If the ticket is incorrect or damaged, you cannot even go through the airport security: when they check your ticket, it will be refused. You are Forbidden to enter the boarding area of the airport.
It depends what we mean by "incorrect"/damaged "credentials ("ticket")...
A. If they are invalid or incorrect in the sense that we can't authenticate them as anyone (as it sounds like you mean with "incorrect" or "damaged") (they're not a user in our database or the password doesn't match a user in our database), then you should actually use 401, meaning that the client can/should try (again) to authenticate with different credentials.
B. But if by "incorrect" you mean (as it sounds like you mean with "you cannot even go through the airport security: when they check your ticket, it will be refused") that the credentials were valid enough to authenticate you as someone (a user in our database), but that (known( user has insufficient credentials, then correct, it should be a 403 forbidden.
It's even easier to explain / think about if you just think of 401 as being used for any missing or failed authentication. See:
- https://hyp.is/3fuPiHooEeyZc5cn4Q1uXg/stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses
- https://hyp.is/oxI0uHonEeyZYvdQFZIEUQ/stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses
- https://hyp.is/pB2XuHomEeyax28Y6vxcOg/stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses