In an examination of the 296 member airlines of the International Air Transport Association (IATA), Proofpoint uncovered that 61 percent of these organizations do not have a published DMARC (Domain-based Message Authentication, Reporting & Conformance) record, making them potentially more susceptible to cybercriminals spoofing their identity and increasing the risk of email fraud targeting consumers. IATA member airlines represent 82 percent of total air traffic.
Further, a massive 93 percent of the global airlines have not implemented the strictest and recommended level of DMARC protection. That setting and policy is known as “Reject” and actually blocks fraudulent emails from reaching their intended target. This means that only 7 percent are proactively blocking fraudulent emails from reaching their customers’ inboxes.
In the MEA region, 26 out of 61 airlines have a DMARC policy published, meaning 57 percent have no DMARC protection in place at all. However, only 4 out of 61 (7 percent) have the full recommended implementation of DMARC to protect customers from fraudulent emails spoofing their domain. That means a staggering 93 percent do not have the required security in place to prevent fraudulent attacks impersonating their domain from reaching users.
“While the travel sector has always been a rife target for cybercriminals, the pandemic has offered new grounds for the targeting of travellers globally. Whether booking new flights or seeking information on flight cancellations, one thing remains the same: many people worldwide are eagerly awaiting communication from airlines,” said Adenike Cosgrove, Cybersecurity Strategist, International at Proofpoint. “Worryingly, at a time when opportunistic cybercriminals may look to take advantage of such global uncertainty, the majority of international airlines are leaving their customers exposed to email fraud.”
Overall, major global carriers are failing to implement adequate email protection – leaving themselves open to phishing, impersonation attacks and other unauthorized use of corporate domains. This is despite email remaining the number one threat vector for cybercriminals.
That said, adoption levels differ from region to region. Out of the regions classified by IATA, China & North Asia has the lowest level of DMARC adoption, with 85 percent having no published policy at all, therefore no visibility into the unauthorized use of their domains. This is followed by Asia Pacific (70 percent), Europe and Middle East & Africa (both regions at 57 percent) and The Americas (43 percent).
When it comes to proactively protecting their customers against email fraud, China & North Asia fares the worst with 100 percent of its carriers not having the strictest DMARC policy in place (Reject). This is followed by Europe and Middle East & Africa (both regions at 93 percent), and APAC and The Americas (both at 89 percent).
“It is critically important that the communication methods used by airlines and every other industry are secure. We recommend implementing robust email defences and inbound threat blocking capabilities (including deploying DMARC email authentication protocols),” added Cosgrove.