How a Leading Airline Shut Down Social Impersonators and Phishing Comments in Under a Week

A customer drops a frustrated comment under a post: “Can someone help me with my booking?” Within minutes, a “support” account replies with a friendly tone, a sense of urgency, and a link that definitely doesn’t belong there.

It looks and sounds like customer service, but it’s not. In reality, it's a scammer acting at an opportune moment in an unassuming place.

For one U.S.-based airline with a high-volume organic social presence, spam comments and impersonation accounts were more than annoying. They were actively pulling customers into phishing conversations in the places people trust most: the brand’s own comment threads.

And the hardest part? The scams blended into normal social engagement. One fake “customer care” reply at a time, they chipped away at trust, buried real conversations, and forced the social team into constant cleanup mode.

But that changed fast.

In less than a week, the airline re-authenticated key accounts, tuned rules based on what attackers were actually doing, and shifted from manual whack-a-mole to automated social media monitoring and comment moderation workflows. The result: fewer scam replies visible to customers, faster impersonation disruption, and measurable improvement in sentiment.

The Reality of Brand Safety on Social Media in 2026 

Like many value-focused airlines, the organization relies on organic social media to promote offers, support brand campaigns, build community, and keep travelers informed. But in the airline industry, social media poses a critical challenge: customers treat social channels like support queues, even though they weren’t designed to handle service at that scale.

Customers post questions about bookings, refunds, baggage, and delays. That creates a steady stream of public requests that scammers can exploit. Instead of creating their own audience from scratch, threat actors simply insert themselves into existing conversations with believable names like “Customer Care” and templated replies designed to move the interaction off-platform.

 These scam comments, phishing attempts, and brand impersonators drive a need for a proactive brand safety and social care strategy.  

ZeroFox’s social media protection approach is built for this reality: continuous monitoring across major and alternative platforms, detection for impersonations and scams, and the ability to automate harmful content removal at scale.

Marketing-Owned Social, Real Security Stakes

The person closest to the problem was not sitting in a security operations center or customer support desk. They were  sitting in marketing.

This challenge goes beyond the airline industry. Marketing, care, and cyber teams typically act as separate functions, using siloed tech stacks and workflows. In reality, social care protocol touches all three functions.

Once the organization’s social and care teams partnered with the cyber team to deploy ZeroFox, the opportunity became unmistakably clear.

Challenges Identified: Two Threats That Hit Fast on Organic Social

Customers treat comment threads like a support queue, and scammers treat that same queue like a hunting ground.

The team was dealing with two specific types of abuse across organic social channels. They looked different on the surface, but both aimed at the same outcome: trick customers into handing over information.

1. Social media brand impersonation

Impersonation accounts copied the airline’s brand identity, notably their customer support team. They used similar names, logos, and brand colors to look official. Then, they acted like customer service, jumping into the comments to “help” customers and directing them to off-platform contact methods.

The goal was simple: move the customer away from the brand’s visibility and into a private channel where phishing attempts are easier.

2. Spam comments and soft phishing

The second issue was high-volume spam comments and replies that did not use the airline’s logo or name. These accounts often used general usernames like “customer care” or “support team,” then replied to real customer comments with a templated prompt to DM or click a link.

This pattern exposed customers to phishing attempts and flooded comment threads with noise, making legitimate engagement harder to find.

Before: Manual Comment Moderation at Scale

The social team relied on native tools to keep up. That meant manually scraping comment threads, hiding spam comments one by one, and reporting impersonation accounts directly in each platform.

“We were manually scraping. Going in and hiding comments and reporting impersonation pages, but doing it all natively through the platform,” the airline’s social media lead explained.

It worked, but only in the way that a bucket catches a leak in a rainstorm.

Each new post created another opportunity for scams. Each customer complaint created another entry point for fake support accounts. And because the activity appeared inside real engagement, it required constant attention. Over time, the manual process became a daily drain.

What Changed in a Week: Reconnect, Tune, Automate

The change started when leadership flagged how often the scam replies were showing up in public threads. The social media lead escalated internally and connected with the airline’s cyber and care teams to understand what support existed and how quickly they could activate it.

They discovered something important: ZeroFox was already in place for the organization’s broader cybersecurity program, but some social accounts were not fully connected and authenticated. Team transitions had left gaps, and those gaps limited what automation could do.

So the first step was not adding a new tool, but making sure the existing one was fully operational.

Step 1: Re-authenticate and reconnect social channels

“We audited our social channels to ensure every single brand page was connected,” the social media lead shared. “We even found that one of our recruiting-specific pages hadn’t been connected. Now all of those pages can be monitored through ZeroFox.”

The team re-authenticated and reconnected their social accounts, including less obvious channels that still needed protection. This restored visibility and control across the airline’s social footprint. It ensured the right accounts were properly verified for monitoring and enforcement workflows and also set the stage for deeper auto-remediation capabilities.

This simple first step led to near-instant results. With accounts reconnected, the team worked with their ZeroFox Customer Success Manager (CSM) to build rules that reflected real attacker behavior.

Step 2: Build impersonation detection rules based on what they were seeing

The team identified historically relevant patterns, including consistent aliases and naming conventions impersonators used to look official. Those patterns became rules that could flag likely impersonation accounts more reliably.

The social media lead explained the process: “We worked with [our CSM] to develop new impersonation rules as well as spam comment rules…any keywords and phrases we’ve seen in the past…and then any kind of consistent aliases that impersonators had used.” 

Step 3: Create comment moderation rules that target spam and phishing behavior

For spam comments and soft phishing, the team focused on keywords, phrases, and redirect behavior that repeatedly showed up in scam replies. These rules helped automatically flag and hide high-risk replies, especially on Instagram where the airline routinely saw the highest volume.

A key accelerant was the ability to do a historical scrape. This allowed the team to clean up existing scam content while also catching it going forward.

The social media lead adds, “On Instagram—that’s one of our biggest culprits for receiving these comments—the ZeroFox functionality allows for a historical scrape. So it’s not just from time of implementation onward.”

Results: Better Sentiment, Faster Disruption, Time Back

The impact showed up quickly. Week over week, from the period when accounts were disconnected to the following week when the team re-authenticated social channels and deployed updated rules, the airline saw a 70% increase in sentiment score.

They also saw automated disruption activity accelerate:

• Impersonator account takedowns went from zero to about 15 per week.
• Roughly 60% of those takedowns occurred within seven days.
• In the last 60 days, the team logged 132 takedowns related to impersonation.
• The team was able to remediate 593 fraudulent and/or scam comments. 

Just as important, the operational burden dropped. A daily manual task suddenly became largely automated. Instead of manually finding and hiding those 593 scam comments, the team could focus on higher-value community management and campaign execution.

The  social media lead shared the context of going from manual to automatic remediation, “I probably went from spending an hour a day scraping our social channels for these spam and impersonators to five minutes.”

Social Media Monitoring That Leads to Action

Most social teams can spot a scam. The hard part is keeping up with volume, speed, and repetition. This airline’s shift came from turning observations into repeatable rules, then connecting those rules to enforcement.

• Social media monitoring helped identify where impersonation and spam were showing up. 
• Social media comment monitoring workflows reduced exposure by automatically flagging and hiding scam replies. 
• Disruption and takedowns helped remove impersonation accounts at scale and auto-remediate fraudulent comments.

Instead of relying on individual reports inside each platform, the team operationalized social media protection as an always-on workflow.

The Foundation for Social Care and Brand Safety

Without a centralized social support model for every customer inquiry, scammers had room to imitate what “help” could look like in the comments. Basically, they were free-styling what support could look like and inserting themselves wherever customers asked for help. That made the work here bigger than removing a few bad accounts.

By establishing consistent social media monitoring, impersonation detection, and scalable comment moderation, the team set the foundation for a broader social care and brand safety strategy. It supported community management goals, reduced friction in customer conversations, and helped keep official threads cleaner as the brand evolves.

This strategy was so effective that the social media lead plans to evolve brand safety from the new baseline. She shared, “I’m putting together a brand safety and social care strategy based on these initial learnings through ZeroFox…and ultimately that will inform digital CX protocol  and opportunities for continuous improvement.”

What Other Airlines Can Take From This

Airlines across the industry are dealing with the same two challenges: social media brand impersonation and high-volume spam comments designed to pull customers into phishing conversations.

If you are seeing similar patterns, three steps can help you move faster.

1. Audit and authenticate your full social footprint
   Make sure every official channel is connected, verified, and actively monitored. Include less obvious accounts like recruiting, regional pages, and campaign-specific handles.
2. Turn attacker patterns into rules
   Document the phrases, keywords, naming conventions, and redirect behavior you see repeatedly. Then operationalize those patterns through detection and moderation rules.
3. Tie monitoring to enforcement
   Social media monitoring is most valuable when it leads to action. Prioritize workflows that reduce exposure quickly, including automated comment moderation and takedown processes for impersonation accounts.

For this airline, the path to better social media protection started with a simple realization: social threats were showing up where customers already were, and manual moderation could not keep up. By reconnecting their accounts, tuning rules to match real scam behavior, and automating key parts of comment moderation and impersonation disruption, the team improved sentiment, reduced exposure, and reclaimed time.

If impersonators and phishing comments are showing up in your threads, you do not need to fight them one report at a time. Book a demo with ZeroFox to see how social media monitoring, automated comment moderation, and rapid takedowns work together to reduce exposure and keep customer conversations clean.