It seems like you can’t open your computer or personal device without finding a fraudulent email in your inbox about something urgent that requires “immediate attention” to verify your account, password, settings, etc.
And although you may not fall for the bait, sooner or later someone will bite. That’s why phishing has become the preferred weapon of cybercriminals around the world.
“Statistically, cyberphishing threats in everyday life are up about 600% year-over-year,” said Josh Wheeler, NBAA Security Council member and senior director of cybersecurity and service entry at Gogo. “In business aviation, that number is doubling every year, so it’s definitely a threat that airlines need to be aware of.
“Today’s business aircraft are attractive targets because more data is being exchanged on and off the plane than ever before,” Wheeler said. “Real-time conference calls, schedules, social media interactions… where you are, what you’re doing… it’s all there if someone wants to get it.”
Joshua Crumbaugh, founder and CEO of PhishFirewall, has spent his career as an “ethical hacker,” learning attackers’ tricks and teaching government agencies and businesses how to identify and avoid even the most sophisticated phishing schemes.
“AI-powered phishing techniques are getting much smarter. AI understands context and people’s roles within an organization. What I’m concerned about with business aviation is that there are a lot of VIPs. Knowing who’s in the air and when means you know who can’t verify things,” he said. “A hacker can use that data to digitally impersonate that person and request something on that person’s behalf. I think that’s where the big threat could come from.”
In one example he shared, the hacker knew that “Barry” was on a company plane and could not be reached to confirm instructions, which gave the hacker a window of time to operate with free rein. Posing as the CEO, the hacker then contacted company executives and instructed them to transfer funds “immediately” to close a pending transaction.
Lest you think such a scam is impossible, the hackers did pull it off, to the tune of $25 million.

Beware of AI-powered CEO impersonation
It’s becoming increasingly difficult to spot fake emails. “Pixel-perfect” duplicates of the texts and emails you receive every day, and likely act on automatically, are the most common phishing tactic in use today.
Unfortunately, cybercriminals are also weaponizing AI to enhance their schemes with deepfake voice spoofing. “It only takes a few minutes of audio to create a deepfake of your voice, which is indistinguishable from the real thing,” Crumbaugh explained. “I don’t know of any executives today who aren’t in public. Everything is somewhere on the web, so hackers can easily get the audio samples they want.
“We work with large global companies, and their call centers receive these deepfake calls almost every day,” Crumbaugh added. “It’s becoming commonplace, and what’s worse is that everything could be automated by AI without human intervention.”
If that weren’t scary enough, high-end cybercriminals are now adding AI-generated videos of people, and even pets, being held “hostage.” They send the victim videos of loved ones, complete with cries for help. In moments of stress, few people can tell the difference between the real thing and an AI simulation. And that’s exactly what cyber crooks are counting on.
“Fast brain” vs. “slow brain”
“If you don’t recognize an email or text you receive, think about it slowly. If it still doesn’t seem right, delete it,” said Wheeler. “If it’s a credible issue with a bank or other established account, the party will contact you again. Real companies don’t just delete accounts for no reason.”
“I’ve never been involved in a case where the people involved didn’t say they ‘knew’ something was wrong,” Crumbaugh said. “Hackers use emotion, urgency, authority, and fear to get to you. We have fast and slow brains. Use your slow brain to assess and understand the situation before you take action.”
Check out NBAA Aviation Cybersecurity Resources at nbaa.org/cybersecurity.
Actionable steps to strengthen aircraft cybersecurity
Protecting aircraft connectivity systems from persistent and sophisticated hackers looking to steal sensitive and potentially valuable data is easier said than done. That is especially true because the weakest link in the cybersecurity chain is people: officers and passengers can inadvertently share information that could be used in illicit ways.
“Cybersecurity (or lack thereof) is a people problem, not a technology problem,” said Joshua Crumbaugh, founder and CEO of PhishFirewall. “I’ve seen a lot of cybercrime, and I can’t find a single problem that’s due to human error. If we can stop mistakes, we can significantly reduce the threat.
“Many executives are tempted to waive various security procedures, such as passwords and multi-factor authentication protocols, because they need administrative assistants to ‘handle it,’ and that’s a lot of work,” Crumbaugh said. “It’s not that they don’t care. They just don’t think about cybersecurity. They expect IT people to take care of it.”
“We make the hacker’s job easier,” said Josh Wheeler, NBAA Security Council member and Gogo’s senior director of cybersecurity and service entry. “Very often, targeted individuals will go to social media or LinkedIn and post where they’re going. This makes it easy for hackers to find their plane. Between social media, AI, and ChatGPT, hackers can easily find just about anyone.”
“Then, once the hacker knows the aircraft’s destination, all they have to do is go to the FBO, get the Wi-Fi password, and wait for the aircraft to arrive,” Wheeler said. “Most aircraft leave their Wi-Fi on, and many don’t care about passwords, so it can be easy to break into the network.
“They’re not trying to shoot down the plane, that’s not possible, but what they want is access to passenger data, including what the passengers are doing and where they’re going, confidential information, intellectual property, trade secrets,” Wheeler said. “There’s money there.”
It’s easier than you think
Step one to strengthen business aviation cybersecurity is to ensure that company leaders and system users understand and implement best practices.
“In business aviation, chain of command and checklists are the difference between life and death,” Crumbaugh said. “But these two pillars actually become vulnerabilities if not handled correctly. So if you want CEOs and aircraft owners to take seriously the need for stronger cybersecurity, it’s all about speaking the language of risk, not the language of technology and procedures. For example, when you say you need passwords on aircraft networks to protect against identity hijacking, they usually listen.”
To ease the transition, a good place to start is to have your aircraft connectivity provider introduce cybersecurity issues to your executives. Start with your company’s IT team and consider sharing your results with senior leadership.
“One of Gogo’s trademark services is offering a variety of educational courses in networking and cybersecurity tailored to the needs of business aviation,” Wheeler said. “We have found these courses to be important for customers who are not clearly aware of the risks, and, like regular flight training, continuous refresher training is required for each member of the flight operation.”
Consider implementing the following Wi-Fi best practices for your flight attendants.
- Turn off the aircraft’s Wi-Fi immediately after landing.
- Change your password frequently.
- Make sure your network cache system has the latest security updates.
- Don’t sit on the ramp and surf the internet.
- Don’t use your FBO’s free Wi-Fi.
Also, ask your connectivity provider what steps they take to protect your data as it travels from your aircraft to your network. Ask where and how it is backed up. Check to see if there are additional security protocols you can implement.
“While CEOs and aircraft owners cannot be forced to change their online practices, flight operations departments can develop and implement their own best practices for crew and maintenance equipment,” Wheeler said. “That way, if there’s a network breach, you can say you’ve done everything you can to preserve your data. If you’ve done your best efforts, you’ve done everything you can.”
