How Aviasales
and BrandSecurity blocked 4,354 malicious resources

"A ticket to Phuket for 12,800 rubles, departure tonight. Buy now, payment by card transfer only" — this is how a seemingly attractive offer turns into a scam. While travelers are packing their bags, fraudsters are trying to steal their personal data and money. But Aviasales and BrandSecurity are keeping watch over their vacations: over 7+ years, 96.1% of all detected violations have been removed

Publication date
16.06.26
Reading time
7 minutes

How scam schemes and digital threats have changed

Before: mass phishing through websites

Until recently, fraudulent websites were the main threat. Attackers created copies of the flight ticket aggregator, attracted users with low prices, and tricked them into sharing personal information and bank card details. Today, this type of phishing is much less common.

Fraud can target not only customers, but also partners. One example: attackers create what looks like a partner portal and send out emails with links to websites containing malware.

Now: personalized scams in messaging apps and social media

Fraudsters have moved to where users spend most of their time: messaging apps and social media. Instead of mass attacks, they now use direct contact. A "manager" chats with the potential victim, offers a discount, and pressures them to pay quickl

How the trap works: a channel with cheap flight tickets

A traveler is planning a vacation and finds an interesting Telegram channel offering "tickets at super-low prices."

One of the posts contains the exact offer in the destination they need.

At first glance, everything in the channel looks convincing:

  • real dates and destinations are listed;
  • links are added that look like real Aviasales links;
  • there are positive reviews supposedly from customers;
  • users can even get a ticket search service for a small fee.

A traveler messages the "manager," and the scam scenario begins:

  • the "last-minute ticket" has to be purchased urgently, with only a few seats left;
  • the manager tries to obtain passport details and an email address, and asks which card will be used for payment;
  • payment is accepted only as a transfer to an individual’s card.

The money sent by the victim goes to the fraudsters through a P2P exchange. In reality, the "booking" is a request to buy cryptocurrency. The chat with the victim is blocked, and the ticket does not exist. The positive reviews in the channel turn out to be fake.

Schemes like this can only be fought through continuous monitoring and blocking.

Not all threats are directly related to fraud. Today, many accounts and websites are created to copy a brand’s visual identity and attract attention. These fakes blur brand perception and can damage reputation. Every fake resource is a potential tool for fraud, so it has to be monitored.
Today, threats have spread across many channels, and attackers have become more inventive.

Together, Aviasales and BrandSecurity have gone through a complex journey of fighting threats: from mass phishing to protection against personalized scam schemes and reputational attacks.

What challenge had to be solved

Aviasales is a major service for finding affordable flight tickets. Every month, 20 million people visit Aviasales because they trust the service. Preserving that trust means detecting and blocking everyone who tries to scam users on behalf of the brand.

The task was to automate protection against digital threats with the broadest possible coverage across platforms.

Aviasales chose BrandSecurity’s solution for protection.

The key selection criteria were:


  • Solution flexibility — the system adapts to the company’s internal processes and the changing threat landscape;
  • Multi-channel protection — monitoring social media, domains, messaging apps, search results, and other platforms.

What BrandSecurity protects the Aviasales brand from today

Key areas of monitoring and blocking:

  • unauthorized use of the trademark on websites;
  • fraudulent groups, accounts, and bots in messaging apps;
  • fake accounts and groups on social media.

How multi-channel protection works

An effective system is built on three components.

  • Technology. BrandSecurity Rocket automatically scans domains, social media, messaging apps, and search results. Algorithms detect threats that would be impossible to find manually. Search modules are updated to reflect new schemes, and the system scales to handle seasonal spikes in fraud.
  • Experts. Detected violations are reviewed by analysts. They identify real threats that require urgent blocking.
  • Processes. Each platform requires its own tactics. BrandSecurity experts submit complaints in line with the procedures of social networks, messaging apps, and domain registrars, driving cases to blocking.

Ruslan Krivulin

Founder of BrandSecurity

"Automation delivers speed and scale, but without human involvement it turns into an overload of alerts, many of them false positives. At BrandSecurity, every blocking action is backed by an analyst’s decision. The combination of automated detection and expert assessment allows us to maintain a high level of effectiveness, even as scam schemes become more sophisticated."

The main challenge in monitoring is that fraudsters constantly disguise themselves. This is taken into account in the threat detection mechanics.

Searching for malicious domains

The system automatically detects malicious websites, even when the domain does not contain the brand name. To do this, it:

  • analyzes a database of 300+ million domain records, which is constantly updated;
  • tracks the registration of new domains across 1,500+ domain zones;
  • scans new SSL certificates in real time;
  • scans resources using intelligence services such as Urlscan, Censys, and similar tools;
  • monitors advertising placements, deep web and dark web resources, repositories, and leak sources.

More technical details

Monitoring fake accounts, channels, and bots

Attackers come up with elaborate names to disguise themselves. BrandSecurity finds them by generating all possible variations of how the brand can be written:

  • with character substitution and insertion;
  • in different letter cases;
  • in combinations with "ru," "official," and other additions.

Once a threat is confirmed, it is submitted for blocking.

A solution as a result, not just a tool

The platform does not require the client to maintain a separate response team. BrandSecurity takes care of detection, verification, blocking, and reporting. The client receives full statistics on removed threats in a unified dashboard.

Real Ticket means a safe flight: a joint project by Aviasales, BrandSecurity, and Roskachestvo

Travelers also needed a way to check suspicious resources. That solution became the service

Nastoyashchiy Bilet.rf

How it works:

  • the user enters the resource address into the service search bar;
  • the system checks the website;
  • the verification result is displayed on the website or sent by email after analysis by specialists.

Result: 4,354 violations removed over 7+ years

Threat blocking effectiveness over the entire period reached 96.1%.

What digital threat protection delivered:

  • fake accounts and clones are removed before they can cause large-scale damage;
  • the internal team does not spend time on manual monitoring or communication with platforms;
  • protection remains stable during holiday seasons, when the number of attacks increases.

Ruslan Krivulin

Founder of BrandSecurity

"In the past, phishing websites were the main challenge. Today, a fraudster can run a campaign without creating a single domain — just a messaging app and a bank card for payment. This forces us to constantly rethink our threat detection methods. Together with Aviasales, we built a system that keeps improving, and the numbers prove its effectiveness: 96.1% of threats are blocked at an early stage."

See which digital threats your company is exposed to

We’ll run an initial analysis of online platforms and show existing violations across domains, social media, and marketplaces