Phishing Emails Impersonating Qantas Target Credit Card Info

Fake Qantas emails in a sophisticated phishing scam steal credit card and personal info from Australians, bypassing major email security filters.

Australian airline Qantas is being targeted by criminals with fake emails claiming to be from the airline. Security experts at Cofense Intelligence, who discovered this attack, found that these convincing emails trick users into giving away their credit card information and personal information like phone numbers and addresses.

These fake Qantas emails mimic real marketing emails, using the same colours and layout as real ones and “with appropriate branding and functional links.” One clever trick the criminals used was to include an “unsubscribe” link in the emails, just like real marketing emails do.

However, the links in the fake emails didn’t go to Qantas’s official website. Instead, they went to other websites. Experts believe the criminals might have used these fake unsubscribe links to see which email addresses were real and active.

Interestingly, according to Cofense’s report, the fake emails mentioned that Qantas was celebrating its 103rd anniversary. However, Qantas’s 103rd anniversary was actually in 2023, two years ago. This was one of the few mistakes in the otherwise very convincing emails.

Source: Cofense Intelligence

The emails tricked people into clicking on links to fake websites, whose URLs often contained the phrase “auth/auhs1” followed by random words related to Qantas or coupons. These websites generally disappeared within a day and asked for personal information in a multi-step process, including name, phone number, email address, and home address. This collected contact information, along with the date of birth, could be used for targeted scams or password guessing.
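A triage check built on the two link traits described above, as an added example that is not code from Cofense or the original article: it extracts every link from an HTML email and flags those whose host is not under the brand's domain or whose path contains the reported “auth/auhs1” phrase. The `qantas.com` allowlist, the function names and the sample message (which uses reserved `example.*` hosts) are assumptions made for the illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL = ("qantas.com",)   # assumption: brand domains to treat as legitimate
PATH_MARKER = "auth/auhs1"   # path phrase reported in the article

# Constructed sample message for the demo; hosts are reserved example domains.
SAMPLE = """\
From: Qantas <offers@mailer.example.org>
Subject: Celebrate our 103rd anniversary
Content-Type: text/html; charset=utf-8

<a href="https://www.qantas.com/au/en.html">Home</a>
<a href="https://deals.example.net/auth/auhs1/qantas-coupon">Claim offer</a>
<a href="https://qantas.com.example.net/unsubscribe?u=1">Unsubscribe</a>
"""

class _Links(HTMLParser):
    """Collect the href of every anchor tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_official(host):
    # Exact or subdomain match only, so qantas.com.example.net does not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def triage(raw_email):
    """Return [(href, [reasons])] for links that do not look like the brand's own."""
    findings = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        parser = _Links()
        parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for href in parser.hrefs:
            url = urlsplit(href)
            if url.scheme not in ("http", "https"):
                continue
            reasons = [] if is_official(url.hostname) else ["off-brand-host"]
            if PATH_MARKER in url.path.lower():
                reasons.append("path-marker")
            if reasons:
                findings.append((href, reasons))
    return findings
```

Because the sites reportedly disappeared within a day, the off-brand host check is the durable signal; the path marker is useful mainly for hunting through mail already delivered.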

These fake websites allegedly attempted to set up multi-factor authentication after a user entered their credit card information, but this failed. Experts believe that this extra step was added to deceive victims into believing there was a problem on their end rather than with the website.

Researchers observed that cybercriminals behind this campaign seemed to be particularly targeting people in Australia. Even though some people in the United States also received these emails, the offers were in Australian dollars, and Qantas is based in Australia.

This suggests the attackers preferred Australian victims. Moreover, the researchers highlighted that the campaign successfully bypassed multiple Secure Email Gateways (SEGs), including Microsoft ATP, Proofpoint, and Mimecast, indicating a sophisticated approach by the attackers.

This campaign started around February 2025 but seemed to slow down in mid-March 2025. It shows how criminals are constantly trying new and sophisticated ways to trick people online, making it important for everyone to be very careful about the emails they receive and the websites they visit.

HackRead