Home / Industry

Fake Airline Ticket Scams: Domain Spoofing and Other Red Flags

The holidays are a bustling time for businesses and, unfortunately, fraudsters too. Travel fraud is rife in the lead up to the festivities, with airline ticket scams taking center stage. According to a report by The Street, airlines lose US$2.4–4.8 billion yearly due to false bookings. Consumers, meanwhile, lose US$283–588 per transaction.

The lucrative payoff is often irresistible for cybercriminals, as they don’t have to use significant resources to pull off elaborate cons. In fact, it’s usually as easy as setting up a legitimate-looking website with a working payment facility. And many are fooled: A survey by McAfee found that one in five travelers have been scammed while booking their vacations online.

How Fake Airline Ticket Scams Work

A popular version of the fake airline ticket scam caught the attention of the Better Business Bureau earlier this year. The scammers posed as third-party airline ticket brokers, drawing unsuspecting travelers through a bogus reservations website.

Upon completing their ticket booking, consumers would receive a call from the travel company asking them to confirm their payment information. They would then get a verifiable confirmation code with the airline. After a few days, victims would find their reservations canceled despite the credit card charges. And the booking company is nowhere to be found.

Such bogus sites rely on domain spoofing to impersonate popular travel brands. Criminals set up a copycat website on a domain that’s closely similar to the target company’s web address. Fraudsters also use domain spoofing for:

  • Extending fake discount offers to users via phishing emails, pop-ups, and malvertising
  • Sending users fake email notifications for a hotel or flight booking they did not make
  • Redirecting consumers who are ready to pay to a page that doesn’t even share the same domain
  • Installing malware on a user’s computer to steal their personally identifiable information (PII)

Our Investigative Tools: WHOIS Search and Others

According to the AARP, people are 80% less likely to become victims of holiday scams when having ample awareness of how these occur in the first place. Unfortunately, McAfee notes that 27% of holiday bookers still don’t check if a website they’re viewing is authentic before engaging in transactions.

A domain name alone can reveal a lot about bogus companies. For instance, criminals often add high-intent keywords, such as “cheap,” “free,” “reservations,” and “voucher” to a branded domain name to entice users. They also use unusual country-code top-level domains (ccTLDs) or new generic TLDs (gTLDs) for their sites.

Let’s use Delta Airlines as an example. Its domain is delta[.]com. As one of the world’s largest airlines, its domain is a scammer favorite. With a simple Google search for the search term “Delta Airlines Reservations Deals,” we found an impostor site (i.e., deltaairlines-flights[.]com). We opted for this keyword as it was associated with a past incident.

A screenshot of the promotional content from the site already hints at some form of fakery.

Notice the too-good-to-be-true deal. While it’s possible that major airlines would occasionally lower their fares, they rarely slash prices by up to 55%. If they ever do, they’d probably announce the promotion on their website, rather than through a third party.

Using WHOIS Search, we retrieved extracts of the official site’s WHOIS records and its copycat’s and found startling differences:

Real website (https://www.delta[.]com)

Fake website (https://deltaairlines-flights[.]com)

The results show that the fake website was registered just this February, as opposed to its real counterpart, which has been in use since 1993. Of course, that information alone won’t let us confirm that the second website is suspect, so we ran subsequent queries using other tools.

We ran a Reverse WHOIS Search for the impostor site’s registrant contact, Delta Reservations, and found that it wasn’t associated with any website, let alone Delta’s. That again doesn’t indicate that the site is fraudulent, but it’s not reassuring either.

What we can do, however, is verify whether “Delta Reservations” matches the owner of the actual website. Since the current WHOIS record for Delta Airlines was redacted, we used WHOIS History Search to check for previous publicly available records. Here’s what we found:

As you can tell, the registrant contact details for the fake and real sites don’t match. But is it possible that https://deltaairlines-flights[.]com is just another Delta brand? The Reverse WHOIS Report reveals that it’s not among the domains owned by Delta Air Lines Inc.

Based on a casual audit of Delta Airlines’s website, it seems that it uses subcategories or folders (such as https://www.delta.com/cn/en) for its country versions. It doesn’t use ccTLDs for its online properties. As such, it appears that the domains associated with Delta Airlines were registered ahead of time, most probably to protect its marks against cybersquatters.

So what’s the takeaway from all this? First, fake booking sites are often fairly new compared to official airline websites that have been around for decades. Second, most big-name companies often have publicly available domain ownership records that you can easily reference. Finally, it’s best to look up other background information on a particular website before committing to their service. If you don’t find a lot of available data on a site, then it may not be worth your time.

Before making a booking, ensure that you’ve done due diligence, such as looking for other online sources pointing to its website. You can also visit the International Air Transport Association’s (IATA) website to find out if the organization is an accredited airline ticket broker.

* * *

It’s easy to let one’s guard down this holiday season. By remaining vigilant, consumers can ward off malicious entities who are keen to steal their hard-earned cash through domain spoofing and other means. Cybersecurity tools like WHOIS Search, Reverse WHOIS Search, and WHOIS History Search can also reveal the entities behind the websites they visit.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC


Sponsored byVerisign