The Scale of the Threat
Between September and December 2025, security researchers at BforeAI’s PreCrime Labs identified 1,799 suspicious domains impersonating more than 35 major airline brands. The broader dataset reveals over 11,600 domains targeting the airline industry across multiple abuse categories. Generic flight-related domains accounted for roughly 7,000 malicious registrations, exceeding counts observed across the wider online travel agency ecosystem during the prior year.
This is not your typical phishing wave. Attackers are building sustained infrastructure designed to harvest credentials, divert payments, and infiltrate B2B networks. For travel merchants processing airline transactions, the implications extend far beyond consumer inconvenience. They touch chargeback exposure, merchant account integrity, and supply chain security.
How the Scams Work
Criminal groups rely on high-volume keyword combinations such as flight, airline, airfare, charter, and private jet to attract broad search traffic. Many domains combine multiple airline brand names under a single site to capture users searching for deals or booking information. The sophistication level has evolved considerably.
Phishing and Credential Harvesting
Phishing remains the dominant theme. Domains frequently mimic booking portals, check-in pages, and loyalty account logins. Keywords tied to tickets, rewards, points, and cards signal attempts to harvest credentials and payment information. Attackers also register domains that impersonate corporate partner portals, opening paths for business email compromise and payment diversion schemes.
When travelers enter payment details on these spoofed sites, merchants face downstream consequences. Fraudulent transactions generate chargebacks. Stolen credentials enable account takeovers that damage brand reputation. And the velocity of these attacks suggests automation at scale.
Recruitment and Vendor Impersonation
A secondary cluster of activity targets the airline supply chain. Domains incorporating terms such as hiring, career, employee, and partner replicate airline job portals and onboarding systems. These sites solicit resumes, identity documents, and login credentials. In some cases, password-protected pages create a sense of internal legitimacy.
Airlines maintain extensive vendor networks across cargo, catering, and airport operations. Each vendor is a potential attack vector. For payment processors and merchants integrated with airline systems, vendor jacking campaigns introduce supply chain risk that traditional fraud controls may not detect.
Support-Themed Exploitation
Support-themed impersonation rises during service disruptions. When flight cancellations or regulatory actions generate media attention, malicious help center domains appear that reference the affected airline and the incident. These portals request booking references, payment details, and account credentials. Campaign timing indicates coordination with public events to increase conversion rates.
Merchants should note the pattern. Fraudsters monitor news cycles and operational disruptions, spinning up targeted infrastructure within hours. Static fraud rules cannot keep pace with this level of agility.
The Emerging Crypto Angle
Perhaps most concerning for forward-looking risk models is the emergence of cryptocurrency-themed fraud using airline branding. One category includes fake airline coins and tokens that suggest a loyalty program expansion into digital assets. Domains referencing airlinecoin, airdrop, or branded tokens attempt to capture investments from users who believe a carrier launched a crypto initiative.
A second pattern centers on travel payments using bitcoin or other digital currencies. These domains advertise alternative payment options for flights and packages, targeting travelers interested in cryptocurrency transactions. Such infrastructure can support advance fee fraud, wallet connection theft, and business email compromise activity.
For merchants evaluating alternative payment acceptance, this trend signals a warning. Fraudsters are actively exploiting the gap between consumer interest in crypto payments and merchant readiness to support them securely.
Risk Mitigation for Travel Merchants
The attack surface described in the BforeAI research demands a layered response. Merchants processing airline-related transactions should consider the following measures:
- Domain monitoring: Add brand protection services that detect lookalike domains at registration, not after they go live.
- Customer education: Proactive communication about legitimate booking channels reduces the likelihood that customers will interact with spoofed sites.
- Supply chain verification: Vendors with access to airline systems should face enhanced due diligence and ongoing monitoring.
- Fraud model updates: Machine learning models should incorporate signals from domain age, hosting patterns, and rapid infrastructure deployment.
- Incident response readiness: When airlines experience operational disruptions, merchants should anticipate coordinated phishing campaigns and prepare customer communications accordingly.
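To make the domain-monitoring step concrete, the sketch below triages a feed of newly registered domains using the keyword clusters this article describes, and flags the multi-brand combinations mentioned earlier. It is an added example, not code from the BforeAI research; the brand names, owned domains, and sample feed are hypothetical placeholders.

```python
import re

# Hypothetical brand names and owned domains; replace with your own portfolio.
BRANDS = {"examplair", "skysample"}
OWNED = {"examplair.example", "skysample.example"}

# Keyword clusters drawn from the campaign themes described in the article.
THEMES = {
    "generic_travel": ("flight", "airline", "airfare", "charter", "privatejet"),
    "credential_phishing": ("ticket", "reward", "point", "card", "checkin", "booking"),
    "recruitment_vendor": ("hiring", "career", "employee", "partner"),
    "support": ("support", "help"),
    "crypto": ("coin", "airdrop", "token", "bitcoin"),
}

def triage(domain):
    """Return a finding for a newly registered domain, or None if owned or unrelated."""
    domain = domain.strip().lower().rstrip(".")
    if domain in OWNED or any(domain.endswith("." + d) for d in OWNED):
        return None
    # Drop the TLD, then hyphens, digits and dots, so "private-jet" matches "privatejet".
    compact = re.sub(r"[^a-z]", "", domain.rsplit(".", 1)[0])
    brands = sorted(b for b in BRANDS if b in compact)
    themes = sorted(t for t, words in THEMES.items()
                    if any(w in compact for w in words))
    if not brands and not themes:
        return None
    # Brand plus theme is the strongest signal; generic keywords alone rank lowest.
    priority = "high" if brands and themes else "medium" if brands else "low"
    return {"domain": domain, "brands": brands, "themes": themes,
            "multi_brand": len(brands) > 1, "priority": priority}

# Constructed sample feed (in practice: a zone-file or certificate-transparency feed).
SAMPLE = [
    "examplair.example", "careers.examplair.example",
    "examplair-checkin-rewards.example", "examplair-skysample-cheap-flight.example",
    "skysamplecoin-airdrop.example", "examplair-hiring-partner.example",
    "private-jet-charter.example", "gardening-tips.example",
]

def run(feed=SAMPLE):
    """Triage every domain in the feed and keep only the findings."""
    return [f for f in map(triage, feed) if f]
```

Substring matching is deliberately broad for triage and will produce false positives; pair the output with domain age and hosting signals before acting on a finding.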
The Bottom Line
Airline brands have become launchpads for fraud not because of weak security, but because of strong trust. Travelers instinctively trust airline names. Fraudsters exploit that trust to harvest credentials, divert payments, and infiltrate B2B networks.
For travel merchants, this threat landscape requires moving beyond reactive fraud controls toward predictive risk management. The infrastructure described in recent research is not opportunistic. It is sustained, organized, and evolving. Merchants who understand these patterns and adapt their defenses accordingly will be best positioned to protect both their customers and their bottom line.
Sources: Help Net Security, Skift
