Between October 2023 and September 2024, a number of Facebook accounts impersonating major airports and airlines, posted that they were overwhelmed by unclaimed luggage piling up in their warehouses. The posts claimed that the airports were selling the luggage off at throwaway prices, and that the luggage could contain electronics and other luxury goods.
These posts are part of a growing trend of online fraud, particularly on Facebook, where users who follow the links end up having their details stolen, and in some cases, losing their money as well. In this article, Piga Firimbi examines the classic scam tactics used in these accounts, and how they weaponise social engineering and the desire for a quick buck to defraud and steal from unsuspecting social media users.
Principles of influence
Social engineering is a broader concept that encompasses manipulative tactics targeting unsuspecting users. It relies on the human tendency to trust authority figures and respond to urgency and scarcity. The accounts identified in this article prey on these cognitive biases to deceive their targets.
Scams tend to be offers of quick-and-easy money that turn out to be false, or that use fake accounts to try to deceive or defraud. Scammers try to gain the trust of their victims by pretending to be someone they are not, or compromising existing social media accounts and using social engineering to gain the trust of these victims. The most common scams on Facebook, for example, include investment scams, romance scams, fake job application links, lottery scams, loan scams, fake pleas for donations, inheritance scams and commerce scams, as well as links to paid subscription services that do not actually exist.
The Language
Piga Firimbi identified and analysed 112 Facebook accounts impersonating various airports around the world, claiming to sell lost luggage from their warehouses. The language used in posts by these accounts is similar – act quickly to get a bag that could contain something valuable. The phrasing is designed to create the impression of a low-risk high-reward scenario – spend a relatively small amount of money, as low as a Pound, 290 Ksh, a Euro, a Dollar or 38 Rands depending on where the airport is located, for the promise of access to thousands of lost bags.
This is not the only such scam. Similar pages have been identified on Facebook as well, claiming that Amazon is selling lost and unclaimed packages piling up in its warehouses for only $1 each, only for interested buyers to find that they would have to, among other things, pay for shipping or handling fees.
In this case, the pages are impersonating airports all over the world, and claim that the sale is running ‘until the end of the month’. The month in question is unspecified, as some of the pages had posts dating as far back as November 2023.
A post by ‘Air New Zealand’ impersonating the national carrier of New Zealand claims to have bags for sale at 3 NZD. The post reads, “A suitcase with lost items from airport customers in New Zealand for just $3.” It adds, “Unfortunately, the airport does not have a place to store lost luggage and sells batches of suitcases with various things and electronics for only 3 NZD.”
Another post from a similar account impersonating Queenstown Airport advertises the same offer of 3 NZD for unclaimed luggage. Accounts within the same campaign give more details about the supposed valuable items in these bags, aiming at enticing users to believe they are getting an incredible deal.
Fraudsters have been able to use social media platforms to significantly expand their reach, providing easy and affordable ways to create and manage multiple accounts and websites. Equally, these platforms have minimal risks of detection, offering anonymity through pseudonyms and minimal scrutiny.
A common feature of these posts is urgency and the need for prompt action, a persuasive tactic used to entice people to act fast and not take time to question the authenticity of the pages. One post by an account impersonating Jomo Kenyatta International Airport reads, “We empty airport luggage storage and sell lost luggage for 290 Ksh! All suitcases are filled with various things and electronics—delivery all over the country. The offer is valid online only until the end of the month. 60-day money-back guarantee.”
The wording used on this post highlights the subtle urgency, with an assurance that if the buyer does not secure any of these bags, they are guaranteed to get their money back, further ensuring that anyone who wants to take advantage of the offer will not lose anything if what they get is not satisfactory.
Another post by a page impersonating London Airport reads, “Lost luggage for just £1, We are urgently clearing out the airport warehouse and selling over 1000 suitcases. To buy, go to the website and place an order!”
This one, impersonating Sydney Airport reads, “Suitcase with client’s belongings lost at the airport for only $3. Suitcases that have been in storage for over a year are to be recycled. The airport doesn’t want to pay the concession fee for the next quarters and is selling the remaining lost luggage in storage for only $3!”
The three posts above imply that the offer is time-sensitive: the immediate need to sell, an offer that lasts a month long and an urgency for the Sydney Airport to recycle the bags to avoid paying future concession fees. These posts also invoke an illusion of scarcity by claiming that these bags with ‘various things and electronics’ are limited and available for a specific period.
Spoofing and Falsehoods
Spoofing is an instance where someone disguises an email address, sender name, phone number, or website URL —often just by changing one letter, symbol, or number—to convince you that you are interacting with a trusted source.
The objective is to manipulate you into believing that the spoofed communications are real, which can lead you to download malicious software, send money, or disclose personal, financial, or other sensitive information.
Although these accounts pose as major airports and airlines, their falsehoods are exposed through domain searches. The account impersonating Sydney Airport includes a URL posing as the airport’s official website but redirects to a non-existent site with the domain name, katan2sale1.space. A DNS Checker search traces the IP address to Germany and WhoIs lookup shows that the domain was registered on May 10, 2024, with the registrant’s details withheld.
A comparison between this website and Sydney Airport’s official website provides contrasting details. A WhoIs search on sydneyairport.com.au confirms that the registrant is Sydney Airport Corporation Limited. The same search on DNS Checker shows that this domain’s IP address is in Australia. Although registration details of its domain are not accessible through open-source tools, a search on Big Domain Data indicates that the earliest modifications on this website were done on July 7, 2011.
Among the 112 Facebook accounts, seven were found impersonating OR Tambo International Airport in Johannesburg. One such account, Johannesburg Airport posted a link claiming to be the official site to order the bags for sale. This link leads to a domain, airpanda3.store which raises questions regarding the legitimacy of this Facebook account.
A search on Big Domain Data shows that this domain name was registered on April 17, 2024, and modified on April 17, with an expiry date of April 17, 2025. These results also show that there are 10 other domain names, which look similar to the brand name air3panda3. Seven of these domain names were created around the same time, four on April 17, 2024, and three on May 13, 2024, highlighting a more suspicious trend.
Another account impersonating this airport is Tambo Airport, which includes a link to another website where offers for these purchases can be placed. The domain name; deel02sale6.skin is used to retrieve details on Big Domain Data. It shows that this domain was registered on January 5, 2024. It also shows nine other domain names with a similar name, all registered on January 5, 2024, with variations of the domain name.
A similar search on O.R. Tambo International Airport’s official website provides contrasting details. It was registered on December 3, 2014. Unlike the URL impersonating this airport’s website, ortambo-airport.com has no domain names that are similar to it.
The same pattern is evident in a third account posing as O. R Tambo International Airport. With about 1.2K followers, this Facebook account uses ‘O.R. Tambo International Airport ZA’ as its account name with a profile photo of South Africa’s airports management company, Airports Company South Africa. This domain name; 4apylowin4.space was registered on September 4, 2023. Nine others are listed with similar domain names but with their ownership details withheld.
The same search using Airports.co.za provides details of the Airports Company South Africa. It shows that this website was registered on July 16, 1996, with clear registrant details.
These Facebook accounts exploit the existence of multiple similar domain names, often creating multiple similar domain names, to deceive users into believing that they are interacting with a legitimate brand.
Screenshot showing registration details of ‘lostlugagege.store’A company’s domain name is a key indicator of its authenticity. In this case, the accounts impersonating both Sydney Airport and Oliver Tambo International Airport use unrelated domain names though their Facebook names falsely claim to represent these airports. A clear distinction lies in the recognizable, official names: sydneyairport.com.au for Sydney Airport, ortambo-airport.com for Oliver Tambo International Airport and airports.co.za for the Airports Company South Africa. The official domains have transparent ownership and registration details, confirming their credibility.
The temporary nature of these websites reflects a common tactic used by scammers. They are set up to exploit situations, in this case, selling off luggage from airports, and then disappear before being reported or blacklisted. These websites typically do not last long, and once they are registered, they are taken down soon after they attract attention.
‘Atlanta Airport Unclaimed Baggage’ is another Facebook account with a website and claims to have luggage for sale. One of the posts by this account has a link that directs to a non-existent website, with a misspelled domain name lostlugagege.store. According to results by WhoIs, this domain was registered on August 1, 2024, with an expiry date of August 1, 2025. The same domain name is used by a similar Facebook account; ‘Airport Atlanta Sale’, which also offers bags for sale on some of its posts, including this one.
The ‘Gatwick Airport’ account, impersonating London Gatwick Airport, includes a URL in one of its posts with the domain name air3panda8.store. This domain is listed as one of several similar to airpanda3.store, a domain used by Johannesburg Airport, a Facebook account impersonating Oliver Tambo International Airport. A search on WhoIs shows this domain was registered on May 13, 2024.
Campaigns like this often pair their posts with images taken out of context and those that are altered. They source images from unrelated sources and repurpose them to fit their narrative. The visual manipulation creates the impression that the airports are indeed overwhelmed and are selling off these bags at discounted prices.
This post uses an altered image which shows a price tag of 3 New Zealand dollars. The original image, arrived at by a reverse image search, shows that the original image does not have this price tag. An Error Level Analysis shows inconsistencies in this image. This post uses an image of SouthWest Airlines, an airline in the United States.
Another post by the same account uses a stock image from Alamy, which has been altered to include a price tag that is not present in the original image. Furthermore, the original image of these bags is featured in an article by the Financial Times, credited to, Remko de Waal, and is available on Getty Images. The image was taken in an arrival hall at Schiphol Airport in Amsterdam.
Facebook’s page transparency shows that this account has changed its name twice since January 3, 2020, when it was created. Initially, it was registered as ‘Tajim’s Media’, later changing to ‘Mohammad Tajim’ and now, ‘Queenstown Airport.’ These details also show that this page is managed from two different locations: India and Vietnam.
Two posts from October 24, 2023, by ‘Oslo Gardermoen airport’, an account impersonating Norway’s Oslo airport, use images featured on Russian-run websites. According to reverse image results on Yandex here and here, both images are altered to include the price tags. According to the page transparency details, this account changed its name twice on May 30, 2011, starting as ‘Beauty Secrets dead sea products’ and later switching to ‘Oslo Gardermoen airport’ on October 20, 2023.
Anything for the package
Testimonials in the comment section play a significant role in creating an illusion that the luggage being advertised is credible and from a trusted source. These reviews typically overshadow any critical comments by presenting seemingly believable purchases. Posts with these testimonials contain images of bags that are claimed to have been bought and received from the pages, giving the impression that they are legitimate. In most cases, these testimonials are completely fabricated or source images from unrelated legitimate sites.
The most recent post by ‘Oslo Gardermoen airport’ has 12 comments. Part of these are four images of suitcases. One of the comments reads, “Guys, I’m in shock! I ordered my lost suitcase and in it, among other things, was a brand new MacBook! I’m still in shock! I got a MacBook for NOK 16!” A reverse image search shows that this image is picked from stock photos, featured here, here, here, and here.
The most recent post by ‘Air New Zealand’ a similar account mentioned earlier, has 22 comments three of which are images from stock images, featured here, here and here.
Meta’s Transparency Centre emphasizes its goal to “protect users and businesses from being deceived out of their money, property or personal information” by removing content that involves “misrepresentation, stolen information, and exaggerated claims” aimed at scamming and defrauding users. Additionally, Meta allows users to raise awareness and condemn such deceptive activities. Despite these efforts accounts continue to emerge with various scam campaigns, exploiting the anonymity and reach that these platforms offer. The players behind these campaigns are quite flexible and quickly adapt by creating new pages and launching new campaigns.
Fake ads like these can cause harm, and cybersecurity firm Netcraft advises against clicking any suspicious ads, as these can direct users to malicious websites used by cybercriminals to collect data and potentially steal money. The usual motivation for such actors is financial gain, and through phishing and spoofing, they attempt to trick victims into sharing personal information, such as passwords or credit card numbers.
The recurring patterns analysed by Piga Firimbi suggest that scammers use these pages to exploit unknowing social media users, particularly through visual manipulation and creating a false sense of urgency. As a result, victims are much more likely to overlook the red flags. What stands out as well is the speed at which new campaigns emerge after one has been flagged. What is clear is, if the deal is too good, think twice before clicking, as there is a high chance that a page offering such high returns and urging you to act quickly may not necessarily be legitimate.
Add comment