Cyber Security in Aviation: Phishing and Social Engineering

Phishing
Your inbox is like an airport terminal — most passengers have boarding passes, but sometimes stowaways slip through security.
Phishing attacks are the social equivalent of someone boarding the aircraft in a fake uniform. They look legitimate, they ask for access, and if you don’t check their ID, they can walk straight into sensitive systems.
Most phishing doesn’t look like a Hollywood hacker. It’s a believable request from a manager, an urgent invoice or a “security alert” from a supplier – and that’s the point. These messages rely on urgency, authority and familiarity to get you to click, reply or enter credentials.
Think about how rigorous airport ID checks are for staff and contractors. The same mindset should apply to emails, messages and links in our businesses.
Practical ways to stop phishing from getting on board:
- Pause before you click – urgent language is a red flag. If it smells like panic, treat it like suspicious cargo.
- Verify the sender – hover over links, check the actual email address (not just the display name), and confirm requests via a separate channel (call the person on a known number rather than replying to the message).
- Don’t enter credentials via email links – go directly to the service/portal instead.
- Watch for subtle spoofing – one-letter domain changes, weird attachments (.exe, .scr), or mismatched salutations.
- Use MFA – even if credentials are phished, a second factor often stops the attacker at the cockpit door.
- Report and learn – flag suspected phishing to your IT/security lead and share the example so the whole team learns.
Example phishing signals:
- “Payment overdue – pay immediately” with an unfamiliar invoice.
- “Login required to avoid suspension” where the link domain doesn’t match the provider.
- Attachments you didn’t expect, especially with odd file extensions.
As in aviation, rehearsed checks and a culture of verification keep everyone safer. Treat every unexpected message like a person asking to board without visible ID – check, confirm and only then let them on.
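The checks above (sender address rather than display name, one-letter domain changes, links whose visible address doesn’t match where they really go, odd attachment extensions) can be turned into a simple triage script. This is an added example, not code from the original article; the message, the domain airlogistics.example and the lookalike air1ogistics.example are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample message (not a real email) showing the signals the article lists.
SAMPLE_EMAIL = """\
From: "AirLogistics Accounts" <billing@air1ogistics.example>
Subject: Payment overdue - pay immediately

<p>Login required to avoid suspension:</p>
<a href="http://portal-verify.example.net/login">https://portal.airlogistics.example/login</a>
<p>Attached: invoice_4471.pdf.scr</p>
"""
TRUSTED_DOMAINS = {"airlogistics.example"}  # assumed: the organisation's genuine domain
RISKY_EXTENSIONS = (".exe", ".scr")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter domain changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates (1-2 edits away), else None."""
    return next((t for t in trusted if domain != t and edit_distance(domain, t) <= 2), None)

def link_mismatches(html):
    """Links whose visible URL host differs from the host the href really points to."""
    pairs = re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', html)
    hosts = [(urlparse(t.strip()).hostname, urlparse(h).hostname) for h, t in pairs]
    return [(shown, real) for shown, real in hosts if shown and real and shown != real]

def risky_attachments(text):
    """File names ending in the extensions the article flags (.exe, .scr)."""
    return [n for n in re.findall(r"[\w.-]+\.\w+", text) if n.lower().endswith(RISKY_EXTENSIONS)]

def phishing_signals(raw):
    """List the phishing signals found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    imitated = lookalike_domain(domain)
    body = msg.get_payload()
    signals = [f"sender domain {domain} looks like {imitated}"] if imitated else []
    signals += [f"link shows {s} but goes to {r}" for s, r in link_mismatches(body)]
    signals += [f"risky attachment {n}" for n in risky_attachments(body)]
    return signals
```

Running `phishing_signals(SAMPLE_EMAIL)` flags all three signals in the sample; a script like this supports the human check described above, it does not replace it.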
Social Engineering
People are often the easiest route onto the tarmac. Social engineering is the art of getting access by manipulating people – not cracking systems. In aviation terms, it’s the person who strolls past the perimeter in a high-vis vest and a confident stride, and suddenly they’re in the ramp area because nobody asked for ID.
Attackers do the same online and in person: they impersonate colleagues, vendors, regulators or contractors and use charm, urgency, or authority to get what they want. When technical defences are solid, the human gap becomes the weakest link. That’s why a security culture – and simple, repeatable checks – matter more than ever.
Common social engineering tactics:
- Pretexting – a believable story to justify access (e.g., “I’m from IT, I need your credentials to fix the system”).
- Vishing – phone calls that impersonate senior staff or vendors asking for urgent transfers or credentials.
- Baiting – leaving USB sticks or attachments that promise something enticing but install malware.
- Tailgating / shoulder surfing – physical access by following someone through a secure door or watching over a shoulder to capture credentials.
- Impersonation via social media – attackers research profiles to craft personalised, trustworthy approaches.
How to defend your organisation:
- Verify before you trust – if someone asks for access or sensitive info, confirm their identity through a separate channel (call a known number, check through the vendor portal). Don’t rely on a caller ID or a confident tone.
- Make “ID checks” routine – badge, call sign or token checks should be non-negotiable. Train people to ask for verification even from senior staff.
- Limit what staff can access – apply least privilege: only give systems and data access that’s needed for the role. If someone changes role, change their access.
- Run regular, realistic exercises – phishing and social engineering simulations teach staff to spot tricks without embarrassment. Treat mistakes as training moments, not punishment.
- Lock screens & secure physical spaces – simple behaviours (lock your laptop, don’t prop doors) stop casual opportunists.
- Reduce oversharing online – brief staff on the risks of posting detailed schedules, travel, or role information that attackers can use for pretexting.
- Have a clear reporting path – if someone suspects an approach, they should know exactly who to tell and how to isolate the risk quickly. Fast reporting saves time and cost.
- Vet contractors & visitors – background checks, temporary badges, escorted access – treat external people with the same scrutiny as internal staff.
Think of social engineering like someone trying to bluff their way into the cockpit by sounding like the captain. You can’t remove people from the process – but you can make the verification culture automatic, and train your teams to treat every unexpected request as something that requires a check.
The payoff is huge: fewer breaches, faster detection and a team that acts like an extra line of defence.
Next in the series: Ransomware – what happens when attackers ground systems, and how to keep your operations flying.