and assesses the number of airlines currently at a policy of rejection, considered the highest level of enforcement.
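As an added illustration (not Red Sift's code or survey methodology), the sketch below shows how "at a policy of reject" can be measured from the DMARC TXT records a domain publishes. The domains and records are constructed, and counting a reject policy with pct below 100 as partial enforcement is an assumption of this example.

```python
# Added example. Domains and TXT records below are constructed, not survey data.
VALID = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the record must start with the version tag v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # malformed tags are ignored rather than fatal
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def enforcement(txt_records):
    """Classify the TXT answers for _dmarc.<domain> into one level."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(parsed) != 1:  # no record, or several: no usable policy
        return "missing"
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID:
        # RFC 7489 6.6.3: an invalid p falls back to none only if rua is set.
        return "none" if tags.get("rua") else "missing"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # unparseable pct: use the default
    # Assumption of this example: reject on a sample of mail is not full enforcement.
    if policy == "reject" and pct < 100:
        return "reject-partial"
    return policy

def share_at_reject(records_by_domain):
    """Return (level per domain, percentage of domains at full reject)."""
    levels = {d: enforcement(r) for d, r in records_by_domain.items()}
    at_reject = sum(1 for lvl in levels.values() if lvl == "reject")
    return levels, round(100.0 * at_reject / len(levels), 1)

SAMPLE = {  # constructed records
    "air-one.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@air-one.example"],
    "air-two.example": ["v=spf1 -all", "v=DMARC1; p=quarantine; pct=50"],
    "air-three.example": ["v=DMARC1; p=none; rua=mailto:r@air-three.example"],
    "air-four.example": ["v=DMARC1; p=reject; pct=25"],
    "air-five.example": [],
}

if __name__ == "__main__":
    print(share_at_reject(SAMPLE))
```

In practice the record lists would come from TXT lookups at `_dmarc.<domain>` for each domain under review.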
Today, threat actors are leveraging sophisticated techniques like impersonating support staff, bypassing multi-factor authentication, and utilizing AI to craft convincing deepfakes in phishing campaigns.
The interconnected nature of the aviation supply chain amplifies these risks, as a single compromised email can affect numerous vendors and clients, leading to flight delays, forensic investigations, and reputational damage, costing the industry millions. With AI attack vectors, the danger is growing every day, especially as airlines utilize automation and AI for more functions like baggage tracking and customer check-in.
The national security implications cannot be overstated, as these attacks are often designed to fund nefarious endeavors like terrorism and money laundering.
This challenge is not unique to aviation. Red Sift’s research shows the same pattern in US commercial banking, where fewer than half of institutions are adequately protected. With phishing attacks hammering organizations across critical-infrastructure sectors, airlines have an opportunity to lead by example, proving that robust digital security is an essential first line of defense. As we witness cybercriminals become faster, nimbler and more effective with AI, the industry must respond in kind by sharpening its own defenses. This includes deploying AI to counter AI.
While AI seemed like a buzzword just a few years ago, it has become an important component of any robust cybersecurity program. The industry currently faces a rising number of issues in the US, including a growing talent gap, so reducing workflow while increasing protection is an obvious and smart deliverable. The sector must shore up its standards and ensure that situations like the ones recently seen in other parts of the world are not replicated here.
As infrastructure issues continue to grow across the US, the federal government plays a major role in supporting all critical industries in strong cybersecurity. The recently released AI Action Plan is a sweeping policy roadmap aimed at clarifying the regulatory landscape while supercharging US investment in infrastructure and talent. One component of this, the AI Information Sharing and Analysis Center (AI-ISAC), will promote AI-security threat information and intelligence sharing across critical infrastructure sectors, including the airline industry, raising awareness around AI-powered threats and how defensive AI cyber capabilities can be tapped to combat them.
With the race to develop and deploy advanced AI heightening on all sides, critical infrastructure sectors must follow suit and invest in smart, AI-backed solutions designed to stop massive attacks before they arise. It’s time for all airlines to catch up and we’re ready to support you. Come speak with us today to stay secure.