Grainne McKeever, application security specialist of Thales, spells out how this threatens travel businesses
Guest Post: Bots are booking holidays too, what does it mean?
With more people traveling than ever and the summer holiday season approaching, this is prime time for bad bots to carry out malicious activity against the aviation and travel industry. In 2024, bot attacks reached a new high, with travel businesses now experiencing more bot traffic than any other industry. According to the recent Thales Bad Bot report, the travel sector accounted for 27% of all bot attacks in 2024, a significant jump from 21% in 2023, officially making it the most attacked sector globally.
This surge reflects broader shifts in both attacker behaviour and the tools that they can easily access. The report also revealed that API-directed attacks now make up 44% of all advanced bot traffic, further emphasising how threat actors are targeting the very systems that power the digital backbone of the travel experience, from flight searches and pricing to loyalty programs and bookings. This trend is not limited to travel alone, as retail and travel bear the brunt of the problem, with 41% and 59% of their web traffic, respectively, comprising advanced bot activity.
The changing face of bot threats
It’s not only the increase in attacks that is worrying; it’s the evolving nature of those attacks that travel companies need to be aware of. The travel industry is seeing a significant rise in simple bot attacks, which now make up 52% of bot traffic to travel sites, compared to just 34% last year. This shift marks a democratisation of cybercrime. Thanks to widely available AI-driven automation tools, launching bot-based attacks no longer requires advanced technical skills or substantial infrastructure. Today’s cyber criminals don’t have to be highly skilled hackers; they just need access to the right tools and target high-traffic environments.
This shift marks a new era of threat: rather than deploying fewer, more sophisticated bots to quietly scrape or manipulate systems, hackers are flooding travel sites with high volumes of simpler bots, overwhelming digital services and creating significant disruption for both travel businesses and consumers.
The real-world impact on travel businesses
These attacks aren’t just imaginary risks; they’re directly impacting core functions of the travel experience and happening as we speak.
There are several kinds of bots developed to achieve various goals that can impact the travel booking experience for customers. Credential stuffing bots target login portals, putting customer accounts and loyalty points at risk. Scraping bots extract pricing data and availability details, giving competitors and third parties an unfair edge. Bots can also be used to hoard limited purchases such as hotel rooms or airline seats, artificially inflating demand or creating booking chaos during high-traffic events.
For airlines, travel agents and business owners in the travel industry, these threats translate to higher operational costs, degraded website performance, increased customer service complaints and reputation damage, and can lead to significant lost revenue. In competitive markets where milliseconds matter and user experience is king, bot-driven disruptions can damage customer trust and brand loyalty faster than ever.
As bots increasingly mimic human behaviour with AI and machine learning, traditional detection methods are becoming less effective. Modern bots easily circumvent CAPTCHAs and rate-limiting rules, or worse, those controls frustrate genuine users more than they block attackers.
What can travel businesses do?
To defend against the rising issue of bot activity, travel companies need a multi-layered, intelligent defence strategy. In today’s fast-changing threat landscape, it’s essential to adopt a proactive and adaptive approach - using advanced bot detection and behavioural analysis as part of the wider suite of cybersecurity tools they have in place to stay protected and resilient. Some actions security teams can take include:
- Find and prioritise hotspots: Organisations must locate the areas of their site that attract bot traffic. Product launch pages, login portals, checkout forms, and pages with gift cards or exclusive inventory are all good locations to start evaluating high-risk hotspots.
- Introduce MFA and strengthen credential security: Organisations should use phishing-resistant MFA on login and admin portals. Prevent credential stuffing and carding by integrating credential intelligence and rejecting breached credentials.
- Use adaptive bot detection and rate limits: Use AI-powered tools that detect human-like bots in real-time. Implement dynamic rate limiting, adaptive CAPTCHAs, and traffic anomaly detection to contain suspicious behaviour without limiting user experience.
- Have regular threat surveillance and proactive testing: Establish a baseline for normal failed login activity and watch for irregularities or sudden spikes. Use real-time bot monitoring solutions and regularly probe your own systems with simulated attacks to stay ahead of evolving threat tactics and adapt your defences accordingly.
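
One way to implement the failed-login baseline from the last point, as an added example that is not part of the original article or any Thales tooling. The event format, thresholds and sample data are assumptions made for illustration; a high count of distinct usernames in a flagged minute points to credential stuffing rather than one user mistyping a password.

```python
# Added example: baseline failed-login activity and flag sudden spikes.
# Event format (minute, username, success) and all data are constructed.
from collections import defaultdict
from statistics import median

def per_minute(events):
    """Group failed logins by minute -> {minute: [usernames that failed]}."""
    buckets = defaultdict(list)
    for minute, user, ok in events:
        if not ok:
            buckets[minute].append(user)
    return buckets

def find_spikes(events, window=10, k=6.0, min_floor=5):
    """Flag minutes whose failed-login count exceeds a robust trailing baseline.

    `events` must be a list. Baseline is the median of the previous `window`
    minutes, spread is the median absolute deviation (MAD), and the threshold
    is median + k * max(MAD, 1), never lower than `min_floor`.
    """
    buckets = per_minute(events)
    minutes = range(min(e[0] for e in events), max(e[0] for e in events) + 1)
    counts = [len(buckets.get(m, [])) for m in minutes]
    alerts = []
    for i, m in enumerate(minutes):
        history = counts[max(0, i - window):i]
        if len(history) < window:
            continue  # not enough history to form a baseline yet
        base = median(history)
        mad = median(abs(c - base) for c in history)
        threshold = max(base + k * max(mad, 1), min_floor)
        if counts[i] > threshold:
            alerts.append({"minute": m, "failed": counts[i], "baseline": base,
                           "distinct_users": len(set(buckets[m]))})
    return alerts

def sample_events():
    """Constructed data: 2 failures per minute, then 40 accounts hit in minute 12."""
    events = []
    for m in range(15):
        events.append((m, "alice", True))
        if m == 12:
            events += [(m, f"user{i}", False) for i in range(40)]
        else:
            events += [(m, "bob", False), (m, "carol", False)]
    return events

if __name__ == "__main__":
    for alert in find_spikes(sample_events()):
        print(alert)
```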
Final word
The era of bad bots causing chaos is here, and travel businesses need to act now to prevent devastating attacks. While advanced attacks once dominated headlines, it’s the surge in basic, high-volume bots that’s becoming the real disruptor in 2025.
To protect their platforms, their customers, and their reputations, travel businesses must shift from reactive defence to proactive, AI-driven bot management. In a world where bots are booking tickets too, the cost of doing nothing is far higher than the cost of protecting your business from cyberattacks.