Cyber-phishing has emerged as one of the fastest-growing threats facing business aviation, with attack rates reportedly doubling year over year within the industry—outpacing even the alarming 600% annual growth seen in general phishing threats across the broader economy. According to Josh Wheeler of Gogo and NBAA's Security Council, and Joshua Crumbaugh, an ethical hacker and founder of PhishFirewall, the sophistication of these attacks has escalated dramatically with the integration of artificial intelligence. Business aircraft have become particularly attractive targets because of the volume of sensitive data now flowing to and from the cabin: real-time teleconferencing, scheduling details, passenger locations, and social media activity all create exploitable digital footprints. The article's centerpiece example—a $25 million heist executed by impersonating a CEO who was airborne and unreachable—illustrates how attackers are weaponizing flight-tracking data and AI-generated deepfakes to exploit windows of unverifiable authority.
For flight departments, corporate security teams, and business aviation operators, this represents a fundamental shift in threat modeling. Traditional cybersecurity concerns for aircraft have centered on avionics integrity, ACARS spoofing, or satcom vulnerabilities, but this reporting highlights a softer, more insidious attack surface: the human element surrounding high-value passengers. Knowing that a principal or C-suite executive is inflight and unreachable gives bad actors a predictable window to impersonate that individual with near-perfect voice cloning—requiring as little as a few minutes of publicly available audio—and issue fraudulent wire-transfer instructions or other high-stakes directives to subordinates who have no way to verify authenticity in real time. This is especially dangerous for flight departments supporting ultra-high-net-worth principals, corporate boards, or government officials, where flight schedules and passenger manifests, if leaked or inferred from ADS-B data and social media, become actionable intelligence for attackers.
The broader trend here dovetails with growing scrutiny around ADS-B privacy programs (like the FAA's PIA/LADD systions and blocking mechanisms increasingly requested by corporate flight departments), as well as heightened NBAA advocacy for tail-number privacy protections. Operators who have historically resisted investing in flight-tracking obfuscation now have an added justification: limiting public visibility into who is airborne, when, and for how long directly reduces the attack surface for these impersonation schemes. This connects to a wider industry conversation about treating cybersecurity as an operational risk management issue rather than a pure IT function—paralleling how SMS (Safety Management Systems) frameworks have expanded to encompass insider threats, data governance, and now social-engineering vulnerabilities tied to flight operations data.
Perhaps most relevant for pilots and dispatchers is the reminder that technology alone cannot solve this problem. Both Wheeler and Crumbaugh frame phishing susceptibility as a human, behavioral issue rather than a purely technical one—rooted in the same fast-brain/slow-brain decision dynamics that CRM and threat-and-error-management training already address in the cockpit. Just as pilots are trained to pause, verify, and cross-check before acting on ambiguous or urgent information in flight, the same discipline is now being urged for handling communications purportedly from executives, dispatch, or ownership—especially those demanding urgent financial or operational action. As deepfake audio and video tools become more accessible and convincing, flight departments will likely need to incorporate cyber-awareness and verification protocols (such as callback procedures or code words) into recurrent training, treating social engineering as seriously as any other operational risk in the modern business aviation environment.
Read original article