All organizations are vulnerable to online fraud. While IATA uses a sophisticated strategy and tools to prevent fraud attacks, fraudsters still find ways to bypass these efforts. To help mitigate fraudulent activities, it is important that IATA stakeholders understand how to identify fraud so it can be reported to IATA's fraud prevention team. Below you will find examples of online fraud and guidance on how to report it.
To report fraudulent activities, contact firstname.lastname@example.org
All organizations are vulnerable to online fraud. While IATA uses a sophisticated strategy and tools to prevent fraud attacks, fraudsters still find ways to bypass these efforts.
To help mitigate fraudulent activities, it is important that IATA stakeholders understand how to identify fraud so it can be reported to IATA's fraud prevention team. Below you will find examples of online fraud and guidance on how to report it.
Do not respond to messages originating from these domains, delete them and report any further activities to email@example.com
Latest fraud activity
This is a list of the most common fraudulent emails received by IATA. The list is not exhaustive and may change without warning. If you are unsure whether the email you received is a genuine email sent by IATA, contact firstname.lastname@example.org.
We accept and appreciate reports of emails that are already on this list.
Please note that IATA never communicates via these domains: @gmx.com, @yahoo.com, @hotmail.com, @iname.com, @accountant.com, @gmail.com, @mail.com, @aol.com, @live.com, @usa.com, or @outlook.com. You should assume all emails sent from those domains and purporting to be from IATA are fraudulent.
For the month of March, a substantial phishing campaign targeted many stakeholders, using the fraudulent emails: "email@example.com" and "firstname.lastname@example.org". Be aware and report any communications from these emails.
|Fraudulent email accounts|
The websites/companies listed below are displaying the IATA logo or making a reference to IATA without authorization. These websites/companies have no affiliation with IATA and are not accredited or otherwise endorsed by IATA in any manner.
- CruiseBuilder - cruisebuilder.com/
- Fajri Pratama Logistics - fajripratamalogistics.com/
- Global Alterius Logistics Ltd. - globalalterius.com/
- Gateway VIP Services - gatewayvipservices.com/
- VIP Dac USA - vipdacusa.com/
- First Priority Logistics Service - firstprioritylogs.com/
Fake travel agent websites
Fraudulent online travel and flight booking agencies operate internationally. These websites can appear highly professional and some may display IATA’s accredited agency logo to appear legitimate. Because this is a growing concern, IATA suggests using only verified agencies.
Verifying the legitimacy of an IATA-accredited agency
IATA-accredited agencies have a unique code, which is the best way to verify the legitimacy of a travel agency. Agencies will provide their IATA code if asked. This can be verified online via our email email@example.com, or through the IATA Customer Portal.
Fake statements from member airlines and strategic partners
Fraudsters often feature false statements on their websites claiming to be IATA accredited, protected or bonded, or claiming that they hold membership with IATA. Be aware that when a travel, cargo or service agency references IATA on their home page, it does not necessarily mean that they are IATA accredited.
To verify the validity of IATA's member airlines and strategic partners we recommend the following:
Email is one of the most frequent fraud techniques. Fraudsters posing as IATA often target travel organizations and other industry stakeholders with the intention of extorting money. Read more about fraudulent email techniques with the IATA Fraudulent emails warning (pdf)
Types of email fraud:
- Phishing: emails purporting to be from legitimate organizations asking individuals to reveal confidential information such as passwords and bank details
- Spoofing: Email addresses disguised as IATA domains (such as firstname.lastname@example.org)
- Puppy scams: IATA does not sell or transport animals. Emails purporting to originate from IATA which offer to sell or deliver puppies or other live animals are fraudulent.
- IATA never communicates through the following domains: yahoo.com, gmail.com, etc.
- IATA will never ask you to share confidential information via email, such information should only be shared through the Customer Portal
- Verify our list of current and recurrent email domains used by fraudsters located on the Fraud Activity tab
- Read more about fraudulent email techniques with the IATA Fraudulent emails warning (pdf)
Reporting fraud (with reference to IATA)
- If you receive an email from a fraudulent address, forward it to email@example.com and delete it
- If you have a doubt concerning a suspicious email address, please contact firstname.lastname@example.org
IATA’s genuine email domain addresses
IATA uses several domains when communicating by e-mail. Below is the list of official domains used by IATA
What addresses does IATA use to send emails?
IATA uses many addresses to send emails to its customers. All IATA emails typically end in ‘@iata.org.’ Though there are subdomains like ‘@info.iata.org’, ‘@updates.iata.org’ and ‘@bsplink.iata.org’ are other domains used for different purposes. Please be aware that fraudsters using phishing methods to make an email address appear to end in “@iata.org”, but the reply address will always be different. If you are unsure whether an email from IATA is genuine or not please do not hesitate to contact email@example.com .
I just realized I have paid a fraudulent invoice, what do I do?
We advise that you contact your bank and notify them to cancel or recall the payment. Also inform your local authorities and raise a complaint at their office or via their website.
What can I do to protect myself?
Immediately contact Fraud Reporting when you receive emails/invoices that appear suspicious or fraudulent.
- Fraudsters often use threatening language in order to get you to pay into their account as soon as possible. They may even call your office and pose as an IATA employee. First check with the Fraud Reporting team to see whether the suspicious email/call you received is valid or not.
- Distribute the information about fraud tactics around your office
- You can give our fraud warning to your company’s internal communication to circulate and also let your colleagues know the tactics that are being used by fraudsters. The more people that are made aware of fraudulent attacks, the less susceptible they are to fraudulent attacks
- Pass information regarding fraud prevention to new employees
- New employees can easily fall victim to fraudulent attacks because most are unaware of how to identify and deal with them. If you are leaving your current position in your organization, we advise that you pass any information you have to the new employee if possible. If circumstances do not permit, please advise your HR department to inform your replacement about the fraudulent emails and invoices
I received a suspicious email, but it is from an IATA employee, what do I do?
Fraudsters have been known to use the names of real IATA employees in order to make their fraudulent email appear legitimate. Please forward all suspicious emails to firstname.lastname@example.org
What security measures does IATA have in place to prevent fraud and what do we recommend others implement?
Domain spoofing is the trick of forging an email header so that the message seems to originate from someone or somewhere different from the actual source.
DMARC, which stands for Domain-based Message Authentication, Reporting, and Conformance is an email protocol, designed to protect a company's email domain from being used for email spoofing and phishing scams. IATA has implemented both email authentication components of DMAC: "Sender Policy Framework" (SPF) and "Domain Key Identified Mail" (DKIM). This allows, email receivers to check if incoming messages have valid SPF and DKIM records and if these align with the sending domain. After these checks a message can be considered as DMARC compliant or DMARC failed. In case of DMARC failure, IATA had defined that the email delivery should be rejected.
For further information about DMARC, please visit https://dmarc.org/.