All organizations are vulnerable to online fraud. While IATA uses a sophisticated strategy and tools to prevent fraud attacks, fraud actors still find ways to bypass these efforts.
To help mitigate fraudulent activities, it is important that IATA stakeholders understand how to identify fraud so it can be reported to IATA's fraud prevention team. Below you will find examples of online fraud and guidance on how to report it.
Do not respond to messages originating from these domains. Delete them and report any further activities to firstname.lastname@example.org.
Last update: 22 November 2022
Latest fraud activity
This is a list of the most common fraudulent emails received by IATA. The list is not exhaustive and may change without warning. If you are unsure whether an email you received is a genuine email sent by IATA, please contact us at email@example.com.
We appreciate all reports, including emails that are already on this list.
Please note that IATA never communicates via public email domains: @gmail.com, @outlook.com, @hotmail.com, @yahoo.com, @icloud.com, @aol.com, @protonmail.com, @gmx.com, @mail.com, @usa.com, @yandex.com, @mail.ru, @qq.com, @163.com, @126.com, @sina.com, etc. You should assume that all emails sent from these domains which claim to be from IATA are fraudulent.
Warning: IATA will never send you software by email. If you receive an email claiming to be from IATA that asks you to install software attached to the email, such as an update for BSPLink, IATA ONE ID, or similar, please contact us at firstname.lastname@example.org.
|Fraudulent domain||Fraudulent email accounts|
The websites/companies listed below display the IATA logo or make reference to IATA without authorization. These websites/companies are not accredited, affiliated, or otherwise endorsed by IATA.
- Fajri Pratama Logistics - fajripratamalogistics.com
- VIP Dac USA - vipdacusa.com
- Leca Logistics BV - lecalogisticsbv.com
- Transway-Animals - transway-animals.net
- Vikuhelp - vikuhelp.com/travel
- Flytrs - flytrs.com
Fake travel agent websites
Fraudulent online travel and flight booking agencies operate internationally. These websites can appear highly professional and some may display IATA’s accredited agency logo to appear legitimate. Because this is a growing concern, IATA suggests using only verified agencies.
Verifying the legitimacy of an IATA-accredited agency
IATA accredited agencies have a unique code, which is the best way to verify the legitimacy of a travel agency. Agencies will provide their IATA code if asked. This can be verified online via our email email@example.com, or through the IATA Customer Portal.
Fake statements from member airlines and strategic partners
Fraudsters often feature false statements on their websites claiming to be IATA accredited, protected or bonded, or claim that they hold membership with IATA. Be aware that when a travel, cargo, or service agency references IATA on their home page, it does not necessarily mean that they are IATA accredited.
To verify the validity of IATA's member airlines and strategic partners we recommend the following:
Email is one of the most frequent fraud techniques. Fraudsters posing as IATA often target travel organizations and other industry stakeholders with the intention of extorting money. Read more about fraudulent email techniques with the IATA Fraudulent emails warning (pdf)
Types of email fraud:
- Phishing: emails claiming to be from legitimate organizations asking individuals to reveal confidential information such as passwords and bank details, or take a risky action such as transferring money to a new bank account.
- Spoofing: Email addresses disguised as IATA domains (such as firstname.lastname@example.org)
- Puppy scams: IATA does not sell or transport animals. Emails purporting to originate from IATA which offer to sell or deliver puppies or other live animals are fraudulent.
- IATA never communicates through public email domains: yahoo.com, gmail.com, etc.
- IATA will never ask you to share confidential information via email. Such information should only be shared through the Customer Portal.
- IATA will never ask you to change your bank account via email.
- Verify our list of current and recurrent email domains used by fraudsters located on the Fraud Activity tab.
- Read more about fraudulent email techniques with the IATA Fraudulent emails warning (pdf)
Reporting fraud (with reference to IATA)
- If you receive an email from a fraudulent address, forward it as an attachment to email@example.com and then delete it
- If you have a doubt concerning a suspicious email address, please contact firstname.lastname@example.org
IATA’s genuine email domain addresses
IATA uses several domains when communicating by email. Below is the list of official domains used by IATA:
- iata.org, iatan.org, iata.force.com, cnsc.us
What addresses does IATA use to send emails?
IATA uses many addresses to send emails to its customers. IATA emails typically end in ‘@iata.org’. Subdomains like ‘@info.iata.org’, ‘@updates.iata.org’ and ‘@bsplink.iata.org’ are also used for different purposes. Please be aware that fraudsters use phishing methods to make an email address appear to end in “@iata.org”, but the reply address will be different. If you are unsure whether an email from IATA is genuine, please contact email@example.com.
I just realized I have paid a fraudulent invoice, what do I do?
- We advise you to contact your bank and notify them to cancel or recall the payment.
- We advise you to contact the destination bank and notify them to stop or cancel the payment and freeze the fraudulent account.
- We advise you to inform your local authorities and raise a complaint at their office or via their website.
- You can report the fraud to our partner Cybera.io who may be able to help recover the funds.
What can I do to protect myself?
Immediately contact Fraud Reporting when you receive emails/invoices that appear suspicious or fraudulent.
- Fraudsters often use threatening language in order to get you to pay into their account as soon as possible. They may even call your office and pose as an IATA employee. First check with the Fraud Reporting team to see whether the suspicious email/call you received is valid or not.
- Distribute the information about fraud tactics around your office
- You can give our fraud warning to your company’s internal communication to circulate and also let your colleagues know the tactics that are being used by fraudsters. The more people that are made aware of fraudulent attacks, the less susceptible they are to fraudulent attacks
- Pass information regarding fraud prevention to new employees
- New employees can easily fall victim to fraudulent attacks because most are unaware of how to identify and deal with them. If you are leaving your current position in your organization, we advise that you pass any information you have to the new employee if possible. If circumstances do not permit, please advise your HR department to inform your replacement about the fraudulent emails and invoices
I received a suspicious email, but it is from an IATA employee, what do I do?
Fraudsters have been known to use the names of real IATA employees in order to make their fraudulent email appear legitimate. Please forward all suspicious emails to firstname.lastname@example.org
What security measures does IATA have in place to prevent fraud and what do we recommend others implement?
Domain spoofing is the trick of forging an email header so that the message seems to originate from someone or somewhere different from the actual source.
DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance, is an email protocol designed to protect a company's email domain from being used for email spoofing and phishing scams.
IATA has implemented both email authentication components of DMARC: "Sender Policy Framework" (SPF) and "DomainKeys Identified Mail" (DKIM).
This allows email receivers to check whether incoming messages have valid SPF and DKIM records and whether these align with the sending domain. After these checks, a message is considered either DMARC compliant or DMARC failed. In case of DMARC failure, IATA has defined that email delivery should be rejected.
For further information about DMARC, please visit https://dmarc.org/.
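The checks described above (official sending domains, public email domains, a reply address that differs from the displayed sender, and the DMARC result) can be applied to a received message's headers. The following is an added example, not IATA's own tooling; the function names, finding labels and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Official sending domains and public webmail domains, as listed on this page.
OFFICIAL = {"iata.org", "iatan.org", "iata.force.com", "cnsc.us"}
PUBLIC = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com",
          "aol.com", "protonmail.com", "gmx.com", "mail.com", "usa.com",
          "yandex.com", "mail.ru", "qq.com", "163.com", "126.com", "sina.com"}

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_official(domain):
    """True for an official domain or a subdomain of one (e.g. info.iata.org)."""
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL)

def triage(raw):
    """Return the list of fraud indicators found in one raw message."""
    msg = message_from_string(raw)
    sender = domain_of(msg["From"])
    reply = domain_of(msg["Reply-To"])
    findings = []
    if sender in PUBLIC:
        findings.append("public-webmail-sender")
    elif not is_official(sender):
        findings.append("non-official-sender-domain")
    if reply and not is_official(reply):
        findings.append("reply-to-outside-official-domains")
    # DMARC verdict recorded by the receiving server; trust this header
    # only when your own mail server added it.
    results = " ".join(msg.get_all("Authentication-Results") or [])
    verdict = re.search(r"\bdmarc=(\w+)", results)
    if not verdict:
        findings.append("no-dmarc-verdict")
    elif verdict.group(1).lower() != "pass":
        findings.append("dmarc-" + verdict.group(1).lower())
    return findings

# Constructed sample: the displayed sender claims iata.org, replies go elsewhere.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=billing.example; dmarc=fail header.from=iata.org
From: "IATA Finance" <invoices@iata.org>
Reply-To: accounts@billing.example
Subject: Outstanding invoice

Please pay today.
"""
```

An empty result only means none of these indicators was present; a message that still looks suspicious should be reported as described above.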