Executive Summary: Commercial Airline Industry Sees Sustained Scam and Impersonation Activity in 2026
Date: February 2026
Source: PreCrime™ Labs
With the peak 2026 travel planning season upon us, it is safe to assume that the commercial airline brands we are all familiar with are being leveraged by criminals who want to deceive and defraud airline customers. As would-be travelers eagerly shop for cheap flights and hunt for limited-time offers or special deals, they are often at risk of being victims of brand-based phishing campaigns and scams. The most common AI-driven phishing scams and fake booking portals are designed to steal financial data, personally identifiable information (PII), or infect users’ devices with malware through fake app downloads.
PreCrime™ Labs, the research division of BforeAI, observed a total of 1,799 suspicious domains between September and December of 2025, targeting over 35 global airline brands. In the midst of the 2025 end-of-year holiday rush into the beginning-of-the-year annual travel planning season of 2026, the PreCrime Labs team analyzed a large set of threat data related to airlines. There was a much higher concentration of generic keywords, numbering close to 10,000, that focused on search terms such as “airline”, “flight”, “charter”, “airfare”, and “private jet”.
These domains demonstrate a consistent pattern of generalized phishing, attracting broader customer interest than merely focusing on a single airline company. However, as such domains combine most airline brands under a single phishing domain, it can lead to loss of cumulative trust in airline ecosystems, loyalty programs, and customer support. The total count of suspicious domains targeting the airline industry surpasses 11,600 domains. The observed activity spans across phishing, fake promotions, fraudulent investments, betting abuse, and reputational harm, indicating both opportunistic fraud and coordinated campaign-style abuse.
Last year’s assessment of the entire OTA ecosystem identified approximately 6,000 malicious domains across all brands and threat categories. In the current analysis, a more category-specific, restrictive approach was applied. Even so, generic flight-related and brand-excluded domains alone accounted for ~7,000 malicious registrations, already exceeding the total observed across the full OTA industry last year.

Key elements seen within the sustained scam and impersonation activity:
Top-Level Domains (TLD)

Top keywords used
| Keyword Category | Frequently Occurring Keywords | Scam Type Inference |
|---|---|---|
| Core Travel and Legitimacy | flight (7437), airlines (2158), airway (118), ticket (133) | Confirms domains are posing as primary booking/information services (phishing). |
| Promotional Lures | winair (133), reward (17), bet (31), casino (31) | Clearly indicates the use of promotional, contest, and giveaway scams to steal data or fees. |
| High-Value Niche | private (367), business (28), charter (78), premium (5), platinum (3) | Targets the specialized, high-transaction-value private aviation sector. |
| Heavy Brand Impersonation | batik (328), qantas (279), airasia (67), etihad (118) | Shows a strong reliance on hijacking the trust of specific, globally recognized airline brands for targeted phishing. |
| Financial and Loyalty Programs | card (27), partner (11), loyal (9), point (59) | Domains target high-value financials (credit cards, jet cards) or impersonate B2B partners/vendors to facilitate Business Email Compromise (BEC), aiming to divert large payments or steal sensitive client credit data. |
| Operations and Career Services | admin (5), support (32), employ (4), hire (2), career (14), recruit (1) | These keywords are used to mimic internal login portals (for employees or vendors) or official customer support sites. The goal is to steal high-level credentials or to trick customers into providing account details to "resolve" a booking issue. |
| Digital and Mobile Lures | app (153) | This keyword is used to lure users into downloading a fraudulent mobile application, including TLDs (“.app”). The purpose is to distribute malware disguised as a legitimate airline or travel application to compromise the user's mobile device. |
Top brands targeted

Key threat themes and observed abuse patterns
Recruitment and vendor abuse
Relevant keywords: hiring, employees, partners
Malicious campaigns based on recruitment and partnership themes that impersonated airlines’ internal processes were observed as part of this analysis. These domains are likely intended for fake job postings and recruitment scams, credential harvesting through duplicated employee portals, or partner onboarding platforms that facilitate fraud and the theft of documents.
An interesting example was the domain name “indigogoehring[.]com” that replicates “IndiGo” (a popular airline in India) and uses the keyword “hiring”, which could also be used for luring job seekers, using password access as a fake barrier to legitimacy. At times, threat actors also prefer a multi-step campaign that restricts suspicious users from accessing the internal phishing elements.


Aside from career services and partnerships, each airline hosts multiple vendors across diverse services such as freight cargo, catering, and other management-based operations. While not all were necessarily malicious, sites leveraging these services were observed in “parked” status, making them suspect. This highlights how attackers take every aspect of airline operations into account when launching phishing campaigns, so as to maximize the reach and success of the campaign.


Risk: Misuse of airline hiring keywords can lead to erosion of brand trust, human resources (HR) impersonation scams, and unauthorized collection of personal and corporate credentials under the guise of job offers.
Fake airline tokens, coins, and crypto abuse
Relevant keywords: airindiacoin, indigocoin, solana, airdrop, cash, bitcoin, crypto
Two distinct types of fraudulent airline-themed crypto domain threats were observed as phishing vectors.
The first category includes domains that combine cryptocurrency themes with airline brands (e.g., “airindiacoin”), in which victims investing in this coin are under the perception that the brand has entered the crypto space by launching their own coin, exploiting the trusted brand element. Multiple domains referenced airline-branded “coins,” tokens, or crypto-based reward schemes, possibly linking them to loyalty program familiarity, airdrop, and investment-style websites.
The second category of threats targets users seeking alternative payment methods for travel, who become susceptible to financial fraud, especially when the offer is phrased as “travel payment with bitcoins/crypto”. Additionally, these types of attacks can facilitate business email compromise (BEC) operations in the background, or the active content can be hosted at any time in the future for shorter periods to avoid detection and prolong the shelf life of the phishing domain.


Risk: Association with unverified crypto-themed domains can lead to financial fraud, regulatory scrutiny, and brand trust erosion for airlines involved, even indirectly.
Customer support and service impersonation
Relevant keywords: helpcenter, support, services, indigo issue lately
Domains that leveraged the theme of airline help centers and support portals were investigated, both in their nascent stages and in the post-exploitation pivotal stage. Certain news flashes, especially during publicly-visible periods of service disruption, were heavily emphasized to generate help desk portals that allegedly address and assist victims of the disruption, targeting them while the situation remained active. These domains are often designed to harvest booking details and payment information, capture login credentials, and monetize frustration during real operational incidents. One example is the IndiGo flight cancellation crisis after DGCA’s regulations.


Risk: Brand impersonation in support scams leads to direct financial loss for victims and overwhelms official customer support channels, reducing service efficiency.
Betting, gambling, and illicit monetization
Relevant keywords: batik slots, betting
Some airline brands were abused to promote or redirect users to online betting and gambling platforms. This abuse often relies on SEO manipulation using brand keywords with misleading “offers” or “exclusive promotions”. One interesting example was a promotional landing page for “WinAirlines Casino”, a platform targeting Italian-speaking users. The domain mentions a “Crypto Gaming Center” along with sections like “VIP” and “Security” to lure the victims to luxury travel, likely to invoke the themes of trust, travel, and excitement, but twisted toward gambling.
This domain could deceive users into connecting wallets or making deposits under the guise of casino gameplay. Phrases like “Free Bonus Casino” or “Get $100” are commonly used tactics in fake gambling websites.

Risk: Domains like this one can harm the airline industry and specific brands through misassociation, inviting regulatory concerns and heavy customer mistrust.
Aviation, defense, and airport-related targeting
Relevant keywords: Japan Air, airforce, airport transfers, catering, cargo, couriers, pets
Certain domains blurred the line between civil aviation and defense-related terminology. These may indicate certain social engineering attempts targeting government or non-tourism based air transport. Setting up of fake logistics, transfer, or clearance services can be vectors that attract intelligence-gathering or credential harvesting attempts in which specific consignments can be tracked, rather than the typical civilian tourist targeting.

Risk: Targeting of high-sensitivity defense, logistics, and diplomatic sectors via airline-themed phishing poses national security threats, data exfiltration risks, and potential state-sponsored exploitation.
Airline brand-specific observations
LATAM Airlines

Relevant keywords: cyber latam, airwaycard, pass, promotion, latam air mail, services, airdrop
Malicious domains targeting airline brand LATAM focus heavily on loyalty cards and boarding passes, premium branding with travel cards, promotional giveaways, and airdrops. The use of corporate themes and Spanish-language bait (“Para negocios”) suggests tailored targeting of Latin American executives or frequent fliers.
Avianca

Relevant keywords: checkin, cheap, trust, blackfriday, hateavianca, wifi, logistics
Avianca-related domains showed a mix of discount and promotion scams, negative or grievance-based domains (e.g., “hate” branding), in-air WiFi, and logistics impersonation.
British Airways


Relevant keywords: leadership, ba delivery company, casino
Domains targeting British Airways focused on phishing themes that put unverified content around strategic leadership, often to lure users seeking official updates, or look like an official domain for updates in case of email phishing. Other instances observed were for casino and delivery services. Domains such as this can be potentially risky for business email compromise (BEC) style abuse and investment campaigns.
EasyJet

Relevant keywords: easyjetads, easy jet storm, easy jet refunds
The above domain, as an example, leverages airline branding, such as EasyJet, to host a classified ad-style or directory listing structure, indicating potential brand impersonation or SEO abuse. Since the content appears to be auto-generated and keyword-stuffed, multiple ad-fraud and affiliate-abuse schemes can be hosted under a single domain. This essentially exploits the airline brand’s website visitors, especially by guiding users searching for travel services to various scam opportunities.
United Airlines

Relevant keywords: millionpoints, classaction, official member, pets delivery
United Airlines related malicious domains leveraged loyalty points abuse, official membership logins, and legal or class action narratives.
Qatar Airways


Relevant keywords: QA app, sourcing QA, jobs, Qatar Airways UAE projects, park, overlap with Emirates
Threat activity targeting Qatar Airways indicates multi-vector brand impersonation, spanning recruitment, mobile applications, and regional projects. Observed patterns suggest QA mobile applications used for credential or data harvesting, recruitment and sourcing-themed domains, and UAE-specific “projects” that also overlap with “emirates” to confuse or hint at partnerships.

Geopolitically significant global events like the FIFA World Cup 2026 competition often trigger a wave of domain registrations mimicking airline or ticketing brands, like the observed example which combines legitimate branding with country-specific top-level domains to build trust among regional users. These domains often host realistic cloned payment details or promote fake travel packages.
Ryanair

Relevant keywords: invest, robloxsafetyemergency, stopRyanair, Ryanair email
Ryanair-related malicious domains show a highly opportunistic abuse pattern, mixing unrelated trending themes with airline branding. Notable observations include investment-themed domains falsely associating Ryanair with financial opportunities along with use of unrelated high-interest topics (e.g., gaming safety emergencies) to drive traffic.
Recently, a viral online spat broke out between Elon Musk of SpaceX and Ryanair’s CEO Michael O’Leary over O’Leary’s refusal to install Starlink routers in Ryanair airplanes. As the debate gained visibility on the internet, crypto scammers wasted no time launching opportunistic marketing campaigns to promote meme coins. Interestingly, the same account that we see below was also involved in promoting “Madurocoin”, as observed in PreCrime Labs’ latest threat advisory on the unrest stemming from US actions in Venezuela.
Incidents like these demonstrate how news affects the malicious infrastructure ecosystem, spanning across social media, domains, and themes. Anything trending on the internet is liable to become a weapon against users seeking services in the airline industry with suspicious domains popping up and staying live as long as the activity remains relevant.

Lufthansa

Relevant keywords: traineehub, stopover
Threat activity related to Lufthansa highlights fake trainee or early-career portals impersonating official training programs. Along with these, there are some domains that are themed around abuse of stopover-related services, which are commonly marketed to international travelers.
AirAsia

Relevant keywords: bet, fright, cargo
AirAsia-related domains demonstrate diverse abuse vectors, including betting and gambling-related misuse leveraging airline branding, with a DGA pattern also seen. Fake help centers with contact details across regions such as Vietnam, Bangladesh, Japan, etc., were seen. Some domains also used cargo-themed impersonation targeting logistics partners and freight customers.
Generic airline abuse observations
Relevant keywords: support, review, transport
Generic airline abuse patterns included fake review platforms, transport and baggage-related scams, support impersonation without specific airline naming, and lastly unbelievable too-good-to-be-true deals. These phishing and scam campaigns require minimal effort on behalf of the attackers, but are executed at scale, targeting multiple well-known brands simultaneously. The broad reach increases chances of success while diluting brands in the process.
Noteworthy Threat: At least 36 domains leveraged LLM trends, promoting a revolutionary AI-based flight search experience. Brand exploitation of AI technologies was used to build legitimacy, leading to harvested intent and context of travelers, benefitting threat actors for customized social engineering campaigns.

Additionally, there was a focus on other services such as visas, packages, and missing baggage claims. A significant portion (422 domains) focused on personalized, high-cost, travelling experiences such as private jet and charter flights, in which fraudulent jet brokers or operators steal payment information and personal data.
Other keyword trends include booking, support, or service (e.g., “privatejetsupport[.]com” or “charterbookingportal[.]net”) to trick clients into “verifying” payments or “re-entering” credentials for failed transactions. In these cases, less common TLDs like “.live”, “.shop”, or “.vip” might be used to suggest a limited-time opportunity or a high-value, exclusive service scam.
Mitigation strategies
Organizational measures
Preemptively track newly registered domains that misuse popular tech names (e.g., ChatGPT, airline brands) to create misleading credibility. Flag and report suspected abuse.
Launch awareness campaigns highlighting common scams using AI buzzwords and impersonation of airline services, especially during the peak season.
Work with hosting providers and registrars to initiate takedowns of fraudulent or suspicious lookalike sites.
Create watchlists around future events (e.g., FIFA 26, Olympics, AI Summits, government launches) to catch pre-registration trends. Domains mimicking future products or services are often registered months in advance and used when public attention peaks.
Recognizing that vendor-jacking is a major BEC threat, prioritize implementing mandatory, multi-person verification procedures for all changes to vendor payment information, invoices, or other high-value financial requests to ensure sensitive actions are not taken on the basis of emails alone.
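One way to act on the first organizational measure, as an added example that is not PreCrime Labs' tooling: a keyword triage pass over a feed of newly registered domains, using the brands, keywords and TLDs this report lists. The allowlist, the category names and the flagging rule are assumptions; the first three sample domains are quoted in the report and the rest are constructed.

```python
import re

# Keywords and TLDs below are the ones the report lists; matching is substring
# based because lure domains concatenate words ("privatejetsupport").
BRANDS = ["batik", "qantas", "airasia", "etihad", "indigo", "latam",
          "avianca", "easyjet", "ryanair", "lufthansa"]
CATEGORIES = {
    "core_travel": ["flight", "airline", "airway", "ticket", "charter", "jet"],
    "promo_gambling": ["reward", "bet", "casino", "slots", "bonus"],
    "crypto": ["coin", "airdrop", "crypto", "bitcoin", "solana"],
    "support_booking": ["support", "helpcenter", "refund", "service", "booking"],
    "recruitment": ["hiring", "career", "recruit", "jobs", "trainee"],
    "loyalty_payment": ["card", "point", "loyal", "partner"],
}
WATCH_TLDS = {"live", "shop", "vip", "luxury", "gold", "app"}
# Assumption: the defender maintains this allowlist of official domains.
OFFICIAL = {"qantas.com", "ryanair.com"}


def normalize(raw):
    """Refang a defanged indicator and reduce it to a bare hostname."""
    host = raw.strip().lower().replace("[.]", ".")
    host = re.sub(r"^[a-z]+://", "", host)  # drops http://, hxxps://, ...
    return host.split("/")[0].rstrip(".")


def triage(raw, official=OFFICIAL):
    """Return the keyword groups a domain hits and whether it needs review."""
    host = normalize(raw)
    # An official domain, or any subdomain of one, is out of scope.
    if any(host == d or host.endswith("." + d) for d in official):
        return {"domain": host, "flag": False, "hits": {}}
    labels = host.split(".")
    # Search everything left of the final label; hyphens are dropped so that
    # "private-jet" and "privatejet" match the same keywords.
    name = ".".join(labels[:-1]).replace("-", "")
    hits = {}
    for cat, kws in CATEGORIES.items():
        found = [k for k in kws if k in name]
        if found:
            hits[cat] = found
    brands = [b for b in BRANDS if b in name]
    if brands:
        hits["brand"] = brands
    if labels[-1] in WATCH_TLDS:
        hits["tld"] = [labels[-1]]
    # Short keywords such as "bet" over-match on their own, so a lure only
    # counts next to a core travel term; a brand off the allowlist always does.
    lures = set(hits) - {"brand", "core_travel"}
    flag = "brand" in hits or ("core_travel" in hits and bool(lures))
    return {"domain": host, "flag": flag, "hits": hits}


# First three domains are quoted in the report; the rest are constructed.
SAMPLES = ["privatejetsupport[.]com", "charterbookingportal[.]net",
           "indigogoehring[.]com", "hxxps://qantas-rewards[.]vip/login",
           "www.qantas.com", "alphabet-soup.example"]

if __name__ == "__main__":
    for s in SAMPLES:
        r = triage(s)
        print(f"{r['domain']:28} review={r['flag']!s:5} {r['hits']}")
```

Exact substring matching catches “indigogoehring[.]com” only through the brand string, not the respelled “hiring”, so a production watchlist would add fuzzy or edit-distance matching on top of this pass.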
Traveler awareness
Always cross-check flight booking websites with official airline links or trusted travel aggregators. Be cautious of domains combining popular AI tools (e.g., “ChatGPT”) with unrelated services. Just because a service claims to use AI doesn’t make it legitimate. Avoid inputting personal or payment details without confirming credibility.
In the case of private jet booking, if a payment or security notice is received, independently verify the request by calling the jet operator’s or broker’s known phone number (not a number provided in the email).
Be suspicious of new, high-end TLDs like “.luxury”, “.vip”, or “.gold” when used with high-pressure sales tactics. While they can be legitimate, fraudsters use them to suggest an elite offer.
Never submit scanned images of a traveler’s passport, detailed flight schedules, or private itineraries via unencrypted email, even to a trusted party. Insist on using an end-to-end encrypted messaging service or a dedicated, verified client portal for all sensitive document transfers.




