I don’t bring this up very often in case it sounds like bragging, but I’m officially a green belt in computer security, thanks to mandatory online training courses at work. I know it all: how to check if the from address on an email looks familiar, how to hover over links in the email to see if the URL matches what I expect, how to click the Hoxhunt button. I’m basically a lethal weapon in computer security.
So when I received an email from Air France Customer Service telling me that The Authorities needed me to upload my travel documents before my flight in two days, I stopped to think before clicking. I had, in fact, already uploaded my visa through the Air France app several days earlier, because the app asked me to. Why would I need to repeat the process? And why is the date written in American format, when it’s a French company?
Could this be… A SCAM?
Instantly, my finely-honed training sprung into action. I did not hesitate before looking at the from address. It should be Air France, right? But in fact it’s from connect-passengers.com. Suspicious. Very suspicious. It’s not a random alphanum address, it’s true. It could be a third party that Air France hired to send email to passengers. That would be a violation of GDPR, which is worth noting, but not unheard of.
So let’s check them out, let’s visit their website. No DNS. Nothing at all. Not even www.connect-passengers.com. Who are these faceless creeps shrinking away from the light?
Let’s check WHOIS. Hmm. The domain is indeed registered to Air France. Or… “SOCIETE AIR FRANCE”. Hold on a moment! Is that really the same thing? Let’s compare to a definitely legitimate domain, airfrance.fr. Aha! Different! Legitimate websites are registered to clearly legitimate trademark holders like, uh… “MEYER & PARTENAIRES”. Or OK, legitimate trademark holders’ lawyers I guess. But while I personally don’t know this Meyer person, they apparently live in Roissy Aeroport. I don’t recognise Roissy Aeroport either, but it turns out CDG simply adopted that as a nom-de-plume, as is the French style. Basically it doesn’t get more legitimately Air France. Whereas this so-called “SOCIETE AIR FRANCE” doesn’t have any address at all.
It could still be real though. I’m flying to Benin, a former French colony. Byzantine bureaucracy is to be expected. And I do have a real concern: I would like a window seat, but refuse to pay for it on principle. I was planning to check in as soon as it opens, which happens to be 06:20. I would be very unhappy to get up specially and then have to delay anyway because of a missing document.
So I get in touch with Air France via “social media”. In practice that’s Facebook, WhatsApp, or that weird thing Apple puts you in when you try to send an SMS. I chose the last of those. Simple question: I received an email from connect-passengers.com, is it legit? They ask me for the email address, a screenshot of the email, my booking details, my frequent flyer number. And with that the simple answer: we might send you emails. Argh. Yes, I know that. My question was… is this email legitimate? And the support drone says, we can’t do that kind of thing on “social media”, please phone customer service. But FYI, you used Expedia, so it’s probably their fault.
It is, in fact, very likely that it’s Expedia’s fault. I’ve already lived a relatively long and happy life, mostly by staying true to that principle.
Still though, what if? What if this is actually a thing and I can’t get a window seat? I decide to phone customer service. I get through several rounds of deliberately misleading IVR prompts, and by the time I’m actually connected to a human I’m outright screaming down the phone. (For the record: today they were not experiencing unusual call volumes. This is a real phenomenon that happens sometimes.) The guy brings up my records and assures me that everything is completely fine. All my documents are in order, check-in should be smooth. “Connect Passengers dot com? No, that doesn’t sound like Air France.”
Scam! It’s a scam! Air France has never heard of these people! Total, 100% scam. The only question is who leaked it? The customer service guy also said it must be an Expedia thing. It could, however, be Kayak. I use their service to convert confirmation emails into iCalendar. They could have been hacked.
Pretty convincing. But you know, for those of us in the computer security game, that kind of thing is what we call “yellow belt thinking”. You’re young and inexperienced, and when you find a likely answer, that’s all you can focus on. In the excitement of checking the from address, you forgot to hover over the link, didn’t you? What was under that link, soldier? Yeah, thought so. That’s how they get you.
There are two major links in this email. One of them is labelled “about ready to fly”. That’s legitimately to airfrance.fr, but that’s not a surprise. That’s the scammers’ line, to lull you into a false sense of security. The bad link will be the other one, “send my documents”. While that does also appear to be airfrance.fr, look closer and it’s a subdomain. And the URL contains a massive alphanum string. Hard to verify. Suspicious. But still plausible. Could my window seat be at risk after all?
There’s only one thing to do. I hop back onto whatever that Apple SMS thing is and ask a different question: “if I happened to get an email from ready to fly, what email address would it be from?”
The response was instantaneous after a few minutes: “we can’t answer that question on social media”. But! If I have concerns, here’s a link to Air France’s official ready to fly service.
It’s a URL shortener. With a Libyan TLD.
By this point I’ve realised something. Benin, like most West African countries, requires tourists to prove yellow fever vaccination. The Air France app had prompted me for my visa, but not my vaccination certificate. It’s plausible that this is a real requirement. Now, as it happens, I just flew to Ghana two weeks before, with KLM which is the same damn company. No-one mentioned yellow fever until I landed. But, still, it’s possible. It’s possible that the app’s “please give me documents” feature just never grew to include vaccination documents. (It’s 2025. Like… no, OK, let it go.) So perhaps it’s a Benin-specific thing that Air France shoehorned in via a spare domain they had lying around from the 90s. Maybe?
So I carefully skirt my way around the Libyans, and instead google this damn “ready to fly” thing. I find an actual URL. And wouldn’t you know it, it’s just the same worryingly-guessable “confirmation number plus last name” thing they use for check-in. It asks me only for a vaccination certificate, which I’m happy to provide.
And I’m done. Not a scam. Actually something I need to do if I want a window seat.
For me, this story ended happily. But with great power comes great responsibility. This is not a time to celebrate and rest on my window seat. This is a time to reflect. I cannot help but meditate on all the poor, downtrodden, belt-less folk out there. This scenario is playing out not so happily, day after day, all around the world. Vulnerable people are left scared, confused, ripped off, abandoned, in a middle seat. We built a society out of rules, but the rules are not working. The real fight is only beginning.