Inside the Global Airline Fraud Epidemic: Hackers, Fake Hotlines, and Stolen Data

The aviation industry is currently facing a complex, multi-front security threat. What initially appeared to be a localized surge in phishing has revealed a much broader vulnerability: major airlines are simultaneously fighting a two-front war against sophisticated external cybercriminals and internal corporate fraud.

Through an international collaboration between GFCN experts Srimal DC in Sri Lanka, Sang-Hyun Lee in South Korea, and Hari Chand in India, this investigation tracks a convergence of threats targeting the aviation sector from mid-2025 to May 2026. The findings detail how disparate actors are exploiting the industry from all sides, using remote-access malware against passengers, Business Email Compromise (BEC) against supply chains, and traditional embezzlement from within.

The Passenger Trap: Social Engineering and Mobile Malware

The primary vector for these scams relies on manipulating passenger psychology. In South Korea, scammers capitalized on rising oil prices and actual flight cancellations caused by conflicts in the Middle East. According to GFCN expert Sang-Hyun Lee, a clear pattern emerged throughout the second half of 2025: fraudsters exploited traveler anxiety through mass smishing (SMS phishing) campaigns.

Victims received text messages stating: “Your flight has been canceled due to the Middle East war. Please rebook using the link below.” Those who clicked the link were directed to perfectly replicated airline homepages designed to harvest credit card numbers, passport information, and bank account details. In other instances, scammers used Instagram and Facebook to promote counterfeit flight discounts.

When victims engage with these fraudulent offers, the attack often moves to direct communication. In Sri Lanka, scammers initiate contact via WhatsApp calls, posing as SriLankan Airlines representatives. GFCN expert Srimal DC reports that these operators use high-pressure tactics to convince victims that they must install a specific application to receive their refund or discount.

The victims are sent a link to download an Android application package (.apk) file outside of official app stores. Once the user is guided to bypass their phone’s security settings and install the file, a Remote Access Trojan (RAT) is deployed. This malware grants the scammers covert control over the device, allowing them to intercept One-Time Passwords (OTPs) and seamlessly transfer funds out of the victim’s bank accounts.

The Illusion of Trust: Caller ID Spoofing

An official public warning issued by the Sri Lankan Department for Registration of Persons on April 7, 2026, alerting citizens to WhatsApp scammers spoofing government hotline numbers. (Source: GFCN / Srimal DC).

To legitimize their communications, criminal syndicates employ Caller ID spoofing technology. This allows them to mask their actual phone numbers, making incoming calls appear as though they originate from official airline hotlines or government institutions.

The scope of this spoofing extends beyond corporate impersonation into critical government infrastructure. In April 2026, the Sri Lankan Ministry of Digital Economy’s Department for Registration of Persons (DRP) issued an urgent public warning. Fraudsters had successfully spoofed the department’s official hotline.

By manipulating the caller ID to display variations of the DRP’s legitimate contact number, scammers initiated WhatsApp calls to citizens. Posing as state officials, they attempted to illegally harvest personal identity data under the guise of official government business.

In response to a surge in fraudulent flight cancellation alerts masquerading as communications from airlines and travel agencies, South Korean law enforcement and leading financial platforms are actively promoting a strict verification rule to the public: major corporations, official agencies, and government departments never issue official notifications from personal mobile numbers beginning with the standard “010” prefix.
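The checks described so far (the "010" sender rule, links that lead away from the airline's own site, and .apk download links) can be combined into a simple message triage. The following is an added example, not code from GFCN or any airline; the official host, phone numbers and URLs are constructed placeholders, and the sender rule only applies to South Korean numbers.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts the airline itself publishes. Placeholder value, not a real domain.
OFFICIAL_HOSTS = {"airline.example"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def national_digits(sender):
    """Reduce a sender ID to national digits, so '+82 10-...' becomes '010...'."""
    digits = re.sub(r"\D", "", sender)
    if sender.strip().startswith("+82"):
        digits = "0" + digits[2:]
    return digits

def is_official(host):
    """Exact host or a true subdomain; a lookalike that merely contains the name fails."""
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def triage_sms(sender, body):
    """Return the signals that make a message suspect; an empty list means none fired."""
    signals = []
    if national_digits(sender).startswith("010"):
        signals.append("personal-010-sender")
    for url in URL_RE.findall(body):
        parsed = urlparse(url.rstrip(".,)"))
        host = (parsed.hostname or "").lower()
        if not is_official(host):
            signals.append("unofficial-link:" + host)
        if parsed.path.lower().endswith(".apk"):
            signals.append("apk-download-link")
    return signals

# Constructed sample messages: numbers and hosts are invented.
# The wording is deliberately not a signal, because a genuine notice (third sample)
# uses the same words as the lure.
SAMPLES = [
    ("010-1234-5678", "Your flight has been canceled due to the Middle East war. "
                      "Please rebook using the link below. http://airline.example.rebook.test/kr"),
    ("+82 10-9876-5432", "Install the refund app: https://files.example.org/refund.apk"),
    ("1588-0000", "Your flight is canceled. Manage booking: https://www.airline.example/manage"),
]
RESULTS = [triage_sms(s, b) for s, b in SAMPLES]
```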

The Corporate Breach: Supply Chains and BEC Attacks

A media report highlighting SriLankan Airlines’ official statement regarding a Business Email Compromise (BEC) attack. (Source: themorning.lk).

The threat is not limited to individual consumers; the operational infrastructure of airlines is actively under siege. Criminal networks are targeting third-party vendors to acquire the data necessary for convincing impersonation campaigns.

In December 2025, hackers breached a catering supplier for Korean Air, stealing the personal information of 30,000 employees. Simultaneously, the names and account numbers of 10,000 employees were extracted from a catering contractor affiliated with Asiana Airlines. This stolen data is routinely weaponized to facilitate highly targeted voice phishing and corporate fraud.

Hackers have also deployed Business Email Compromise (BEC) tactics to infiltrate corporate networks. In South Korea, fraudsters impersonated senior executives and human resources departments to deceive internal staff into transferring funds or releasing credentials.

This exact methodology recently resulted in significant financial losses for SriLankan Airlines in the United Arab Emirates. Following inquiries from a Dubai-based service provider regarding an unpaid invoice of 974,000 AED (approximately $265,000 USD), an official statement reveals that hackers had compromised the vendor’s email system. The cybercriminals altered bank account details and provided forged documentary proof through official communication channels, successfully diverting the airline’s payment to a fraudulent account.

The Internal Front: Traditional Embezzlement

News coverage from May 17, 2026, detailing SriLankan Airlines’ formal accusations against its Chennai staff. (Source: ndtv.com).

While airline security teams battle a surge in external cyberattacks, they are simultaneously managing severe internal vulnerabilities. Investigations in India have uncovered evidence that the financial bleeding is not exclusively the work of outside hackers.

GFCN expert Hari Chand points to recent developments in Chennai, India, where SriLankan Airlines has formally accused staff members of embezzlement. According to statements released by the airline in May 2026, the incident in Chennai is entirely separate from the UAE hacking case. Instead, employees working in the finance department of the Chennai office misappropriated over INR 22 million (approximately $263,000 USD) through traditional corporate fraud.

Internal audits revealed that the theft was executed over an extended period by systematically altering invoices, forging signatures, and fabricating payment details to divert company funds into unauthorized bank accounts. The implicated employees have been suspended, and the case has been handed over to Indian law enforcement authorities for a full criminal investigation.
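Both the UAE payment diversion and the Chennai case end with money sent to a bank account that nobody independently verified. The following added example (not code from the airline or GFCN) shows a pre-payment control that holds such payments. The vendor IDs, accounts, user names, dates and the 14-day cooling-off window are constructed assumptions; only the 974,000 amount is taken from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

COOLING_OFF = timedelta(days=14)  # assumption: hold window after any bank-detail change

@dataclass
class Vendor:
    account: str              # beneficiary account held in the vendor master
    changed_on: date          # when that account was last changed
    changed_by: str
    callback_verified: bool   # change confirmed by phoning a number already on file

@dataclass
class Payment:
    vendor_id: str
    account: str
    amount: float
    prepared_by: str
    approved_by: str
    pay_date: date

def review_payment(p, master):
    """Return the reasons to hold a payment; an empty list means release."""
    v = master.get(p.vendor_id)
    if v is None:
        return ["vendor-not-in-master"]
    reasons = []
    if p.account != v.account:
        reasons.append("account-differs-from-master")
    if not v.callback_verified:
        reasons.append("bank-change-not-callback-verified")
    elif p.pay_date - v.changed_on < COOLING_OFF:
        reasons.append("bank-change-inside-cooling-off")
    if p.prepared_by == p.approved_by:
        reasons.append("no-segregation-of-duties")
    if v.changed_by in (p.prepared_by, p.approved_by):
        reasons.append("payer-also-changed-bank-details")
    return reasons

# Constructed sample data: one emailed bank change, one insider pattern, one clean payment.
MASTER = {
    "V-001": Vendor("AE-NEW-999", date(2026, 1, 5), "ap_clerk1", False),
    "V-002": Vendor("IN-555", date(2026, 3, 1), "fin_user7", True),
    "V-003": Vendor("AE-111", date(2024, 6, 1), "onboarding", True),
}
PAYMENTS = [
    Payment("V-001", "AE-NEW-999", 974000.0, "ap_clerk2", "ap_mgr1", date(2026, 1, 9)),
    Payment("V-002", "IN-777", 50000.0, "fin_user7", "fin_user7", date(2026, 3, 20)),
    Payment("V-003", "AE-111", 1200.0, "ap_clerk2", "ap_mgr1", date(2026, 3, 20)),
]
RESULTS = [review_payment(p, MASTER) for p in PAYMENTS]
```

The first payment matches the vendor master and would pass a simple account comparison; it is held only because the bank change itself was never confirmed outside the email channel.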

Defense and Mitigation Strategies

The convergence of remote mobile malware, corporate email breaches, and insider fraud demonstrates that aviation-related scams have evolved into a highly industrialized threat. Mitigating these risks requires stringent verification protocols from both consumers and corporate entities.

To help consumers navigate this evolving threat landscape, GFCN has compiled a dedicated Passenger Protection Guide. We strongly advise all readers to review these baseline security protocols — including how to handle spoofed caller IDs and malicious app links — before interacting with any airline customer service representative online or over the phone.

Stay alert, and always verify information before taking action.

The material reflects the personal position of the author, which may not coincide with the opinion of the editors.