Our experts have detected a fraudulent email campaign on behalf of well-known airlines and airports. Since the beginning of September, our solutions have detected and blocked thousands of similar emails in which scammers posed as employees of Amsterdam Schiphol, Emirates Airlines, Etihad Airways, Lufthansa, Qatar Airways, and other well-known large aviation-related companies. Our experts then started discovering similar mailings exploiting the names of companies in the oil and gas sector. The attackers are imitating normal business correspondence, pretending to be looking for new partners and targeting companies of various sizes and from various industries. The essence of the scheme boils down to convincing the recipients of emails to transfer money to the fraudsters\u2019 accounts.<\/p>\n
Attackers try to draw the victim into a correspondence exchange. At the first stage, they send the victim a rather innocuous email on behalf of the procurement department of a major airline or airport, in which they announce the start of a partnership program for 2025\/2026, and offer them mutually beneficial cooperation. If the recipient responds, the second stage begins: they send several documents to divert attention \u2014 registration forms for a new partner, non-disclosure agreements, and so on.<\/p>\n
These emails don\u2019t contain malicious attachments or links, and there are no hidden scripts in the documents, so basic defense mechanisms don\u2019t always block such correspondence. Attackers use only social engineering techniques. In the next letter they ask to pay a certain \u201cmandatory refundable deposit as an expression of interest\u201d of around several thousand dollars. The purpose of this payment is supposedly to secure a priority place on the schedule for consideration of partnership proposals. And the authors of the email give assurances that once the partnership agreement is finalized the money will be returned.<\/p>\n
The letters used in this campaign look very plausible, but some inconsistencies can still be detected with the naked eye. The first thing to look closely at is the sender\u2019s email address. It often contains the name of the organization whose employees the scammers are imitating. But if you search for the company\u2019s real website and examine email addresses listed in the contact section, you\u2019ll see that the legitimate addresses of the airport or airline employees have a different domain name. Sometimes attackers don\u2019t bother to keep the From<\/em> field plausible at all, and simply write the name of the imitated organization in the displayed name field, so you can see a completely unrelated domain in the email address field.<\/p>\n The general rule for business correspondence that for some reason raises suspicion: if there are any doubts, you can write a letter to the address specified on the official website of the company and clarify whether an affiliate program mentioned in the emails really exists, whether the sender works for this company, and whether the address used in a suspicious email is their real email.<\/p>\n But the main red flag is the offer to make a deposit to \u201cexpress interest\u201d. Respectable companies don\u2019t work that way. They choose partners, suppliers, and contractors after a serious and comprehensive business reputation check \u2014 not based on the ability to transfer a small (by their standards) amount of money.<\/p>\n Ideally, you should implement solutions that prevent fraudulent, phishing and malicious emails from reaching employee inboxes in the first place. We recommend installing strong protection at the corporate email gateway level<\/a>.<\/p>\nHow to protect your company from fraudsters<\/h2>\n